Edit tour

Linux Analysis Report
gMILf8mqrF

Overview

General Information

Sample Name:	gMILf8mqrF
Analysis ID:	626462
MD5:	99c3d6016731dde0f6250297a8b34a0c
SHA1:	04d7db19cff22d044a021cdd2437e1c16d933f27
SHA256:	b8e66976f2adb09012e4c737a933d0d88c47da185d5003b7c97df2a5aad3c93d
Tags:	32elfmirairenesas
Infos:

Detection

Mirai

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample tries to kill multiple processes (SIGKILL)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626462
Start date and time: 14/05/202203:54:59	2022-05-14 03:54:59 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	gMILf8mqrF
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal60.spre.troj.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/gMILf8mqrF
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

gMILf8mqrF (PID: 6230, Parent: 6132, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/gMILf8mqrF

gMILf8mqrF New Fork (PID: 6232, Parent: 6230)

gMILf8mqrF New Fork (PID: 6233, Parent: 6230)

gMILf8mqrF New Fork (PID: 6234, Parent: 6230)

gMILf8mqrF New Fork (PID: 6238, Parent: 6234)

gMILf8mqrF New Fork (PID: 6336, Parent: 6238)

gMILf8mqrF New Fork (PID: 6338, Parent: 6238)

gMILf8mqrF New Fork (PID: 6239, Parent: 6234)

gMILf8mqrF New Fork (PID: 6240, Parent: 6234)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: gMILf8mqrF

Virustotal: Detection: 54%

Perma Link

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312

Source: /tmp/gMILf8mqrF (PID: 6232)	Socket: 0.0.0.0::0
Source: /tmp/gMILf8mqrF (PID: 6232)	Socket: 0.0.0.0::53413
Source: /tmp/gMILf8mqrF (PID: 6232)	Socket: 0.0.0.0::80
Source: /tmp/gMILf8mqrF (PID: 6238)	Socket: 0.0.0.0::0
Source: /tmp/gMILf8mqrF (PID: 6238)	Socket: 0.0.0.0::53413
Source: /tmp/gMILf8mqrF (PID: 6238)	Socket: 0.0.0.0::80

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 213.129.154.49
Source: unknown	TCP traffic detected without corresponding DNS query: 216.32.97.63
Source: unknown	TCP traffic detected without corresponding DNS query: 133.189.1.49
Source: unknown	TCP traffic detected without corresponding DNS query: 177.244.92.136
Source: unknown	TCP traffic detected without corresponding DNS query: 182.76.119.167
Source: unknown	TCP traffic detected without corresponding DNS query: 150.237.112.224
Source: unknown	TCP traffic detected without corresponding DNS query: 121.97.30.182
Source: unknown	TCP traffic detected without corresponding DNS query: 12.111.43.198
Source: unknown	TCP traffic detected without corresponding DNS query: 41.248.250.130
Source: unknown	TCP traffic detected without corresponding DNS query: 18.253.183.27
Source: unknown	TCP traffic detected without corresponding DNS query: 39.246.4.58
Source: unknown	TCP traffic detected without corresponding DNS query: 251.190.208.151
Source: unknown	TCP traffic detected without corresponding DNS query: 206.12.190.247
Source: unknown	TCP traffic detected without corresponding DNS query: 220.197.164.9
Source: unknown	TCP traffic detected without corresponding DNS query: 170.5.115.245
Source: unknown	TCP traffic detected without corresponding DNS query: 120.171.23.24
Source: unknown	TCP traffic detected without corresponding DNS query: 98.65.121.73
Source: unknown	TCP traffic detected without corresponding DNS query: 206.3.212.70
Source: unknown	TCP traffic detected without corresponding DNS query: 163.162.159.38
Source: unknown	TCP traffic detected without corresponding DNS query: 135.46.170.2
Source: unknown	TCP traffic detected without corresponding DNS query: 72.205.56.179
Source: unknown	TCP traffic detected without corresponding DNS query: 17.51.219.140
Source: unknown	TCP traffic detected without corresponding DNS query: 161.57.231.34
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.252.61
Source: unknown	TCP traffic detected without corresponding DNS query: 101.135.169.159
Source: unknown	TCP traffic detected without corresponding DNS query: 201.57.221.109
Source: unknown	TCP traffic detected without corresponding DNS query: 253.247.195.111
Source: unknown	TCP traffic detected without corresponding DNS query: 146.188.121.222
Source: unknown	TCP traffic detected without corresponding DNS query: 178.169.154.103
Source: unknown	TCP traffic detected without corresponding DNS query: 141.250.189.52
Source: unknown	TCP traffic detected without corresponding DNS query: 163.95.207.89
Source: unknown	TCP traffic detected without corresponding DNS query: 82.127.98.89
Source: unknown	TCP traffic detected without corresponding DNS query: 117.229.130.151
Source: unknown	TCP traffic detected without corresponding DNS query: 121.34.81.173
Source: unknown	TCP traffic detected without corresponding DNS query: 203.58.137.169
Source: unknown	TCP traffic detected without corresponding DNS query: 116.224.119.116
Source: unknown	TCP traffic detected without corresponding DNS query: 174.232.112.218
Source: unknown	TCP traffic detected without corresponding DNS query: 18.1.223.36
Source: unknown	TCP traffic detected without corresponding DNS query: 181.219.238.195
Source: unknown	TCP traffic detected without corresponding DNS query: 216.83.77.238
Source: unknown	TCP traffic detected without corresponding DNS query: 61.206.101.69
Source: unknown	TCP traffic detected without corresponding DNS query: 66.139.13.92
Source: unknown	TCP traffic detected without corresponding DNS query: 165.37.167.98
Source: unknown	TCP traffic detected without corresponding DNS query: 70.191.73.229
Source: unknown	TCP traffic detected without corresponding DNS query: 97.115.61.119
Source: unknown	TCP traffic detected without corresponding DNS query: 31.116.247.118
Source: unknown	TCP traffic detected without corresponding DNS query: 243.133.231.121
Source: unknown	TCP traffic detected without corresponding DNS query: 182.245.91.15

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/gMILf8mqrF (PID: 6232)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 6232, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 6240, result: successful

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/gMILf8mqrF (PID: 6232)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2208, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2275, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2281, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2285, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2289, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 2294, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 6232, result: successful
Source: /tmp/gMILf8mqrF (PID: 6238)	SIGKILL sent: pid: 6240, result: successful

Source: classification engine

Classification label: mal60.spre.troj.lin@0/0@0/0

Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/491/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/793/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/772/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/796/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/774/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/797/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/777/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/799/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/658/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/912/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/759/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/936/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/918/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/1/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/761/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/785/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/884/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/720/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/721/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/788/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/789/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/800/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/801/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/847/fd
Source: /tmp/gMILf8mqrF (PID: 6232)	File opened: /proc/904/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/6232/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/6112/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1582/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2033/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2275/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/3088/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/6195/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/6194/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1612/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1579/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1699/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1335/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1698/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2028/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1334/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1576/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2302/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/3236/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2025/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2146/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/910/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/912/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/912/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/912/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/759/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/759/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/759/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/517/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2307/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/918/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/918/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/918/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/6240/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/6245/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1594/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2285/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2281/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1349/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1623/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/761/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/761/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/761/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1622/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/884/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/884/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/884/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1983/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2038/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1344/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1465/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1586/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1860/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1463/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2156/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/800/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/800/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/800/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/801/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/801/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/801/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1629/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1627/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1900/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/3021/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/491/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/491/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/491/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2294/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/2050/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1877/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/772/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/772/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/772/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1633/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1599/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/1632/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/774/fd
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/774/exe
Source: /tmp/gMILf8mqrF (PID: 6238)	File opened: /proc/774/fd

Source: /tmp/gMILf8mqrF (PID: 6230)

Queries kernel information via 'uname':

Source: gMILf8mqrF, 6336.1.00000000b54aaeaa.00000000c0fa3b07.rw-.sdmp	Binary or memory string: U/sh4/0 /proc/491/fd/69!/proc/777/fd/22/sh4/pro1/proc/2242/exe/sh4/0!/proc/491/fd/70!/proc/777/fd/19/sh4/pro1/usr/bin/vmtoolsdh4/0!/proc/491/fd/71!/proc/777/fd/18/sh4/pro1@uN
Source: gMILf8mqrF, 6230.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6232.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6233.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6336.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6336.1.00000000b54aaeaa.00000000c0fa3b07.rw-.sdmp, gMILf8mqrF, 6239.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6240.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: gMILf8mqrF, 6336.1.00000000b54aaeaa.00000000c0fa3b07.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: gMILf8mqrF, 6230.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6232.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6233.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6336.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6239.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6240.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp	Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: gMILf8mqrF, 6230.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6232.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6233.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6336.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6239.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp, gMILf8mqrF, 6240.1.0000000004094d85.00000000b54aaeaa.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sh4
Source: gMILf8mqrF, 6230.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6232.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6233.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6336.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6239.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp, gMILf8mqrF, 6240.1.000000006bf7d72d.000000003bdfd3eb.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/gMILf8mqrFSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gMILf8mqrF
Source: gMILf8mqrF, 6336.1.00000000b54aaeaa.00000000c0fa3b07.rw-.sdmp	Binary or memory string: U/sh4/ro10 /usr/bin/qemu-sh4!/proc/797/fd/341

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Service Stop
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gMILf8mqrF	54%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.130.59.67	unknown	Russian Federation	31200	NTKIPv6customersRU	false
253.193.91.206	unknown	Reserved	unknown	unknown	false
61.131.219.72	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
218.255.246.194	unknown	Hong Kong	9381	HKBNES-AS-APHKBNEnterpriseSolutionsHKLimitedHK	false
59.229.48.249	unknown	China	2516	KDDIKDDICORPORATIONJP	false
182.19.118.89	unknown	India	55410	VIL-AS-APVodafoneIdeaLtdIN	false
243.125.49.211	unknown	Reserved	unknown	unknown	false
125.235.32.200	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
219.251.6.95	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
200.11.55.183	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
27.20.50.202	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
94.20.234.136	unknown	Azerbaijan	199731	NAKHINTERNET-ISPAZ	false
240.110.9.117	unknown	Reserved	unknown	unknown	false
188.16.83.46	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
53.253.167.255	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
212.63.201.16	unknown	Sweden	30880	SPACEDUMP-ASThisASNislocatedonSTHIXatTulegatanStoka	false
41.18.58.7	unknown	South Africa	29975	VODACOM-ZA	false
175.94.151.153	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
246.173.102.76	unknown	Reserved	unknown	unknown	false
126.139.123.184	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
64.11.221.42	unknown	United States	701	UUNETUS	false
249.222.27.173	unknown	Reserved	unknown	unknown	false
209.222.208.244	unknown	United States	557	UMAINE-SYS-ASUS	false
113.250.232.206	unknown	China	134420	CHINATELECOM-CHONGQING-IDCChongqingTelecomCN	false
166.57.27.171	unknown	United States	19554	OPENTEXT-AS-NA-US6CA	false
110.39.118.227	unknown	Pakistan	38264	WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK	false
151.193.146.155	unknown	United States	6334	ASN-TSGUS	false
39.217.19.19	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
212.24.4.193	unknown	Italy	8612	TISCALI-IT	false
217.249.232.6	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
145.241.91.92	unknown	Switzerland	8447	TELEKOM-ATA1TelekomAustriaAGAT	false
82.37.45.39	unknown	United Kingdom	5089	NTLGB	false
152.169.125.252	unknown	Argentina	10318	TelecomArgentinaSAAR	false
109.101.200.5	unknown	Romania	9050	RTDBucharestRomaniaRO	false
57.208.217.15	unknown	Belgium	2686	ATGS-MMD-ASUS	false
71.76.152.130	unknown	United States	11426	TWC-11426-CAROLINASUS	false
210.110.159.189	unknown	Korea Republic of	1237	KREONET-AS-KRKISTIKR	false
80.185.114.102	unknown	France	41272	MOSELLE-TELECOM-ASFR	false
108.252.55.128	unknown	United States	7018	ATT-INTERNET4US	false
174.187.89.108	unknown	United States	7922	COMCAST-7922US	false
188.79.160.225	unknown	Spain	12479	UNI2-ASES	false
157.237.192.129	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
178.16.20.4	unknown	Latvia	12993	DEAC-ASLV	false
202.71.176.146	unknown	Philippines	23887	PRODATA-TRANSIT-AS-APPRODATANETINCPH	false
152.196.138.178	unknown	United States	701	UUNETUS	false
159.164.19.159	unknown	United States	34058	LIFECELL-ASUA	false
245.233.102.192	unknown	Reserved	unknown	unknown	false
179.14.144.190	unknown	Colombia	27831	ColombiaMovilCO	false
73.43.185.123	unknown	United States	7922	COMCAST-7922US	false
116.241.236.133	unknown	Taiwan; Republic of China (ROC)	131596	TBCOM-NETTBCTW	false
120.126.216.99	unknown	Taiwan; Republic of China (ROC)	17716	NTU-TWNationalTaiwanUniversityTW	false
88.60.130.79	unknown	Italy	3269	ASN-IBSNAZIT	false
60.11.103.222	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
16.182.188.57	unknown	United States	unknown	unknown	false
168.247.60.41	unknown	United States	14725	AS14725US	false
190.139.224.79	unknown	Argentina	7303	TelecomArgentinaSAAR	false
5.71.227.102	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
175.89.217.126	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
210.113.79.19	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
4.86.31.190	unknown	United States	3356	LEVEL3US	false
85.154.72.177	unknown	Oman	28885	OMANTEL-NAP-ASOmanTelNAPOM	false
150.253.133.51	unknown	United States	13445	13445US	false
102.123.192.249	unknown	Sudan	36972	MTNSD	false
211.192.59.225	unknown	Korea Republic of	10056	HDMF-ASHyundaiMarinFireInsuranceKR	false
162.247.33.147	unknown	United States	27288	DPCHICO-1US	false
211.88.78.13	unknown	China	9306	CIECC-AS-APChinaInternationalElectronicCommerceCenter	false
1.91.93.97	unknown	China	17429	BGCTVNETBEIJINGGEHUACATVNETWORKCOLTDCN	false
253.179.92.208	unknown	Reserved	unknown	unknown	false
111.83.65.196	unknown	Taiwan; Republic of China (ROC)	17421	EMOME-NETMobileBusinessGroupTW	false
160.162.164.203	unknown	Morocco	6713	IAM-ASMA	false
39.167.213.249	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
75.22.81.22	unknown	United States	7018	ATT-INTERNET4US	false
186.78.102.25	unknown	Chile	7418	TELEFONICACHILESACL	false
76.22.8.4	unknown	United States	7922	COMCAST-7922US	false
216.73.67.57	unknown	Canada	16796	MERLIN-NETCA	false
98.16.59.135	unknown	United States	7029	WINDSTREAMUS	false
252.184.40.166	unknown	Reserved	unknown	unknown	false
217.39.104.153	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
91.247.53.227	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
20.161.73.56	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
43.175.60.76	unknown	Japan	4249	LILLY-ASUS	false
185.68.126.241	unknown	Germany	201857	LIVEDNSIL	false
86.106.208.11	unknown	Moldova Republic of	8926	MOLDTELECOM-ASMoldtelecomAutonomousSystemMD	false
8.108.197.6	unknown	United States	3356	LEVEL3US	false
195.113.134.18	unknown	Czech Republic	2852	CESNET2CZ	false
162.123.36.102	unknown	United States	11857	AEGONUSAUS	false
95.214.223.157	unknown	Germany	35258	ITOSSDE	false
166.199.204.247	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
43.138.15.193	unknown	Japan	4249	LILLY-ASUS	false
210.149.42.42	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
20.155.58.155	unknown	United States	15917	CSC-UK-MWHGB	false
193.167.161.254	unknown	Finland	1741	FUNETASFI	false
92.14.0.116	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
68.54.35.240	unknown	United States	7922	COMCAST-7922US	false
121.61.61.154	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
98.52.67.142	unknown	United States	7922	COMCAST-7922US	false
79.250.86.211	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
160.72.37.113	unknown	United States	46887	LIGHTOWERUS	false
57.126.25.127	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
208.39.80.4	unknown	United States	11303	DATARETURNUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.7673345491931025
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	gMILf8mqrF
File size:	51584
MD5:	99c3d6016731dde0f6250297a8b34a0c
SHA1:	04d7db19cff22d044a021cdd2437e1c16d933f27
SHA256:	b8e66976f2adb09012e4c737a933d0d88c47da185d5003b7c97df2a5aad3c93d
SHA512:	5755cdd41c9c29c0d4703f5d495299b1b29b97c4081cc90528949a5d9525924c8c2f75cffdd7547393dc941e12f1d6dca88beaec4bc10832610f17ec2af3f60d
SSDEEP:	768:jaixFwtLSYAagMo0ebH4/ZvQX3hyWfs3INgCJUU/qMCqKomQRCvf:jaQFwtOGBvQXxfs3kgCJt/qMF/RCvf
TLSH:	8B337CB5C579EDE8D1144A78BE248E749723E100C6932EFADA44C6A99083EFCF5583F4
File Content Preview:	.ELF.....................@.4...........4. ...(...............@...@.<...<...............@...@.A.@.A.p...............Q.td............................././"O.n........#.@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	<unknown>
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4001a0
Flags:	0x9
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	51184
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x30	0x0	0x6	AX	4
.text	PROGBITS	0x4000e0	0xe0	0xbf40	0x0	0x6	AX	32
.fini	PROGBITS	0x40c020	0xc020	0x24	0x0	0x6	AX	4
.rodata	PROGBITS	0x40c044	0xc044	0x5f8	0x0	0x2	A	4
.ctors	PROGBITS	0x41c640	0xc640	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41c648	0xc648	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x41c654	0xc654	0x15c	0x0	0x3	WA	4
.bss	NOBITS	0x41c7b0	0xc7b0	0x280	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xc7b0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xc63c	0xc63c	4.6306	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xc640	0x41c640	0x41c640	0x170	0x3f0	0.4302	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 03:55:48.846714973 CEST	42836	443	192.168.2.23	91.189.91.43
May 14, 2022 03:55:49.354109049 CEST	60988	1312	192.168.2.23	107.172.197.117
May 14, 2022 03:55:49.384078026 CEST	30261	23	192.168.2.23	213.129.154.49
May 14, 2022 03:55:49.384080887 CEST	30261	23	192.168.2.23	216.32.97.63
May 14, 2022 03:55:49.384084940 CEST	30261	23	192.168.2.23	133.189.1.49
May 14, 2022 03:55:49.384093046 CEST	30261	23	192.168.2.23	177.244.92.136
May 14, 2022 03:55:49.384119034 CEST	30261	23	192.168.2.23	182.76.119.167
May 14, 2022 03:55:49.384143114 CEST	30261	23	192.168.2.23	150.237.112.224
May 14, 2022 03:55:49.384171963 CEST	30261	23	192.168.2.23	121.97.30.182
May 14, 2022 03:55:49.384179115 CEST	30261	23	192.168.2.23	12.111.43.198
May 14, 2022 03:55:49.384182930 CEST	30261	23	192.168.2.23	41.248.250.130
May 14, 2022 03:55:49.384186029 CEST	30261	23	192.168.2.23	18.253.183.27
May 14, 2022 03:55:49.384198904 CEST	30261	23	192.168.2.23	39.246.4.58
May 14, 2022 03:55:49.384206057 CEST	30261	23	192.168.2.23	251.190.208.151
May 14, 2022 03:55:49.384215117 CEST	30261	23	192.168.2.23	206.12.190.247
May 14, 2022 03:55:49.384244919 CEST	30261	23	192.168.2.23	220.197.164.9
May 14, 2022 03:55:49.384258032 CEST	30261	23	192.168.2.23	170.5.115.245
May 14, 2022 03:55:49.384350061 CEST	30261	23	192.168.2.23	120.171.23.24
May 14, 2022 03:55:49.384354115 CEST	30261	23	192.168.2.23	98.65.121.73
May 14, 2022 03:55:49.384377956 CEST	30261	23	192.168.2.23	206.3.212.70
May 14, 2022 03:55:49.384391069 CEST	30261	23	192.168.2.23	163.162.159.38
May 14, 2022 03:55:49.384393930 CEST	30261	23	192.168.2.23	135.46.170.2
May 14, 2022 03:55:49.384394884 CEST	30261	23	192.168.2.23	72.205.56.179
May 14, 2022 03:55:49.384399891 CEST	30261	23	192.168.2.23	17.51.219.140
May 14, 2022 03:55:49.384407997 CEST	30261	23	192.168.2.23	161.57.231.34
May 14, 2022 03:55:49.384407997 CEST	30261	23	192.168.2.23	81.161.252.61
May 14, 2022 03:55:49.384413004 CEST	30261	23	192.168.2.23	101.135.169.159
May 14, 2022 03:55:49.384421110 CEST	30261	23	192.168.2.23	201.57.221.109
May 14, 2022 03:55:49.384442091 CEST	30261	23	192.168.2.23	253.247.195.111
May 14, 2022 03:55:49.384442091 CEST	30261	23	192.168.2.23	146.188.121.222
May 14, 2022 03:55:49.384444952 CEST	30261	23	192.168.2.23	178.169.154.103
May 14, 2022 03:55:49.384448051 CEST	30261	23	192.168.2.23	141.250.189.52
May 14, 2022 03:55:49.384464025 CEST	30261	23	192.168.2.23	163.95.207.89
May 14, 2022 03:55:49.384586096 CEST	30261	23	192.168.2.23	82.127.98.89
May 14, 2022 03:55:49.384593964 CEST	30261	23	192.168.2.23	117.229.130.151
May 14, 2022 03:55:49.384610891 CEST	30261	23	192.168.2.23	113.94.110.21
May 14, 2022 03:55:49.384614944 CEST	30261	23	192.168.2.23	121.34.81.173
May 14, 2022 03:55:49.384618044 CEST	30261	23	192.168.2.23	203.58.137.169
May 14, 2022 03:55:49.384618998 CEST	30261	23	192.168.2.23	116.224.119.116
May 14, 2022 03:55:49.384623051 CEST	30261	23	192.168.2.23	174.232.112.218
May 14, 2022 03:55:49.384632111 CEST	30261	23	192.168.2.23	18.1.223.36
May 14, 2022 03:55:49.384639978 CEST	30261	23	192.168.2.23	181.219.238.195
May 14, 2022 03:55:49.384648085 CEST	30261	23	192.168.2.23	216.83.77.238
May 14, 2022 03:55:49.384653091 CEST	30261	23	192.168.2.23	61.206.101.69
May 14, 2022 03:55:49.384684086 CEST	30261	23	192.168.2.23	66.139.13.92
May 14, 2022 03:55:49.384699106 CEST	30261	23	192.168.2.23	165.37.167.98
May 14, 2022 03:55:49.384727955 CEST	30261	23	192.168.2.23	70.191.73.229
May 14, 2022 03:55:49.384727955 CEST	30261	23	192.168.2.23	97.115.61.119
May 14, 2022 03:55:49.384835958 CEST	30261	23	192.168.2.23	31.116.247.118
May 14, 2022 03:55:49.384836912 CEST	30261	23	192.168.2.23	243.133.231.121
May 14, 2022 03:55:49.384840012 CEST	30261	23	192.168.2.23	182.245.91.15
May 14, 2022 03:55:49.384840012 CEST	30261	23	192.168.2.23	80.121.19.73
May 14, 2022 03:55:49.384848118 CEST	30261	23	192.168.2.23	12.243.54.48
May 14, 2022 03:55:49.384855032 CEST	30261	23	192.168.2.23	9.9.183.108
May 14, 2022 03:55:49.384855032 CEST	30261	23	192.168.2.23	161.8.238.184
May 14, 2022 03:55:49.384861946 CEST	30261	23	192.168.2.23	195.181.100.162
May 14, 2022 03:55:49.384864092 CEST	30261	23	192.168.2.23	154.80.212.12
May 14, 2022 03:55:49.384869099 CEST	30261	23	192.168.2.23	212.247.129.217
May 14, 2022 03:55:49.384870052 CEST	30261	23	192.168.2.23	181.115.42.212
May 14, 2022 03:55:49.384871960 CEST	30261	23	192.168.2.23	78.150.216.166
May 14, 2022 03:55:49.384876013 CEST	30261	23	192.168.2.23	170.56.3.32
May 14, 2022 03:55:49.384877920 CEST	30261	23	192.168.2.23	158.210.77.95
May 14, 2022 03:55:49.384891987 CEST	30261	23	192.168.2.23	216.110.104.170
May 14, 2022 03:55:49.384896994 CEST	30261	23	192.168.2.23	92.63.161.241
May 14, 2022 03:55:49.384900093 CEST	30261	23	192.168.2.23	217.28.32.154
May 14, 2022 03:55:49.384905100 CEST	30261	23	192.168.2.23	13.50.2.79
May 14, 2022 03:55:49.384907007 CEST	30261	23	192.168.2.23	108.40.126.154
May 14, 2022 03:55:49.384922028 CEST	30261	23	192.168.2.23	170.238.157.7
May 14, 2022 03:55:49.384923935 CEST	30261	23	192.168.2.23	142.146.34.59
May 14, 2022 03:55:49.384936094 CEST	30261	23	192.168.2.23	82.219.223.83
May 14, 2022 03:55:49.384943962 CEST	30261	23	192.168.2.23	36.17.220.139
May 14, 2022 03:55:49.384963989 CEST	30261	23	192.168.2.23	243.201.95.135
May 14, 2022 03:55:49.385060072 CEST	30261	23	192.168.2.23	58.73.105.72
May 14, 2022 03:55:49.385061026 CEST	30261	23	192.168.2.23	176.73.172.67
May 14, 2022 03:55:49.385061026 CEST	30261	23	192.168.2.23	97.3.204.167
May 14, 2022 03:55:49.385065079 CEST	30261	23	192.168.2.23	156.30.38.63
May 14, 2022 03:55:49.385065079 CEST	30261	23	192.168.2.23	188.84.65.70
May 14, 2022 03:55:49.385082960 CEST	30261	23	192.168.2.23	191.203.28.73
May 14, 2022 03:55:49.385099888 CEST	30261	23	192.168.2.23	9.97.233.61
May 14, 2022 03:55:49.385102987 CEST	30261	23	192.168.2.23	46.248.202.51
May 14, 2022 03:55:49.385122061 CEST	30261	23	192.168.2.23	64.18.88.29
May 14, 2022 03:55:49.385135889 CEST	30261	23	192.168.2.23	116.112.127.217
May 14, 2022 03:55:49.385139942 CEST	30261	23	192.168.2.23	216.239.108.193
May 14, 2022 03:55:49.385154963 CEST	30261	23	192.168.2.23	78.58.214.17
May 14, 2022 03:55:49.385159016 CEST	30261	23	192.168.2.23	156.195.100.114
May 14, 2022 03:55:49.385324001 CEST	30261	23	192.168.2.23	196.198.238.193
May 14, 2022 03:55:49.385324955 CEST	30261	23	192.168.2.23	82.235.89.94
May 14, 2022 03:55:49.385328054 CEST	30261	23	192.168.2.23	133.183.191.30
May 14, 2022 03:55:49.385333061 CEST	30261	23	192.168.2.23	184.29.47.110
May 14, 2022 03:55:49.385338068 CEST	30261	23	192.168.2.23	187.133.63.170
May 14, 2022 03:55:49.385348082 CEST	30261	23	192.168.2.23	157.200.143.117
May 14, 2022 03:55:49.385350943 CEST	30261	23	192.168.2.23	182.12.86.50
May 14, 2022 03:55:49.385353088 CEST	30261	23	192.168.2.23	247.58.131.207
May 14, 2022 03:55:49.385355949 CEST	30261	23	192.168.2.23	67.254.69.42
May 14, 2022 03:55:49.385363102 CEST	30261	23	192.168.2.23	246.60.233.40
May 14, 2022 03:55:49.385370016 CEST	30261	23	192.168.2.23	221.232.178.100
May 14, 2022 03:55:49.385377884 CEST	30261	23	192.168.2.23	252.80.248.113
May 14, 2022 03:55:49.385377884 CEST	30261	23	192.168.2.23	16.1.222.115
May 14, 2022 03:55:49.385380030 CEST	30261	23	192.168.2.23	167.193.52.36
May 14, 2022 03:55:49.385385036 CEST	30261	23	192.168.2.23	192.205.237.146

System Behavior

Analysis Process: gMILf8mqrF PID: 6230, Parent PID: 6132

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	/tmp/gMILf8mqrF
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6232, Parent PID: 6230

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6233, Parent PID: 6230

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6234, Parent PID: 6230

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6238, Parent PID: 6234

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6336, Parent PID: 6238

General

Start time:	03:58:55
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6338, Parent PID: 6238

General

Start time:	03:58:55
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6239, Parent PID: 6234

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Analysis Process: gMILf8mqrF PID: 6240, Parent PID: 6234

General

Start time:	03:55:48
Start date:	14/05/2022
Path:	/tmp/gMILf8mqrF
Arguments:	n/a
File size:	4139976 bytes
MD5 hash:	8943e5f8f8c280467b4472c15ae93ba9

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report gMILf8mqrF

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: gMILf8mqrF PID: 6230, Parent PID: 6132

General

Analysis Process: gMILf8mqrF PID: 6232, Parent PID: 6230

General

Analysis Process: gMILf8mqrF PID: 6233, Parent PID: 6230

General

Analysis Process: gMILf8mqrF PID: 6234, Parent PID: 6230

General

Analysis Process: gMILf8mqrF PID: 6238, Parent PID: 6234

General

Analysis Process: gMILf8mqrF PID: 6336, Parent PID: 6238

General

Analysis Process: gMILf8mqrF PID: 6338, Parent PID: 6238

General

Analysis Process: gMILf8mqrF PID: 6239, Parent PID: 6234

General

Analysis Process: gMILf8mqrF PID: 6240, Parent PID: 6234

General

Linux Analysis Report
gMILf8mqrF