Edit tour

Linux Analysis Report
0vFX7VXc9U

Overview

General Information

Sample Name:	0vFX7VXc9U
Analysis ID:	626466
MD5:	5d6cccddcb88cb4daefbc964e23de098
SHA1:	18e29b4aaad7d49a2b2adba64387494c6590c8dc
SHA256:	1dfc810854844288a6f5c6b1e8dc25059bcff19c5585773956e568eaa4794970
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample tries to kill multiple processes (SIGKILL)

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626466
Start date and time: 14/05/202204:00:30	2022-05-14 04:00:30 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	0vFX7VXc9U
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.spre.troj.evad.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/0vFX7VXc9U
PID:	6229
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

0vFX7VXc9U (PID: 6229, Parent: 6122, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/0vFX7VXc9U

0vFX7VXc9U New Fork (PID: 6231, Parent: 6229)

0vFX7VXc9U New Fork (PID: 6233, Parent: 6229)

0vFX7VXc9U New Fork (PID: 6235, Parent: 6229)

0vFX7VXc9U New Fork (PID: 6237, Parent: 6235)

0vFX7VXc9U New Fork (PID: 6239, Parent: 6235)

0vFX7VXc9U New Fork (PID: 6240, Parent: 6235)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 0vFX7VXc9U

Virustotal: Detection: 40%

Perma Link

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54616
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54618
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54632
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54640
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54648
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54650
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54656

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312

Source: /tmp/0vFX7VXc9U (PID: 6231)	Socket: 0.0.0.0::0
Source: /tmp/0vFX7VXc9U (PID: 6231)	Socket: 0.0.0.0::53413
Source: /tmp/0vFX7VXc9U (PID: 6231)	Socket: 0.0.0.0::80
Source: /tmp/0vFX7VXc9U (PID: 6231)	Socket: 0.0.0.0::37215
Source: /tmp/0vFX7VXc9U (PID: 6237)	Socket: 0.0.0.0::0
Source: /tmp/0vFX7VXc9U (PID: 6237)	Socket: 0.0.0.0::53413
Source: /tmp/0vFX7VXc9U (PID: 6237)	Socket: 0.0.0.0::80
Source: /tmp/0vFX7VXc9U (PID: 6237)	Socket: 0.0.0.0::37215

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 75.153.213.149
Source: unknown	TCP traffic detected without corresponding DNS query: 44.100.148.162
Source: unknown	TCP traffic detected without corresponding DNS query: 153.161.78.149
Source: unknown	TCP traffic detected without corresponding DNS query: 124.122.52.227
Source: unknown	TCP traffic detected without corresponding DNS query: 200.20.122.95
Source: unknown	TCP traffic detected without corresponding DNS query: 209.74.247.155
Source: unknown	TCP traffic detected without corresponding DNS query: 174.71.198.101
Source: unknown	TCP traffic detected without corresponding DNS query: 117.236.55.110
Source: unknown	TCP traffic detected without corresponding DNS query: 37.106.71.233
Source: unknown	TCP traffic detected without corresponding DNS query: 222.47.177.148
Source: unknown	TCP traffic detected without corresponding DNS query: 125.144.106.185
Source: unknown	TCP traffic detected without corresponding DNS query: 206.15.179.149
Source: unknown	TCP traffic detected without corresponding DNS query: 254.27.202.193
Source: unknown	TCP traffic detected without corresponding DNS query: 201.103.134.232
Source: unknown	TCP traffic detected without corresponding DNS query: 219.78.219.232
Source: unknown	TCP traffic detected without corresponding DNS query: 67.141.187.33
Source: unknown	TCP traffic detected without corresponding DNS query: 104.195.123.176
Source: unknown	TCP traffic detected without corresponding DNS query: 120.108.63.223
Source: unknown	TCP traffic detected without corresponding DNS query: 48.186.3.119
Source: unknown	TCP traffic detected without corresponding DNS query: 80.133.177.198
Source: unknown	TCP traffic detected without corresponding DNS query: 182.248.186.183
Source: unknown	TCP traffic detected without corresponding DNS query: 71.218.165.185
Source: unknown	TCP traffic detected without corresponding DNS query: 179.129.198.114
Source: unknown	TCP traffic detected without corresponding DNS query: 59.240.120.127
Source: unknown	TCP traffic detected without corresponding DNS query: 67.6.248.156
Source: unknown	TCP traffic detected without corresponding DNS query: 171.64.241.180
Source: unknown	TCP traffic detected without corresponding DNS query: 75.151.87.145
Source: unknown	TCP traffic detected without corresponding DNS query: 196.183.155.18
Source: unknown	TCP traffic detected without corresponding DNS query: 193.188.234.47
Source: unknown	TCP traffic detected without corresponding DNS query: 185.135.188.9
Source: unknown	TCP traffic detected without corresponding DNS query: 179.213.133.164
Source: unknown	TCP traffic detected without corresponding DNS query: 179.242.15.168
Source: unknown	TCP traffic detected without corresponding DNS query: 198.16.2.230
Source: unknown	TCP traffic detected without corresponding DNS query: 191.27.73.58
Source: unknown	TCP traffic detected without corresponding DNS query: 41.235.202.130
Source: unknown	TCP traffic detected without corresponding DNS query: 58.241.84.58
Source: unknown	TCP traffic detected without corresponding DNS query: 169.228.22.89
Source: unknown	TCP traffic detected without corresponding DNS query: 79.197.67.24
Source: unknown	TCP traffic detected without corresponding DNS query: 32.171.233.252
Source: unknown	TCP traffic detected without corresponding DNS query: 53.169.86.102
Source: unknown	TCP traffic detected without corresponding DNS query: 149.13.99.100
Source: unknown	TCP traffic detected without corresponding DNS query: 115.192.179.28
Source: unknown	TCP traffic detected without corresponding DNS query: 255.194.67.22
Source: unknown	TCP traffic detected without corresponding DNS query: 220.114.89.247
Source: unknown	TCP traffic detected without corresponding DNS query: 213.233.2.165
Source: unknown	TCP traffic detected without corresponding DNS query: 32.215.205.156
Source: unknown	TCP traffic detected without corresponding DNS query: 106.217.38.243
Source: unknown	TCP traffic detected without corresponding DNS query: 213.149.54.237

Source: 0vFX7VXc9U

String found in binary or memory: http://upx.sf.net

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/0vFX7VXc9U (PID: 6231)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 6231, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2208, result: successful

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/0vFX7VXc9U (PID: 6231)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 6231, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 847, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1860, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2097, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2180, result: successful
Source: /tmp/0vFX7VXc9U (PID: 6237)	SIGKILL sent: pid: 2208, result: successful

Source: classification engine

Classification label: mal68.spre.troj.evad.lin@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/491/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/793/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/772/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/796/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/774/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/797/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/777/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/799/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/658/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/912/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/759/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/936/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/918/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/1/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/761/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/785/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/884/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/720/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/721/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/788/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/789/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/800/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/801/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/847/fd
Source: /tmp/0vFX7VXc9U (PID: 6231)	File opened: /proc/904/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/6231/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2033/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2033/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1582/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1582/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2275/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1612/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1612/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1579/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1579/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1699/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1699/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1335/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1335/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1698/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1698/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2028/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2028/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1334/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1334/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1576/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1576/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2302/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/3236/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2025/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2025/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2146/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2146/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/910/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/912/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/912/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/912/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/759/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/759/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/759/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/517/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2307/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/918/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/918/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/918/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1594/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1594/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2285/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2281/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1349/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1349/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1623/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1623/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/761/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/761/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/761/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1622/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1622/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/884/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/884/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/884/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1983/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1983/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2038/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2038/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1586/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1586/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1465/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1465/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1344/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1344/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1860/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1860/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1463/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/1463/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2156/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/2156/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/800/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/800/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/800/exe
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/801/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/801/fd
Source: /tmp/0vFX7VXc9U (PID: 6237)	File opened: /proc/801/exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54616
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54618
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54622
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54632
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54640
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54648
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54650
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54656

Source: /tmp/0vFX7VXc9U (PID: 6229)

Queries kernel information via 'uname':

Source: 0vFX7VXc9U, 6229.1.00000000631ea211.00000000c91328e8.rw-.sdmp, 0vFX7VXc9U, 6231.1.00000000631ea211.00000000c91328e8.rw-.sdmp, 0vFX7VXc9U, 6233.1.00000000631ea211.00000000c91328e8.rw-.sdmp, 0vFX7VXc9U, 6239.1.00000000631ea211.00000000c91328e8.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: 0vFX7VXc9U, 6229.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp, 0vFX7VXc9U, 6231.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp, 0vFX7VXc9U, 6233.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp, 0vFX7VXc9U, 6239.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/0vFX7VXc9USUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/0vFX7VXc9U
Source: 0vFX7VXc9U, 6229.1.00000000631ea211.00000000c91328e8.rw-.sdmp, 0vFX7VXc9U, 6231.1.00000000631ea211.00000000c91328e8.rw-.sdmp, 0vFX7VXc9U, 6233.1.00000000631ea211.00000000c91328e8.rw-.sdmp, 0vFX7VXc9U, 6239.1.00000000631ea211.00000000c91328e8.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: 0vFX7VXc9U, 6229.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp, 0vFX7VXc9U, 6231.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp, 0vFX7VXc9U, 6233.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp, 0vFX7VXc9U, 6239.1.0000000037e28d0d.00000000d1298c36.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Service Stop
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0vFX7VXc9U	40%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	0vFX7VXc9U	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.199.38.171	unknown	United States	11363	FUJITSU-USAUS	false
126.210.129.155	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
193.197.13.107	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
38.162.241.46	unknown	United States	174	COGENT-174US	false
158.34.190.148	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
17.68.111.77	unknown	United States	714	APPLE-ENGINEERINGUS	false
202.211.43.114	unknown	Japan	23637	BI-CDN-IXEquinixJpapanEnterpriseKKJP	false
58.49.78.189	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
187.44.116.221	unknown	Brazil	28303	UNASSIGNED	false
167.194.166.140	unknown	United States	2897	GEORGIA-1US	false
155.103.234.205	unknown	United States	17055	UTAHUS	false
117.20.6.89	unknown	Australia	45671	AS45671-NET-AUWholesaleServicesProviderAU	false
123.123.10.10	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
211.215.142.151	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
184.183.128.14	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
27.91.141.132	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
191.69.208.120	unknown	Colombia	26611	COMCELSACO	false
179.181.230.189	unknown	Brazil	18881	TELEFONICABRASILSABR	false
106.178.36.12	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
79.212.37.114	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
242.191.215.50	unknown	Reserved	unknown	unknown	false
173.159.96.56	unknown	United States	10507	SPCSUS	false
192.70.114.91	unknown	France	2200	FR-RENATERReseauNationaldetelecommunicationspourlaTec	false
188.65.30.16	unknown	Oman	15679	CISOM	false
252.233.33.84	unknown	Reserved	unknown	unknown	false
155.174.155.129	unknown	United States	797	AMERITECH-ASUS	false
190.87.78.146	unknown	El Salvador	14754	TelguaGT	false
18.132.24.3	unknown	United States	16509	AMAZON-02US	false
112.135.85.14	unknown	Sri Lanka	9329	SLTINT-AS-APSriLankaTelecomInternetLK	false
122.238.160.53	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
63.222.211.96	unknown	United States	3491	BTN-ASNUS	false
47.111.235.144	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
60.78.199.133	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
113.151.235.184	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
210.151.10.111	unknown	Japan	4725	ODNSoftBankMobileCorpJP	false
67.150.211.85	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
221.161.108.168	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
172.127.100.178	unknown	United States	7018	ATT-INTERNET4US	false
241.170.151.161	unknown	Reserved	unknown	unknown	false
209.221.88.255	unknown	Canada	17054	AS17054US	false
255.103.13.193	unknown	Reserved	unknown	unknown	false
216.46.11.151	unknown	Canada	11478	OPENFACECA	false
189.197.247.189	unknown	Mexico	13999	MegaCableSAdeCVMX	false
145.245.19.10	unknown	Switzerland	2047	ASN-ROCHE-BASLEGlobalcorporateIPnetworkCH	false
57.62.76.32	unknown	Belgium	2686	ATGS-MMD-ASUS	false
202.231.94.147	unknown	Japan	2519	VECTANTARTERIANetworksCorporationJP	false
135.166.174.163	unknown	United States	14962	NCR-252US	false
165.26.68.176	unknown	United States	14381	CATERPILLAR-INCUS	false
147.147.16.159	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	false
4.138.164.110	unknown	United States	3356	LEVEL3US	false
34.38.58.196	unknown	United States	2686	ATGS-MMD-ASUS	false
84.239.71.93	unknown	France	20926	PULSATION-ASFR	false
152.47.196.81	unknown	United States	81	NCRENUS	false
188.103.181.52	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
85.186.170.195	unknown	Romania	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
34.66.240.213	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
20.151.130.134	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
177.167.27.22	unknown	Brazil	26615	TIMSABR	false
247.149.253.146	unknown	Reserved	unknown	unknown	false
243.95.58.195	unknown	Reserved	unknown	unknown	false
5.19.186.80	unknown	Russian Federation	41733	ZTELECOM-ASRU	false
62.8.167.45	unknown	Germany	20676	PLUSNETDE	false
68.40.94.171	unknown	United States	7922	COMCAST-7922US	false
176.67.2.141	unknown	Ukraine	25133	MCLAUT-ASUA	false
110.3.119.105	unknown	Japan	10013	FBDCFreeBitCoLtdJP	false
24.232.201.65	unknown	Argentina	10318	TelecomArgentinaSAAR	false
24.237.4.6	unknown	United States	8047	GCIUS	false
58.253.21.183	unknown	China	17622	CNCGROUP-GZChinaUnicomGuangzhounetworkCN	false
212.214.203.146	unknown	Sweden	3246	TDCSONGTele2BusinessTDCSwedenSE	false
47.19.240.28	unknown	United States	6128	CABLE-NET-1US	false
79.94.237.131	unknown	France	15557	LDCOMNETFR	false
12.170.33.63	unknown	United States	7018	ATT-INTERNET4US	false
35.115.167.133	unknown	United States	237	MERIT-AS-14US	false
40.131.167.165	unknown	United States	7029	WINDSTREAMUS	false
168.223.68.65	unknown	United States	7202	FAMUUS	false
251.241.122.248	unknown	Reserved	unknown	unknown	false
188.102.19.180	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
121.137.248.232	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
5.40.190.26	unknown	Spain	43160	ES-MDC-DATACENTERMalagaDataCenterES	false
92.175.5.148	unknown	France	3215	FranceTelecom-OrangeFR	false
201.188.216.73	unknown	Chile	7418	TELEFONICACHILESACL	false
120.168.146.194	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
242.205.249.210	unknown	Reserved	unknown	unknown	false
129.3.73.40	unknown	United States	14433	SUNY-OSWEGO-ASNUS	false
135.251.35.234	unknown	United States	10455	LUCENT-CIOUS	false
192.89.10.120	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
250.57.212.23	unknown	Reserved	unknown	unknown	false
36.118.159.83	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
24.69.73.98	unknown	Canada	6327	SHAWCA	false
117.53.253.20	unknown	Korea Republic of	9770	SPEEDONSTV-AS-KRLGHelloVisionCorpKR	false
253.198.199.189	unknown	Reserved	unknown	unknown	false
113.35.47.165	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
31.53.204.8	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
194.223.115.79	unknown	United Kingdom	138384	RMNI-AS-APRakutenMobileNetworkIncJP	false
254.55.175.61	unknown	Reserved	unknown	unknown	false
186.112.241.175	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
202.137.122.48	unknown	Philippines	38553	DCTECHDVO-AS-APInternetServiceProviderandDataCenterP	false
119.109.212.116	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
45.25.50.42	unknown	United States	7018	ATT-INTERNET4US	false
99.11.105.169	unknown	United States	7018	ATT-INTERNET4US	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	7.929417373612622
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	0vFX7VXc9U
File size:	25004
MD5:	5d6cccddcb88cb4daefbc964e23de098
SHA1:	18e29b4aaad7d49a2b2adba64387494c6590c8dc
SHA256:	1dfc810854844288a6f5c6b1e8dc25059bcff19c5585773956e568eaa4794970
SHA512:	1847514de3f1c5940ffead1621460b99b793b3f80550397985e8ac6672cafa5950e5bcaf9a66d605b5847052183cf934a1cc5e7ef1bb1d1ad0aa71d11abf793e
SSDEEP:	768:5X9nxn8o9wnBoWzEQf2EjKb3pOIs3UozH:5tn+o9wjfBAZO9zH
TLSH:	21B2D0727015F8B7C7E600B76AEDCA83FA800EF8D0E8B3291465099DE9D4846BBF1547
File Content Preview:	.ELF...a..........(.........4...........4. ...(......................`...`...............^..........................Q.td..............................CvUPX!........0...0.......R..........?.E.h;.}...^..........f.Z.6..(fw....&.x:.E.......oe.`.S..T.......n..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0xcf10
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x60bf	0x60bf	4.0486	0x5	R E	0x8000
LOAD	0x5ee0	0x1dee0	0x1dee0	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 04:06:47.165482044 CEST	42836	443	192.168.2.23	91.189.91.43
May 14, 2022 04:06:47.622730970 CEST	60988	1312	192.168.2.23	107.172.197.117
May 14, 2022 04:06:47.649099112 CEST	32443	23	192.168.2.23	75.153.213.149
May 14, 2022 04:06:47.649204016 CEST	32443	23	192.168.2.23	44.100.148.162
May 14, 2022 04:06:47.649205923 CEST	32443	23	192.168.2.23	153.161.78.149
May 14, 2022 04:06:47.649209023 CEST	32443	23	192.168.2.23	124.122.52.227
May 14, 2022 04:06:47.649218082 CEST	32443	23	192.168.2.23	200.20.122.95
May 14, 2022 04:06:47.649226904 CEST	32443	23	192.168.2.23	209.74.247.155
May 14, 2022 04:06:47.649228096 CEST	32443	23	192.168.2.23	174.71.198.101
May 14, 2022 04:06:47.649244070 CEST	32443	23	192.168.2.23	117.236.55.110
May 14, 2022 04:06:47.649250984 CEST	32443	23	192.168.2.23	37.106.71.233
May 14, 2022 04:06:47.649257898 CEST	32443	23	192.168.2.23	222.47.177.148
May 14, 2022 04:06:47.649274111 CEST	32443	23	192.168.2.23	125.144.106.185
May 14, 2022 04:06:47.649287939 CEST	32443	23	192.168.2.23	206.15.179.149
May 14, 2022 04:06:47.649288893 CEST	32443	23	192.168.2.23	254.27.202.193
May 14, 2022 04:06:47.649317980 CEST	32443	23	192.168.2.23	201.103.134.232
May 14, 2022 04:06:47.649319887 CEST	32443	23	192.168.2.23	219.78.219.232
May 14, 2022 04:06:47.649323940 CEST	32443	23	192.168.2.23	67.141.187.33
May 14, 2022 04:06:47.649323940 CEST	32443	23	192.168.2.23	104.195.123.176
May 14, 2022 04:06:47.649332047 CEST	32443	23	192.168.2.23	120.108.63.223
May 14, 2022 04:06:47.649334908 CEST	32443	23	192.168.2.23	48.186.3.119
May 14, 2022 04:06:47.649338961 CEST	32443	23	192.168.2.23	80.133.177.198
May 14, 2022 04:06:47.649342060 CEST	32443	23	192.168.2.23	182.248.186.183
May 14, 2022 04:06:47.649362087 CEST	32443	23	192.168.2.23	186.227.10.184
May 14, 2022 04:06:47.649370909 CEST	32443	23	192.168.2.23	71.218.165.185
May 14, 2022 04:06:47.649377108 CEST	32443	23	192.168.2.23	179.129.198.114
May 14, 2022 04:06:47.649382114 CEST	32443	23	192.168.2.23	59.240.120.127
May 14, 2022 04:06:47.649391890 CEST	32443	23	192.168.2.23	67.6.248.156
May 14, 2022 04:06:47.649409056 CEST	32443	23	192.168.2.23	171.64.241.180
May 14, 2022 04:06:47.649411917 CEST	32443	23	192.168.2.23	75.151.87.145
May 14, 2022 04:06:47.649434090 CEST	32443	23	192.168.2.23	196.183.155.18
May 14, 2022 04:06:47.649451971 CEST	32443	23	192.168.2.23	193.188.234.47
May 14, 2022 04:06:47.649458885 CEST	32443	23	192.168.2.23	185.135.188.9
May 14, 2022 04:06:47.649461031 CEST	32443	23	192.168.2.23	179.213.133.164
May 14, 2022 04:06:47.649472952 CEST	32443	23	192.168.2.23	179.242.15.168
May 14, 2022 04:06:47.649477959 CEST	32443	23	192.168.2.23	198.16.2.230
May 14, 2022 04:06:47.649487972 CEST	32443	23	192.168.2.23	191.27.73.58
May 14, 2022 04:06:47.649494886 CEST	32443	23	192.168.2.23	41.235.202.130
May 14, 2022 04:06:47.649497032 CEST	32443	23	192.168.2.23	58.241.84.58
May 14, 2022 04:06:47.649513006 CEST	32443	23	192.168.2.23	169.228.22.89
May 14, 2022 04:06:47.649522066 CEST	32443	23	192.168.2.23	79.197.67.24
May 14, 2022 04:06:47.649528980 CEST	32443	23	192.168.2.23	32.171.233.252
May 14, 2022 04:06:47.649547100 CEST	32443	23	192.168.2.23	53.169.86.102
May 14, 2022 04:06:47.649557114 CEST	32443	23	192.168.2.23	149.13.99.100
May 14, 2022 04:06:47.649566889 CEST	32443	23	192.168.2.23	115.192.179.28
May 14, 2022 04:06:47.649574995 CEST	32443	23	192.168.2.23	255.194.67.22
May 14, 2022 04:06:47.649579048 CEST	32443	23	192.168.2.23	220.114.89.247
May 14, 2022 04:06:47.649579048 CEST	32443	23	192.168.2.23	213.233.2.165
May 14, 2022 04:06:47.649590969 CEST	32443	23	192.168.2.23	32.215.205.156
May 14, 2022 04:06:47.649606943 CEST	32443	23	192.168.2.23	106.217.38.243
May 14, 2022 04:06:47.649625063 CEST	32443	23	192.168.2.23	213.149.54.237
May 14, 2022 04:06:47.649646044 CEST	32443	23	192.168.2.23	136.152.202.182
May 14, 2022 04:06:47.649662971 CEST	32443	23	192.168.2.23	246.41.209.242
May 14, 2022 04:06:47.649665117 CEST	32443	23	192.168.2.23	216.206.132.166
May 14, 2022 04:06:47.649671078 CEST	32443	23	192.168.2.23	93.145.222.200
May 14, 2022 04:06:47.649676085 CEST	32443	23	192.168.2.23	43.189.64.76
May 14, 2022 04:06:47.649687052 CEST	32443	23	192.168.2.23	152.140.126.31
May 14, 2022 04:06:47.649701118 CEST	32443	23	192.168.2.23	242.147.110.117
May 14, 2022 04:06:47.649705887 CEST	32443	23	192.168.2.23	63.169.226.62
May 14, 2022 04:06:47.649707079 CEST	32443	23	192.168.2.23	120.186.49.8
May 14, 2022 04:06:47.649719954 CEST	32443	23	192.168.2.23	76.1.90.95
May 14, 2022 04:06:47.649734020 CEST	32443	23	192.168.2.23	101.16.255.230
May 14, 2022 04:06:47.649734974 CEST	32443	23	192.168.2.23	180.241.64.96
May 14, 2022 04:06:47.649745941 CEST	32443	23	192.168.2.23	196.130.242.76
May 14, 2022 04:06:47.649779081 CEST	32443	23	192.168.2.23	87.219.35.54
May 14, 2022 04:06:47.649797916 CEST	32443	23	192.168.2.23	243.248.0.5
May 14, 2022 04:06:47.649808884 CEST	32443	23	192.168.2.23	206.96.219.213
May 14, 2022 04:06:47.649820089 CEST	32443	23	192.168.2.23	204.48.209.151
May 14, 2022 04:06:47.649836063 CEST	32443	23	192.168.2.23	177.49.126.125
May 14, 2022 04:06:47.649842024 CEST	32443	23	192.168.2.23	120.57.198.94
May 14, 2022 04:06:47.649852991 CEST	32443	23	192.168.2.23	96.86.42.255
May 14, 2022 04:06:47.649867058 CEST	32443	23	192.168.2.23	78.244.164.235
May 14, 2022 04:06:47.649871111 CEST	32443	23	192.168.2.23	196.124.245.95
May 14, 2022 04:06:47.649884939 CEST	32443	23	192.168.2.23	111.4.207.39
May 14, 2022 04:06:47.649898052 CEST	32443	23	192.168.2.23	74.5.123.44
May 14, 2022 04:06:47.649899006 CEST	32443	23	192.168.2.23	204.229.212.180
May 14, 2022 04:06:47.649910927 CEST	32443	23	192.168.2.23	14.173.89.122
May 14, 2022 04:06:47.653451920 CEST	32443	23	192.168.2.23	52.255.19.210
May 14, 2022 04:06:47.653487921 CEST	32443	23	192.168.2.23	81.110.79.148
May 14, 2022 04:06:47.653500080 CEST	32443	23	192.168.2.23	92.173.20.82
May 14, 2022 04:06:47.653507948 CEST	32443	23	192.168.2.23	205.150.211.112
May 14, 2022 04:06:47.653526068 CEST	32443	23	192.168.2.23	112.132.129.238
May 14, 2022 04:06:47.653527021 CEST	32443	23	192.168.2.23	73.223.213.175
May 14, 2022 04:06:47.653544903 CEST	32443	23	192.168.2.23	79.54.60.235
May 14, 2022 04:06:47.653553009 CEST	32443	23	192.168.2.23	154.21.85.34
May 14, 2022 04:06:47.653559923 CEST	32443	23	192.168.2.23	171.26.120.57
May 14, 2022 04:06:47.653568983 CEST	32443	23	192.168.2.23	194.49.84.7
May 14, 2022 04:06:47.653590918 CEST	32443	23	192.168.2.23	175.172.90.242
May 14, 2022 04:06:47.653592110 CEST	32443	23	192.168.2.23	32.127.243.128
May 14, 2022 04:06:47.653594971 CEST	32443	23	192.168.2.23	170.17.160.193
May 14, 2022 04:06:47.653599024 CEST	32443	23	192.168.2.23	217.254.86.172
May 14, 2022 04:06:47.653610945 CEST	32443	23	192.168.2.23	208.29.163.165
May 14, 2022 04:06:47.653611898 CEST	32443	23	192.168.2.23	42.179.104.4
May 14, 2022 04:06:47.653620958 CEST	32443	23	192.168.2.23	125.107.88.197
May 14, 2022 04:06:47.653635025 CEST	32443	23	192.168.2.23	130.239.118.166
May 14, 2022 04:06:47.653636932 CEST	32443	23	192.168.2.23	254.240.91.4
May 14, 2022 04:06:47.653655052 CEST	32443	23	192.168.2.23	117.142.14.183
May 14, 2022 04:06:47.653661013 CEST	32443	23	192.168.2.23	205.133.77.82
May 14, 2022 04:06:47.653671026 CEST	32443	23	192.168.2.23	155.50.19.164
May 14, 2022 04:06:47.653682947 CEST	32443	23	192.168.2.23	82.24.191.155

System Behavior

Analysis Process: 0vFX7VXc9U PID: 6229, Parent PID: 6122

General

Start time:	04:06:46
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	/tmp/0vFX7VXc9U
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: 0vFX7VXc9U PID: 6231, Parent PID: 6229

General

Start time:	04:06:47
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: 0vFX7VXc9U PID: 6233, Parent PID: 6229

General

Start time:	04:06:47
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: 0vFX7VXc9U PID: 6235, Parent PID: 6229

General

Start time:	04:06:47
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: 0vFX7VXc9U PID: 6237, Parent PID: 6235

General

Start time:	04:06:47
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: 0vFX7VXc9U PID: 6239, Parent PID: 6235

General

Start time:	04:06:47
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: 0vFX7VXc9U PID: 6240, Parent PID: 6235

General

Start time:	04:06:47
Start date:	14/05/2022
Path:	/tmp/0vFX7VXc9U
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 0vFX7VXc9U

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: 0vFX7VXc9U PID: 6229, Parent PID: 6122

General

Analysis Process: 0vFX7VXc9U PID: 6231, Parent PID: 6229

General

Analysis Process: 0vFX7VXc9U PID: 6233, Parent PID: 6229

General

Analysis Process: 0vFX7VXc9U PID: 6235, Parent PID: 6229

General

Analysis Process: 0vFX7VXc9U PID: 6237, Parent PID: 6235

General

Analysis Process: 0vFX7VXc9U PID: 6239, Parent PID: 6235

General

Analysis Process: 0vFX7VXc9U PID: 6240, Parent PID: 6235

General

Linux Analysis Report
0vFX7VXc9U