Edit tour

Linux Analysis Report
uuC6SqiHEK

Overview

General Information

Sample Name:	uuC6SqiHEK
Analysis ID:	626460
MD5:	772945ce381f38c38472a94893995e6f
SHA1:	62c42fe68280e67aa016afa49f844da73a1d2df1
SHA256:	cfcdff7a98c3829650988decae442e8daaf67cb471d13048ad0d578d8c5f63cf
Tags:	32elfmipsmirai
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626460
Start date and time: 14/05/202203:44:04	2022-05-14 03:44:04 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	uuC6SqiHEK
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.troj.evad.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/uuC6SqiHEK
PID:	6223
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

uuC6SqiHEK (PID: 6223, Parent: 6122, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/uuC6SqiHEK

uuC6SqiHEK New Fork (PID: 6225, Parent: 6223)

uuC6SqiHEK New Fork (PID: 6326, Parent: 6225)

uuC6SqiHEK New Fork (PID: 6328, Parent: 6225)

uuC6SqiHEK New Fork (PID: 6330, Parent: 6328)

uuC6SqiHEK New Fork (PID: 6343, Parent: 6330)

uuC6SqiHEK New Fork (PID: 6345, Parent: 6330)

uuC6SqiHEK New Fork (PID: 6332, Parent: 6328)

uuC6SqiHEK New Fork (PID: 6333, Parent: 6328)

uuC6SqiHEK New Fork (PID: 6226, Parent: 6223)

uuC6SqiHEK New Fork (PID: 6227, Parent: 6223)

uuC6SqiHEK New Fork (PID: 6231, Parent: 6227)

uuC6SqiHEK New Fork (PID: 6337, Parent: 6231)

uuC6SqiHEK New Fork (PID: 6339, Parent: 6231)

uuC6SqiHEK New Fork (PID: 6233, Parent: 6227)

uuC6SqiHEK New Fork (PID: 6234, Parent: 6227)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: uuC6SqiHEK

Virustotal: Detection: 42%

Perma Link

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32898
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32900
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32904
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32906
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32910
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32912
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32914
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32916
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32920
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32922

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312

Source: /tmp/uuC6SqiHEK (PID: 6225)	Socket: 0.0.0.0::0
Source: /tmp/uuC6SqiHEK (PID: 6225)	Socket: 0.0.0.0::23
Source: /tmp/uuC6SqiHEK (PID: 6225)	Socket: 0.0.0.0::53413
Source: /tmp/uuC6SqiHEK (PID: 6225)	Socket: 0.0.0.0::80
Source: /tmp/uuC6SqiHEK (PID: 6225)	Socket: 0.0.0.0::52869
Source: /tmp/uuC6SqiHEK (PID: 6225)	Socket: 0.0.0.0::37215
Source: /tmp/uuC6SqiHEK (PID: 6231)	Socket: 0.0.0.0::0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 81.164.18.153
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.24.117
Source: unknown	TCP traffic detected without corresponding DNS query: 176.255.189.66
Source: unknown	TCP traffic detected without corresponding DNS query: 169.60.0.176
Source: unknown	TCP traffic detected without corresponding DNS query: 158.41.69.167
Source: unknown	TCP traffic detected without corresponding DNS query: 201.168.217.66
Source: unknown	TCP traffic detected without corresponding DNS query: 149.187.54.80
Source: unknown	TCP traffic detected without corresponding DNS query: 186.229.17.36
Source: unknown	TCP traffic detected without corresponding DNS query: 156.122.41.224
Source: unknown	TCP traffic detected without corresponding DNS query: 162.43.188.92
Source: unknown	TCP traffic detected without corresponding DNS query: 80.219.143.79
Source: unknown	TCP traffic detected without corresponding DNS query: 73.215.253.205
Source: unknown	TCP traffic detected without corresponding DNS query: 177.247.14.87
Source: unknown	TCP traffic detected without corresponding DNS query: 170.218.61.135
Source: unknown	TCP traffic detected without corresponding DNS query: 176.229.196.150
Source: unknown	TCP traffic detected without corresponding DNS query: 160.98.192.57
Source: unknown	TCP traffic detected without corresponding DNS query: 73.77.195.60
Source: unknown	TCP traffic detected without corresponding DNS query: 199.95.0.73
Source: unknown	TCP traffic detected without corresponding DNS query: 19.142.189.170
Source: unknown	TCP traffic detected without corresponding DNS query: 178.248.85.9
Source: unknown	TCP traffic detected without corresponding DNS query: 254.184.255.182
Source: unknown	TCP traffic detected without corresponding DNS query: 93.22.122.203
Source: unknown	TCP traffic detected without corresponding DNS query: 178.34.193.211
Source: unknown	TCP traffic detected without corresponding DNS query: 135.200.206.144
Source: unknown	TCP traffic detected without corresponding DNS query: 114.223.243.18
Source: unknown	TCP traffic detected without corresponding DNS query: 164.189.145.57
Source: unknown	TCP traffic detected without corresponding DNS query: 220.108.224.202
Source: unknown	TCP traffic detected without corresponding DNS query: 167.206.70.100
Source: unknown	TCP traffic detected without corresponding DNS query: 93.7.20.188
Source: unknown	TCP traffic detected without corresponding DNS query: 141.156.199.81
Source: unknown	TCP traffic detected without corresponding DNS query: 23.61.30.224
Source: unknown	TCP traffic detected without corresponding DNS query: 186.241.155.185
Source: unknown	TCP traffic detected without corresponding DNS query: 223.30.162.238
Source: unknown	TCP traffic detected without corresponding DNS query: 251.194.244.233
Source: unknown	TCP traffic detected without corresponding DNS query: 253.171.246.232
Source: unknown	TCP traffic detected without corresponding DNS query: 35.50.253.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.130.38.27
Source: unknown	TCP traffic detected without corresponding DNS query: 146.193.251.221
Source: unknown	TCP traffic detected without corresponding DNS query: 199.100.229.31
Source: unknown	TCP traffic detected without corresponding DNS query: 253.77.247.140
Source: unknown	TCP traffic detected without corresponding DNS query: 68.103.221.205
Source: unknown	TCP traffic detected without corresponding DNS query: 213.182.0.235
Source: unknown	TCP traffic detected without corresponding DNS query: 77.175.88.85
Source: unknown	TCP traffic detected without corresponding DNS query: 123.30.15.218
Source: unknown	TCP traffic detected without corresponding DNS query: 40.61.201.120
Source: unknown	TCP traffic detected without corresponding DNS query: 60.220.22.152
Source: unknown	TCP traffic detected without corresponding DNS query: 19.32.126.236

Source: uuC6SqiHEK

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: /tmp/uuC6SqiHEK (PID: 6225)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/uuC6SqiHEK (PID: 6231)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal64.troj.evad.lin@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/491/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/793/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/772/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/796/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/774/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/797/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/777/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/799/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/658/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/912/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/759/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/936/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/918/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/1/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/761/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/785/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/884/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/720/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/721/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/788/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/789/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/800/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/801/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/847/fd
Source: /tmp/uuC6SqiHEK (PID: 6231)	File opened: /proc/904/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/491/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/793/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/772/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/796/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/774/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/797/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/777/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/799/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/658/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/912/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/759/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/936/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/918/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/1/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/761/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/785/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/884/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/720/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/721/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/788/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/789/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/800/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/801/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/847/fd
Source: /tmp/uuC6SqiHEK (PID: 6225)	File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32898
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32900
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32904
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32906
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32910
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32912
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32914
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32916
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32920
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 32922

Source: /tmp/uuC6SqiHEK (PID: 6223)

Queries kernel information via 'uname':

Source: uuC6SqiHEK, 6223.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: uuC6SqiHEK, 6223.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp	Binary or memory string: #Zx86_64/usr/bin/qemu-mipsel/tmp/uuC6SqiHEKSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uuC6SqiHEK
Source: uuC6SqiHEK, 6223.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000dd7321fd.00000000cd8ca4c8.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: uuC6SqiHEK, 6223.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6225.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6326.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6343.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6332.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6226.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6337.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp, uuC6SqiHEK, 6233.1.00000000d7e36c8e.00000000ca13ce42.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uuC6SqiHEK	43%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	uuC6SqiHEK	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
106.74.102.98	unknown	China	133118	UNICOM-CNChinaUnicomIPnetworkCN	false
16.145.233.90	unknown	United States	unknown	unknown	false
103.48.197.179	unknown	India	133982	EXCITEL-AS-INExcitelBroadbandPrivateLimitedIN	false
94.65.166.89	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	false
4.85.99.192	unknown	United States	3356	LEVEL3US	false
244.229.95.159	unknown	Reserved	unknown	unknown	false
198.43.106.103	unknown	United States	8038	6CONNECTUS	false
183.193.97.71	unknown	China	24400	CMNET-V4SHANGHAI-AS-APShanghaiMobileCommunicationsCoLt	false
199.69.193.131	unknown	United States	7018	ATT-INTERNET4US	false
212.49.48.110	unknown	Poland	3327	CITICCITICTelecomCPCNetherlandsBVEE	false
79.52.33.177	unknown	Italy	3269	ASN-IBSNAZIT	false
67.191.151.129	unknown	United States	7922	COMCAST-7922US	false
221.60.81.122	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
159.56.8.217	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
253.158.26.187	unknown	Reserved	unknown	unknown	false
152.70.164.7	unknown	United States	393676	ZENEDGEUS	false
14.46.92.98	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
87.208.121.119	unknown	Netherlands	13127	VERSATELASfortheTrans-EuropeanTele2IPTransportbackbo	false
146.30.9.7	unknown	United States	197938	TRAVIANGAMESDE	false
13.225.38.199	unknown	United States	16509	AMAZON-02US	false
252.118.152.132	unknown	Reserved	unknown	unknown	false
220.134.72.61	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
167.147.188.217	unknown	Canada	25899	LSNETUS	false
133.252.162.131	unknown	Japan	7687	D-CRUISENETTOYOTADIGITALCRUISEINCORPORATEDJP	false
68.46.131.251	unknown	United States	7922	COMCAST-7922US	false
158.178.211.155	unknown	United Kingdom	15830	EQUINIX-CONNECT-EMEAGB	false
201.161.230.122	unknown	Mexico	28549	CableyComunicaciondeCampecheSAdeCVMX	false
66.217.160.194	unknown	United States	7029	WINDSTREAMUS	false
159.82.197.236	unknown	United States	16928	UTCNETUS	false
161.108.200.94	unknown	United States	3955	WANG-US-1US	false
40.207.222.239	unknown	United States	4249	LILLY-ASUS	false
251.107.145.150	unknown	Reserved	unknown	unknown	false
247.21.116.49	unknown	Reserved	unknown	unknown	false
88.8.231.68	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
112.175.44.193	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
37.110.208.188	unknown	Uzbekistan	41202	UNITELUZ	false
91.175.167.230	unknown	France	12322	PROXADFR	false
101.107.22.252	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
117.89.208.53	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
249.17.141.60	unknown	Reserved	unknown	unknown	false
208.122.146.58	unknown	United States	46476	TTUHSCUS	false
60.238.28.32	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
177.250.111.169	unknown	Paraguay	27866	COPACOPY	false
104.214.47.103	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
174.14.19.141	unknown	United States	6327	SHAWCA	false
193.16.95.100	unknown	Germany	9145	EWETELCloppenburgerStrasse310DE	false
87.85.42.151	unknown	United Kingdom	4589	EASYNETEasynetGlobalServicesEU	false
198.8.229.114	unknown	United States	13540	LIBERTY-MUTUALUS	false
100.184.225.176	unknown	United States	21928	T-MOBILE-AS21928US	false
141.203.224.250	unknown	Austria	6720	MAGWIENAT	false
138.216.43.88	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
39.192.61.34	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
70.186.61.172	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
173.157.32.247	unknown	United States	10507	SPCSUS	false
255.56.80.239	unknown	Reserved	unknown	unknown	false
90.110.42.134	unknown	France	3215	FranceTelecom-OrangeFR	false
24.27.166.110	unknown	United States	10796	TWC-10796-MIDWESTUS	false
64.61.215.85	unknown	United States	32946	RPU-1892US	false
97.170.127.8	unknown	United States	6167	CELLCO-PARTUS	false
42.195.247.73	unknown	China	4249	LILLY-ASUS	false
193.66.92.128	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
98.39.11.74	unknown	United States	7922	COMCAST-7922US	false
162.173.110.34	unknown	United States	21928	T-MOBILE-AS21928US	false
65.11.58.74	unknown	United States	16509	AMAZON-02US	false
115.103.189.181	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
78.218.113.35	unknown	France	12322	PROXADFR	false
170.174.149.73	unknown	United States	11685	HNBCOL-ASUS	false
250.102.71.130	unknown	Reserved	unknown	unknown	false
97.173.157.158	unknown	United States	6167	CELLCO-PARTUS	false
251.153.15.216	unknown	Reserved	unknown	unknown	false
202.124.2.146	unknown	Japan	18126	CTCXChubuTelecommunicationsCompanyIncJP	false
172.75.225.48	unknown	United States	11426	TWC-11426-CAROLINASUS	false
157.54.61.122	unknown	United States	3598	MICROSOFT-CORP-ASUS	false
142.165.15.143	unknown	Canada	803	SASKTELCA	false
116.240.246.240	unknown	Australia	9443	VOCUS-RETAIL-AUVocusRetailAU	false
20.229.247.194	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
96.120.35.241	unknown	United States	7922	COMCAST-7922US	false
54.118.15.136	unknown	United States	16509	AMAZON-02US	false
31.226.141.94	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
206.171.177.30	unknown	United States	7018	ATT-INTERNET4US	false
17.93.233.237	unknown	United States	714	APPLE-ENGINEERINGUS	false
87.80.16.160	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
117.246.144.137	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
187.46.78.46	unknown	Brazil	26615	TIMSABR	false
39.145.157.157	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
105.77.140.180	unknown	Morocco	36884	MAROCCONNECTMA	false
37.246.127.6	unknown	Moldova Republic of	57598	FIBERHOP-ASNMD	false
93.77.136.84	unknown	Ukraine	25229	VOLIA-ASUA	false
184.9.206.96	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
79.73.27.61	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	false
81.170.168.42	unknown	Sweden	8473	BAHNHOFhttpwwwbahnhofnetSE	false
171.29.63.199	unknown	United Kingdom	34457	AMB-GENERALIDE	false
204.176.239.53	unknown	United States	701	UUNETUS	false
19.1.83.197	unknown	United States	3	MIT-GATEWAYSUS	false
130.190.252.22	unknown	France	1942	FR-TIGREToileInformatiqueGREnobloiseEU	false
113.109.71.95	unknown	China	4816	CHINANET-IDC-GDChinaTelecomGroupCN	false
156.226.9.176	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
155.58.195.100	unknown	United States	23366	LSUHEALTHSCIENCESCTRUS	false
36.46.16.113	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
201.115.242.113	unknown	Mexico	8151	UninetSAdeCVMX	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.87857528714088
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	uuC6SqiHEK
File size:	27244
MD5:	772945ce381f38c38472a94893995e6f
SHA1:	62c42fe68280e67aa016afa49f844da73a1d2df1
SHA256:	cfcdff7a98c3829650988decae442e8daaf67cb471d13048ad0d578d8c5f63cf
SHA512:	a2d3b5264ed4754a4c639fa28dc1076f98e99d3b3e4ce25dcfe99e4335842186b431ff11011617e9a27a02e5148c92f3721aa3b6010902763724958791a17bd4
SSDEEP:	768:MLCUFskb2JgIs/E2+OocrfJiHNjfmQ2q7IoqdBqWn:oCrJgHiOJrfwmQrctH
TLSH:	91C2E1DFB49A38C5CD1C5CBC219D5AD115B992C7334A8F0837502DCDA57645FB8AC8B8
File Content Preview:	.ELF.....................V..4...........4. ...(.....................Ei..Ei....................E...E....................tUPX!d.......T...T.......T..........?.E.h;....#......b.L#4E..,,....M..D{c....j;.D .A....~.....hE.:.O........L..N.7g..\....R.............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x105608
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x6945	0x6945	4.1994	0x5	R E	0x10000
LOAD	0x18c0	0x4518c0	0x4518c0	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 03:44:50.037815094 CEST	42836	443	192.168.2.23	91.189.91.43
May 14, 2022 03:44:51.061796904 CEST	42516	80	192.168.2.23	109.202.202.202
May 14, 2022 03:44:51.643457890 CEST	60988	1312	192.168.2.23	107.172.197.117
May 14, 2022 03:44:51.660052061 CEST	2031	23	192.168.2.23	81.164.18.153
May 14, 2022 03:44:51.660134077 CEST	2031	23	192.168.2.23	81.190.24.117
May 14, 2022 03:44:51.660180092 CEST	2031	23	192.168.2.23	176.255.189.66
May 14, 2022 03:44:51.660214901 CEST	2031	23	192.168.2.23	169.60.0.176
May 14, 2022 03:44:51.660231113 CEST	2031	23	192.168.2.23	158.41.69.167
May 14, 2022 03:44:51.660240889 CEST	2031	23	192.168.2.23	201.168.217.66
May 14, 2022 03:44:51.660265923 CEST	2031	23	192.168.2.23	149.187.54.80
May 14, 2022 03:44:51.660274029 CEST	2031	23	192.168.2.23	186.229.17.36
May 14, 2022 03:44:51.660299063 CEST	2031	23	192.168.2.23	156.122.41.224
May 14, 2022 03:44:51.660305023 CEST	2031	23	192.168.2.23	162.43.188.92
May 14, 2022 03:44:51.660320044 CEST	2031	23	192.168.2.23	80.219.143.79
May 14, 2022 03:44:51.660339117 CEST	2031	23	192.168.2.23	73.215.253.205
May 14, 2022 03:44:51.660339117 CEST	2031	23	192.168.2.23	177.247.14.87
May 14, 2022 03:44:51.660355091 CEST	2031	23	192.168.2.23	170.218.61.135
May 14, 2022 03:44:51.660356045 CEST	2031	23	192.168.2.23	176.229.196.150
May 14, 2022 03:44:51.660382032 CEST	2031	23	192.168.2.23	160.98.192.57
May 14, 2022 03:44:51.660398006 CEST	2031	23	192.168.2.23	73.77.195.60
May 14, 2022 03:44:51.660427094 CEST	2031	23	192.168.2.23	199.95.0.73
May 14, 2022 03:44:51.660460949 CEST	2031	23	192.168.2.23	90.10.31.33
May 14, 2022 03:44:51.660465956 CEST	2031	23	192.168.2.23	19.142.189.170
May 14, 2022 03:44:51.660496950 CEST	2031	23	192.168.2.23	178.248.85.9
May 14, 2022 03:44:51.660499096 CEST	2031	23	192.168.2.23	254.184.255.182
May 14, 2022 03:44:51.660502911 CEST	2031	23	192.168.2.23	93.22.122.203
May 14, 2022 03:44:51.660511017 CEST	2031	23	192.168.2.23	178.34.193.211
May 14, 2022 03:44:51.660559893 CEST	2031	23	192.168.2.23	135.200.206.144
May 14, 2022 03:44:51.660572052 CEST	2031	23	192.168.2.23	114.223.243.18
May 14, 2022 03:44:51.660579920 CEST	2031	23	192.168.2.23	164.189.145.57
May 14, 2022 03:44:51.660615921 CEST	2031	23	192.168.2.23	220.108.224.202
May 14, 2022 03:44:51.660619020 CEST	2031	23	192.168.2.23	167.206.70.100
May 14, 2022 03:44:51.660641909 CEST	2031	23	192.168.2.23	93.7.20.188
May 14, 2022 03:44:51.660650015 CEST	2031	23	192.168.2.23	141.156.199.81
May 14, 2022 03:44:51.660655022 CEST	2031	23	192.168.2.23	23.61.30.224
May 14, 2022 03:44:51.660659075 CEST	2031	23	192.168.2.23	186.241.155.185
May 14, 2022 03:44:51.660666943 CEST	2031	23	192.168.2.23	223.30.162.238
May 14, 2022 03:44:51.660676956 CEST	2031	23	192.168.2.23	251.194.244.233
May 14, 2022 03:44:51.660681009 CEST	2031	23	192.168.2.23	210.77.27.194
May 14, 2022 03:44:51.660685062 CEST	2031	23	192.168.2.23	253.171.246.232
May 14, 2022 03:44:51.660705090 CEST	2031	23	192.168.2.23	16.210.45.107
May 14, 2022 03:44:51.660732985 CEST	2031	23	192.168.2.23	35.50.253.208
May 14, 2022 03:44:51.660757065 CEST	2031	23	192.168.2.23	204.130.38.27
May 14, 2022 03:44:51.660825014 CEST	2031	23	192.168.2.23	146.193.251.221
May 14, 2022 03:44:51.660829067 CEST	2031	23	192.168.2.23	199.100.229.31
May 14, 2022 03:44:51.660840988 CEST	2031	23	192.168.2.23	253.77.247.140
May 14, 2022 03:44:51.660856962 CEST	2031	23	192.168.2.23	68.103.221.205
May 14, 2022 03:44:51.660864115 CEST	2031	23	192.168.2.23	213.182.0.235
May 14, 2022 03:44:51.660871029 CEST	2031	23	192.168.2.23	77.175.88.85
May 14, 2022 03:44:51.660881042 CEST	2031	23	192.168.2.23	123.30.15.218
May 14, 2022 03:44:51.660916090 CEST	2031	23	192.168.2.23	40.61.201.120
May 14, 2022 03:44:51.660921097 CEST	2031	23	192.168.2.23	60.220.22.152
May 14, 2022 03:44:51.660929918 CEST	2031	23	192.168.2.23	19.32.126.236
May 14, 2022 03:44:51.660940886 CEST	2031	23	192.168.2.23	161.92.22.160
May 14, 2022 03:44:51.660965919 CEST	2031	23	192.168.2.23	79.81.133.233
May 14, 2022 03:44:51.660978079 CEST	2031	23	192.168.2.23	14.241.184.188
May 14, 2022 03:44:51.660988092 CEST	2031	23	192.168.2.23	17.252.251.59
May 14, 2022 03:44:51.660996914 CEST	2031	23	192.168.2.23	133.151.14.218
May 14, 2022 03:44:51.661021948 CEST	2031	23	192.168.2.23	160.185.48.34
May 14, 2022 03:44:51.661070108 CEST	2031	23	192.168.2.23	188.3.235.182
May 14, 2022 03:44:51.661082029 CEST	2031	23	192.168.2.23	196.86.236.160
May 14, 2022 03:44:51.661084890 CEST	2031	23	192.168.2.23	201.1.207.238
May 14, 2022 03:44:51.661104918 CEST	2031	23	192.168.2.23	170.245.45.23
May 14, 2022 03:44:51.661114931 CEST	2031	23	192.168.2.23	4.154.162.247
May 14, 2022 03:44:51.661137104 CEST	2031	23	192.168.2.23	62.177.172.85
May 14, 2022 03:44:51.661139965 CEST	2031	23	192.168.2.23	108.27.30.228
May 14, 2022 03:44:51.661150932 CEST	2031	23	192.168.2.23	167.70.89.236
May 14, 2022 03:44:51.661184072 CEST	2031	23	192.168.2.23	107.57.86.129
May 14, 2022 03:44:51.661201954 CEST	2031	23	192.168.2.23	246.62.10.131
May 14, 2022 03:44:51.661207914 CEST	2031	23	192.168.2.23	194.66.158.245
May 14, 2022 03:44:51.661226034 CEST	2031	23	192.168.2.23	23.183.63.170
May 14, 2022 03:44:51.661247969 CEST	2031	23	192.168.2.23	86.19.110.108
May 14, 2022 03:44:51.661267042 CEST	2031	23	192.168.2.23	86.108.11.197
May 14, 2022 03:44:51.661293983 CEST	2031	23	192.168.2.23	185.231.66.188
May 14, 2022 03:44:51.661302090 CEST	2031	23	192.168.2.23	220.110.147.111
May 14, 2022 03:44:51.661326885 CEST	2031	23	192.168.2.23	208.196.58.49
May 14, 2022 03:44:51.661333084 CEST	2031	23	192.168.2.23	12.100.139.252
May 14, 2022 03:44:51.661350012 CEST	2031	23	192.168.2.23	167.30.228.233
May 14, 2022 03:44:51.661350965 CEST	2031	23	192.168.2.23	17.111.92.89
May 14, 2022 03:44:51.661355019 CEST	2031	23	192.168.2.23	41.14.86.82
May 14, 2022 03:44:51.661361933 CEST	2031	23	192.168.2.23	188.72.99.90
May 14, 2022 03:44:51.661384106 CEST	2031	23	192.168.2.23	39.235.70.88
May 14, 2022 03:44:51.661392927 CEST	2031	23	192.168.2.23	77.26.161.34
May 14, 2022 03:44:51.661405087 CEST	2031	23	192.168.2.23	135.29.74.36
May 14, 2022 03:44:51.661413908 CEST	2031	23	192.168.2.23	27.41.42.64
May 14, 2022 03:44:51.661417961 CEST	2031	23	192.168.2.23	121.59.159.169
May 14, 2022 03:44:51.661426067 CEST	2031	23	192.168.2.23	249.155.71.75
May 14, 2022 03:44:51.661449909 CEST	2031	23	192.168.2.23	46.95.181.171
May 14, 2022 03:44:51.661462069 CEST	2031	23	192.168.2.23	32.14.142.38
May 14, 2022 03:44:51.661473036 CEST	2031	23	192.168.2.23	27.27.40.211
May 14, 2022 03:44:51.661478996 CEST	2031	23	192.168.2.23	132.2.194.218
May 14, 2022 03:44:51.661501884 CEST	2031	23	192.168.2.23	208.2.114.239
May 14, 2022 03:44:51.661506891 CEST	2031	23	192.168.2.23	201.115.242.113
May 14, 2022 03:44:51.661509991 CEST	2031	23	192.168.2.23	88.211.34.113
May 14, 2022 03:44:51.661521912 CEST	2031	23	192.168.2.23	92.92.211.101
May 14, 2022 03:44:51.661524057 CEST	2031	23	192.168.2.23	109.44.84.197
May 14, 2022 03:44:51.661556005 CEST	2031	23	192.168.2.23	212.79.85.245
May 14, 2022 03:44:51.661577940 CEST	2031	23	192.168.2.23	165.89.236.144
May 14, 2022 03:44:51.661577940 CEST	2031	23	192.168.2.23	159.63.72.111
May 14, 2022 03:44:51.661602020 CEST	2031	23	192.168.2.23	17.101.130.62

System Behavior

Analysis Process: uuC6SqiHEK PID: 6223, Parent PID: 6122

General

Start time:	03:44:50
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	/tmp/uuC6SqiHEK
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6225, Parent PID: 6223

General

Start time:	03:44:50
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6326, Parent PID: 6225

General

Start time:	03:47:42
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6328, Parent PID: 6225

General

Start time:	03:47:42
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6330, Parent PID: 6328

General

Start time:	03:47:42
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6343, Parent PID: 6330

General

Start time:	03:47:47
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6345, Parent PID: 6330

General

Start time:	03:47:47
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6332, Parent PID: 6328

General

Start time:	03:47:42
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6333, Parent PID: 6328

General

Start time:	03:47:42
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6226, Parent PID: 6223

General

Start time:	03:44:50
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6227, Parent PID: 6223

General

Start time:	03:44:50
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6231, Parent PID: 6227

General

Start time:	03:44:50
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6337, Parent PID: 6231

General

Start time:	03:47:43
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6339, Parent PID: 6231

General

Start time:	03:47:43
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6233, Parent PID: 6227

General

Start time:	03:44:51
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: uuC6SqiHEK PID: 6234, Parent PID: 6227

General

Start time:	03:44:51
Start date:	14/05/2022
Path:	/tmp/uuC6SqiHEK
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report uuC6SqiHEK

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: uuC6SqiHEK PID: 6223, Parent PID: 6122

General

Analysis Process: uuC6SqiHEK PID: 6225, Parent PID: 6223

General

Analysis Process: uuC6SqiHEK PID: 6326, Parent PID: 6225

General

Analysis Process: uuC6SqiHEK PID: 6328, Parent PID: 6225

General

Analysis Process: uuC6SqiHEK PID: 6330, Parent PID: 6328

General

Analysis Process: uuC6SqiHEK PID: 6343, Parent PID: 6330

General

Analysis Process: uuC6SqiHEK PID: 6345, Parent PID: 6330

General

Analysis Process: uuC6SqiHEK PID: 6332, Parent PID: 6328

General

Analysis Process: uuC6SqiHEK PID: 6333, Parent PID: 6328

General

Analysis Process: uuC6SqiHEK PID: 6226, Parent PID: 6223

General

Linux Analysis Report
uuC6SqiHEK