Edit tour

Linux Analysis Report
csqe8VS0YI

Overview

General Information

Sample Name:	csqe8VS0YI
Analysis ID:	626473
MD5:	beae05ed2e1e2189d5f44fe5fe95111a
SHA1:	ad4d569675210467533e6093f3b13f805c860a28
SHA256:	a5cb465d21d9171b83bbbb658bbea9c875e421e37603f5e576c6387570fed6c6
Tags:	32elfmiraimotorola
Infos:

Detection

Mirai

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626473
Start date and time: 14/05/202204:14:29	2022-05-14 04:14:29 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	csqe8VS0YI
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal60.troj.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/csqe8VS0YI
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

csqe8VS0YI (PID: 6230, Parent: 6123, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/csqe8VS0YI

csqe8VS0YI New Fork (PID: 6232, Parent: 6230)

csqe8VS0YI New Fork (PID: 6329, Parent: 6232)

csqe8VS0YI New Fork (PID: 6331, Parent: 6232)

csqe8VS0YI New Fork (PID: 6333, Parent: 6331)

csqe8VS0YI New Fork (PID: 6347, Parent: 6333)

csqe8VS0YI New Fork (PID: 6349, Parent: 6333)

csqe8VS0YI New Fork (PID: 6335, Parent: 6331)

csqe8VS0YI New Fork (PID: 6336, Parent: 6331)

csqe8VS0YI New Fork (PID: 6233, Parent: 6230)

csqe8VS0YI New Fork (PID: 6235, Parent: 6230)

csqe8VS0YI New Fork (PID: 6238, Parent: 6235)

csqe8VS0YI New Fork (PID: 6340, Parent: 6238)

csqe8VS0YI New Fork (PID: 6341, Parent: 6238)

csqe8VS0YI New Fork (PID: 6239, Parent: 6235)

csqe8VS0YI New Fork (PID: 6240, Parent: 6235)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: csqe8VS0YI

Virustotal: Detection: 54%

Perma Link

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58834
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58842
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58844
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58848
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58858
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58864
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58868
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58870
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58874
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58876
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36094
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36098
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36104
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36108
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46728
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46732
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46738
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46744
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46756
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46780
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37450
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37456
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37464
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37484
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37498
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37502
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37510
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37520
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37532
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50030

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312

Source: /tmp/csqe8VS0YI (PID: 6232)	Socket: 0.0.0.0::0
Source: /tmp/csqe8VS0YI (PID: 6238)	Socket: 0.0.0.0::0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 13.0.164.21
Source: unknown	TCP traffic detected without corresponding DNS query: 109.74.44.219
Source: unknown	TCP traffic detected without corresponding DNS query: 91.146.53.149
Source: unknown	TCP traffic detected without corresponding DNS query: 200.3.132.206
Source: unknown	TCP traffic detected without corresponding DNS query: 40.130.28.180
Source: unknown	TCP traffic detected without corresponding DNS query: 57.50.234.50
Source: unknown	TCP traffic detected without corresponding DNS query: 84.225.48.252
Source: unknown	TCP traffic detected without corresponding DNS query: 87.116.152.152
Source: unknown	TCP traffic detected without corresponding DNS query: 16.40.254.63
Source: unknown	TCP traffic detected without corresponding DNS query: 109.221.53.232
Source: unknown	TCP traffic detected without corresponding DNS query: 125.158.147.235
Source: unknown	TCP traffic detected without corresponding DNS query: 180.235.64.76
Source: unknown	TCP traffic detected without corresponding DNS query: 119.114.96.176
Source: unknown	TCP traffic detected without corresponding DNS query: 254.156.93.201
Source: unknown	TCP traffic detected without corresponding DNS query: 200.12.231.204
Source: unknown	TCP traffic detected without corresponding DNS query: 170.237.5.40
Source: unknown	TCP traffic detected without corresponding DNS query: 20.137.109.105
Source: unknown	TCP traffic detected without corresponding DNS query: 12.150.146.55
Source: unknown	TCP traffic detected without corresponding DNS query: 155.29.204.24
Source: unknown	TCP traffic detected without corresponding DNS query: 188.213.44.241
Source: unknown	TCP traffic detected without corresponding DNS query: 249.23.145.34
Source: unknown	TCP traffic detected without corresponding DNS query: 200.18.228.173
Source: unknown	TCP traffic detected without corresponding DNS query: 75.41.202.169
Source: unknown	TCP traffic detected without corresponding DNS query: 126.105.222.202
Source: unknown	TCP traffic detected without corresponding DNS query: 153.70.148.14
Source: unknown	TCP traffic detected without corresponding DNS query: 23.23.94.132
Source: unknown	TCP traffic detected without corresponding DNS query: 65.213.102.187
Source: unknown	TCP traffic detected without corresponding DNS query: 207.168.78.221
Source: unknown	TCP traffic detected without corresponding DNS query: 48.40.215.16
Source: unknown	TCP traffic detected without corresponding DNS query: 240.52.146.115
Source: unknown	TCP traffic detected without corresponding DNS query: 92.232.247.111
Source: unknown	TCP traffic detected without corresponding DNS query: 196.172.39.72
Source: unknown	TCP traffic detected without corresponding DNS query: 178.149.134.76
Source: unknown	TCP traffic detected without corresponding DNS query: 126.44.231.157
Source: unknown	TCP traffic detected without corresponding DNS query: 141.194.26.246
Source: unknown	TCP traffic detected without corresponding DNS query: 87.78.65.88
Source: unknown	TCP traffic detected without corresponding DNS query: 219.200.159.231
Source: unknown	TCP traffic detected without corresponding DNS query: 170.246.202.65
Source: unknown	TCP traffic detected without corresponding DNS query: 59.36.111.29
Source: unknown	TCP traffic detected without corresponding DNS query: 200.244.143.83
Source: unknown	TCP traffic detected without corresponding DNS query: 216.72.26.76
Source: unknown	TCP traffic detected without corresponding DNS query: 60.205.3.37
Source: unknown	TCP traffic detected without corresponding DNS query: 174.243.166.20
Source: unknown	TCP traffic detected without corresponding DNS query: 121.65.191.75
Source: unknown	TCP traffic detected without corresponding DNS query: 247.197.213.37
Source: unknown	TCP traffic detected without corresponding DNS query: 60.139.134.173
Source: unknown	TCP traffic detected without corresponding DNS query: 190.182.241.250
Source: unknown	TCP traffic detected without corresponding DNS query: 191.61.152.28
Source: unknown	TCP traffic detected without corresponding DNS query: 251.42.123.253

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/csqe8VS0YI (PID: 6232)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/csqe8VS0YI (PID: 6238)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal60.troj.lin@0/0@0/0

Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/491/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/793/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/772/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/796/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/774/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/797/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/777/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/799/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/658/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/912/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/759/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/936/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/918/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/1/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/761/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/785/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/884/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/720/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/721/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/788/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/789/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/800/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/801/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/847/fd
Source: /tmp/csqe8VS0YI (PID: 6232)	File opened: /proc/904/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/491/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/793/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/772/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/796/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/774/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/797/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/777/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/799/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/658/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/912/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/759/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/936/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/918/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/1/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/761/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/785/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/884/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/720/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/721/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/788/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/789/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/800/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/801/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/847/fd
Source: /tmp/csqe8VS0YI (PID: 6238)	File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58834
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58842
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58844
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58848
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58858
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58864
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58868
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58870
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58874
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58876
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36094
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36098
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36104
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36108
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36118
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46728
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46730
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46732
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46738
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46744
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46756
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46780
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37450
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37456
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37464
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37484
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37498
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37502
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37510
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37520
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37532
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 50030

Source: /tmp/csqe8VS0YI (PID: 6230)

Queries kernel information via 'uname':

Source: csqe8VS0YI, 6230.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6232.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6329.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6347.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6335.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6233.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6340.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6239.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: csqe8VS0YI, 6230.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6232.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6329.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6347.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6335.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6233.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6340.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6239.1.000000008aa52aac.000000001b30196b.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: csqe8VS0YI, 6230.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6232.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6329.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6347.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6335.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6233.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6340.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp, csqe8VS0YI, 6239.1.000000002ca05d23.00000000ffe813ce.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: csqe8VS0YI, 6230.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6232.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6329.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6347.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6335.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6233.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6340.1.000000008aa52aac.000000001b30196b.rw-.sdmp, csqe8VS0YI, 6239.1.000000008aa52aac.000000001b30196b.rw-.sdmp	Binary or memory string: Piyx86_64/usr/bin/qemu-m68k/tmp/csqe8VS0YISUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/csqe8VS0YI

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
csqe8VS0YI	54%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
158.192.236.239	unknown	France	9159	CreditAgricoleFR	false
47.238.157.74	unknown	United States	20115	CHARTER-20115US	false
23.71.43.196	unknown	United States	7922	COMCAST-7922US	false
145.209.166.104	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
60.117.131.82	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
76.106.206.30	unknown	United States	7922	COMCAST-7922US	false
182.248.57.101	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
220.104.136.94	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
36.253.250.150	unknown	Nepal	38565	NCELL-AS-NPNcellPvtLtdNP	false
90.251.212.247	unknown	United Kingdom	5378	VodafoneGB	false
253.30.98.154	unknown	Reserved	unknown	unknown	false
53.189.202.203	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
60.86.254.10	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
69.142.24.95	unknown	United States	7922	COMCAST-7922US	false
196.102.183.56	unknown	Kenya	33771	SAFARICOM-LIMITEDKE	false
121.126.241.161	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
63.211.32.11	unknown	United States	3356	LEVEL3US	false
167.20.171.244	unknown	United States	11273	FDCSGNETUS	false
78.36.89.177	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
125.137.19.123	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
194.96.24.204	unknown	Austria	1901	EUNETAT-ASA1TelekomAustriaAGAT	false
16.66.203.61	unknown	United States	unknown	unknown	false
157.25.81.76	unknown	Poland	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
78.119.21.74	unknown	France	8228	CEGETEL-ASFR	false
71.119.37.51	unknown	United States	701	UUNETUS	false
61.58.244.28	unknown	Taiwan; Republic of China (ROC)	9676	SAVECOM-TWSaveComInternationIncTW	false
110.90.152.15	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
191.64.65.243	unknown	Colombia	26611	COMCELSACO	false
157.247.81.176	unknown	Austria	8447	TELEKOM-ATA1TelekomAustriaAGAT	false
164.171.252.182	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
157.169.11.71	unknown	France	2418	FR-ASNBLOCK2FR-MAN-SOPHIA-ANTIPOLISEU	false
247.23.178.56	unknown	Reserved	unknown	unknown	false
199.77.160.247	unknown	United States	3549	LVLT-3549US	false
141.72.50.93	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
197.2.168.196	unknown	Tunisia	37705	TOPNETTN	false
122.93.82.223	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
57.198.102.60	unknown	Belgium	2686	ATGS-MMD-ASUS	false
171.206.181.115	unknown	United States	10794	BANKAMERICAUS	false
72.12.236.220	unknown	United States	23175	POGOZONEUS	false
5.106.241.192	unknown	Iran (ISLAMIC Republic Of)	197207	MCCI-ASIR	false
117.142.77.183	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
185.57.37.79	unknown	United Kingdom	202206	MOTIVEGB	false
4.45.158.73	unknown	United States	3356	LEVEL3US	false
86.9.17.184	unknown	United Kingdom	5089	NTLGB	false
175.253.176.76	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
149.22.102.39	unknown	United States	48945	IFNL-ASGB	false
123.213.36.98	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
193.240.171.255	unknown	United Kingdom	32880	WEST-IP-COMMUNICATIONSUS	false
46.225.224.140	unknown	Iran (ISLAMIC Republic Of)	56402	DADEHGOSTAR-ASAS12880-DataCommunicationCompanyofIran	false
77.37.132.41	unknown	Russian Federation	42610	NCNET-ASRU	false
82.13.54.81	unknown	United Kingdom	5089	NTLGB	false
108.243.44.253	unknown	United States	7018	ATT-INTERNET4US	false
253.11.226.229	unknown	Reserved	unknown	unknown	false
212.63.201.26	unknown	Sweden	30880	SPACEDUMP-ASThisASNislocatedonSTHIXatTulegatanStoka	false
43.90.242.228	unknown	Japan	4249	LILLY-ASUS	false
217.171.229.85	unknown	Netherlands	39647	REDHOSTING-ASNL	false
130.172.61.17	unknown	United States	12173	UAUS	false
186.253.253.55	unknown	Brazil	26615	TIMSABR	false
82.41.252.140	unknown	United Kingdom	5089	NTLGB	false
101.196.10.60	unknown	China	58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false
78.0.185.207	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
37.140.115.105	unknown	Russian Federation	8369	INTERSVYAZ-AS38-BKomsomolskyprospektRU	false
168.92.214.232	unknown	United States	2707	FIRSTCOMM-AS1US	false
133.30.102.10	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
218.174.111.179	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
121.47.14.242	unknown	China	9811	BJGYsritcorpbeijingCN	false
154.23.227.237	unknown	United States	174	COGENT-174US	false
172.50.129.167	unknown	United States	21928	T-MOBILE-AS21928US	false
47.177.246.214	unknown	United States	5650	FRONTIER-FRTRUS	false
131.2.148.22	unknown	United States	61458	GOBIERNOAUTONOMOMUNICIPALDELAPAZBO	false
16.80.45.102	unknown	United States	unknown	unknown	false
222.58.250.219	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
38.216.139.33	unknown	United States	174	COGENT-174US	false
211.77.208.95	unknown	Taiwan; Republic of China (ROC)	9674	FET-TWFarEastToneTelecommunicationCoLtdTW	false
168.222.253.144	unknown	United States	2386	INS-ASUS	false
77.75.95.129	unknown	Lebanon	43019	FARAHNETLB	false
20.87.29.200	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
88.75.86.235	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
157.194.75.140	unknown	United States	4704	SANNETRakutenMobileIncJP	false
121.84.13.175	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
187.211.112.31	unknown	Mexico	8151	UninetSAdeCVMX	false
180.79.223.180	unknown	China	17429	BGCTVNETBEIJINGGEHUACATVNETWORKCOLTDCN	false
14.136.29.157	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	false
43.24.50.81	unknown	Japan	4249	LILLY-ASUS	false
253.191.50.137	unknown	Reserved	unknown	unknown	false
151.102.159.77	unknown	United States	32104	WELLMONT-TNUS	false
206.215.223.109	unknown	United States	11139	CWC-ROC-11139DM	false
249.32.109.223	unknown	Reserved	unknown	unknown	false
192.156.4.224	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
113.2.23.226	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
39.26.92.198	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
199.98.250.182	unknown	United States	174	COGENT-174US	false
209.252.203.215	unknown	United States	7029	WINDSTREAMUS	false
63.251.15.172	unknown	United States	32475	SINGLEHOP-LLCUS	false
184.134.171.230	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
35.188.132.78	unknown	United States	15169	GOOGLEUS	false
5.10.3.237	unknown	Germany	198726	KOMDSLDE	false
84.244.129.204	unknown	Netherlands	20495	WEDAREwd6NETBVNL	false
208.127.60.11	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	false
75.112.13.129	unknown	United States	33363	BHN-33363US	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.212939322901568
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	csqe8VS0YI
File size:	53056
MD5:	beae05ed2e1e2189d5f44fe5fe95111a
SHA1:	ad4d569675210467533e6093f3b13f805c860a28
SHA256:	a5cb465d21d9171b83bbbb658bbea9c875e421e37603f5e576c6387570fed6c6
SHA512:	950a85fe50fed766415ba25b66a321eb59ed39332815d1a3c2297549f7a68aca90fff3e7ef20c58aa0a7382c64360dc1141fbe6dfa66556931ce1d1d8c0142ea
SSDEEP:	768:mLGOe2kf9e9X9nberzI2vcv/QP3w5gFHviPuzWeHXpi2UJTMDnH638g5:mL/4f8F1eB0ApFvimzpZi2UJanHY8A
TLSH:	A8333ADAB902AD7DF98BEABE80170E0AB23123541053073777EBFC937E321549956E46
File Content Preview:	.ELF.......................D...4.........4. ...(.................................. ....................p.......... .dt.Q............................NV..a....da.....N^NuNV..J9...pf>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........pN^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	52656
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0xc5d6	0x0	0x6	AX	4
.fini	PROGBITS	0x8000c67e	0xc67e	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x8000c68c	0xc68c	0x56e	0x0	0x2	A	2
.ctors	PROGBITS	0x8000ec00	0xcc00	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8000ec08	0xcc08	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8000ec14	0xcc14	0x15c	0x0	0x3	WA	4
.bss	NOBITS	0x8000ed70	0xcd70	0x23c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xcd70	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0xcbfa	0xcbfa	4.2327	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0xcc00	0x8000ec00	0x8000ec00	0x170	0x3ac	0.2775	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 04:15:14.904967070 CEST	60988	1312	192.168.2.23	107.172.197.117
May 14, 2022 04:15:14.959037066 CEST	42325	23	192.168.2.23	13.0.164.21
May 14, 2022 04:15:14.959187984 CEST	42325	23	192.168.2.23	109.74.44.219
May 14, 2022 04:15:14.959194899 CEST	42325	23	192.168.2.23	91.146.53.149
May 14, 2022 04:15:14.959196091 CEST	42325	23	192.168.2.23	200.3.132.206
May 14, 2022 04:15:14.959227085 CEST	42325	23	192.168.2.23	40.130.28.180
May 14, 2022 04:15:14.959243059 CEST	42325	23	192.168.2.23	57.50.234.50
May 14, 2022 04:15:14.959252119 CEST	42325	23	192.168.2.23	84.225.48.252
May 14, 2022 04:15:14.959259987 CEST	42325	23	192.168.2.23	87.116.152.152
May 14, 2022 04:15:14.959275961 CEST	42325	23	192.168.2.23	16.40.254.63
May 14, 2022 04:15:14.959295034 CEST	42325	23	192.168.2.23	109.221.53.232
May 14, 2022 04:15:14.959325075 CEST	42325	23	192.168.2.23	125.158.147.235
May 14, 2022 04:15:14.959325075 CEST	42325	23	192.168.2.23	180.235.64.76
May 14, 2022 04:15:14.959336996 CEST	42325	23	192.168.2.23	119.114.96.176
May 14, 2022 04:15:14.959342957 CEST	42325	23	192.168.2.23	254.156.93.201
May 14, 2022 04:15:14.959351063 CEST	42325	23	192.168.2.23	200.12.231.204
May 14, 2022 04:15:14.959351063 CEST	42325	23	192.168.2.23	170.237.5.40
May 14, 2022 04:15:14.959353924 CEST	42325	23	192.168.2.23	20.137.109.105
May 14, 2022 04:15:14.959374905 CEST	42325	23	192.168.2.23	12.150.146.55
May 14, 2022 04:15:14.959374905 CEST	42325	23	192.168.2.23	155.29.204.24
May 14, 2022 04:15:14.959379911 CEST	42325	23	192.168.2.23	188.213.44.241
May 14, 2022 04:15:14.959427118 CEST	42325	23	192.168.2.23	249.23.145.34
May 14, 2022 04:15:14.959455013 CEST	42325	23	192.168.2.23	200.18.228.173
May 14, 2022 04:15:14.959469080 CEST	42325	23	192.168.2.23	75.41.202.169
May 14, 2022 04:15:14.959496975 CEST	42325	23	192.168.2.23	126.105.222.202
May 14, 2022 04:15:14.959521055 CEST	42325	23	192.168.2.23	153.70.148.14
May 14, 2022 04:15:14.959546089 CEST	42325	23	192.168.2.23	23.23.94.132
May 14, 2022 04:15:14.959573030 CEST	42325	23	192.168.2.23	65.213.102.187
May 14, 2022 04:15:14.959614992 CEST	42325	23	192.168.2.23	207.168.78.221
May 14, 2022 04:15:14.959631920 CEST	42325	23	192.168.2.23	48.40.215.16
May 14, 2022 04:15:14.959657907 CEST	42325	23	192.168.2.23	240.52.146.115
May 14, 2022 04:15:14.959662914 CEST	42325	23	192.168.2.23	92.232.247.111
May 14, 2022 04:15:14.959681034 CEST	42325	23	192.168.2.23	196.172.39.72
May 14, 2022 04:15:14.959709883 CEST	42325	23	192.168.2.23	178.149.134.76
May 14, 2022 04:15:14.959732056 CEST	42325	23	192.168.2.23	126.44.231.157
May 14, 2022 04:15:14.959733963 CEST	42325	23	192.168.2.23	141.194.26.246
May 14, 2022 04:15:14.959736109 CEST	42325	23	192.168.2.23	87.78.65.88
May 14, 2022 04:15:14.959772110 CEST	42325	23	192.168.2.23	219.200.159.231
May 14, 2022 04:15:14.959777117 CEST	42325	23	192.168.2.23	170.246.202.65
May 14, 2022 04:15:14.959781885 CEST	42325	23	192.168.2.23	59.36.111.29
May 14, 2022 04:15:14.959799051 CEST	42325	23	192.168.2.23	200.244.143.83
May 14, 2022 04:15:14.959810972 CEST	42325	23	192.168.2.23	216.72.26.76
May 14, 2022 04:15:14.959829092 CEST	42325	23	192.168.2.23	60.205.3.37
May 14, 2022 04:15:14.959826946 CEST	42325	23	192.168.2.23	174.243.166.20
May 14, 2022 04:15:14.959840059 CEST	42325	23	192.168.2.23	121.65.191.75
May 14, 2022 04:15:14.959846973 CEST	42325	23	192.168.2.23	247.197.213.37
May 14, 2022 04:15:14.959847927 CEST	42325	23	192.168.2.23	60.139.134.173
May 14, 2022 04:15:14.959853888 CEST	42325	23	192.168.2.23	190.182.241.250
May 14, 2022 04:15:14.959862947 CEST	42325	23	192.168.2.23	191.61.152.28
May 14, 2022 04:15:14.959867001 CEST	42325	23	192.168.2.23	251.42.123.253
May 14, 2022 04:15:14.959867954 CEST	42325	23	192.168.2.23	60.123.110.201
May 14, 2022 04:15:14.959880114 CEST	42325	23	192.168.2.23	109.42.1.50
May 14, 2022 04:15:14.959883928 CEST	42325	23	192.168.2.23	101.216.131.38
May 14, 2022 04:15:14.959894896 CEST	42325	23	192.168.2.23	36.61.244.68
May 14, 2022 04:15:14.959906101 CEST	42325	23	192.168.2.23	196.165.59.180
May 14, 2022 04:15:14.959908962 CEST	42325	23	192.168.2.23	57.105.242.240
May 14, 2022 04:15:14.959914923 CEST	42325	23	192.168.2.23	9.6.80.81
May 14, 2022 04:15:14.959933996 CEST	42325	23	192.168.2.23	149.229.171.126
May 14, 2022 04:15:14.959980011 CEST	42325	23	192.168.2.23	183.75.208.148
May 14, 2022 04:15:14.959981918 CEST	42325	23	192.168.2.23	69.69.73.25
May 14, 2022 04:15:14.959984064 CEST	42325	23	192.168.2.23	72.100.17.186
May 14, 2022 04:15:14.959994078 CEST	42325	23	192.168.2.23	165.107.202.137
May 14, 2022 04:15:14.960017920 CEST	42325	23	192.168.2.23	152.36.230.131
May 14, 2022 04:15:14.960022926 CEST	42325	23	192.168.2.23	150.152.199.77
May 14, 2022 04:15:14.960046053 CEST	42325	23	192.168.2.23	120.62.103.182
May 14, 2022 04:15:14.960068941 CEST	42325	23	192.168.2.23	96.211.15.31
May 14, 2022 04:15:14.960073948 CEST	42325	23	192.168.2.23	37.186.116.2
May 14, 2022 04:15:14.960093021 CEST	42325	23	192.168.2.23	84.49.28.141
May 14, 2022 04:15:14.960103035 CEST	42325	23	192.168.2.23	125.34.129.240
May 14, 2022 04:15:14.960115910 CEST	42325	23	192.168.2.23	126.16.148.163
May 14, 2022 04:15:14.960216999 CEST	42325	23	192.168.2.23	13.151.80.119
May 14, 2022 04:15:14.960248947 CEST	42325	23	192.168.2.23	41.16.169.156
May 14, 2022 04:15:14.960257053 CEST	42325	23	192.168.2.23	171.195.93.106
May 14, 2022 04:15:14.960269928 CEST	42325	23	192.168.2.23	118.45.189.65
May 14, 2022 04:15:14.960292101 CEST	42325	23	192.168.2.23	152.10.123.104
May 14, 2022 04:15:14.960311890 CEST	42325	23	192.168.2.23	35.110.131.37
May 14, 2022 04:15:14.960321903 CEST	42325	23	192.168.2.23	107.249.44.203
May 14, 2022 04:15:14.960335016 CEST	42325	23	192.168.2.23	163.208.148.211
May 14, 2022 04:15:14.960344076 CEST	42325	23	192.168.2.23	250.41.230.109
May 14, 2022 04:15:14.960346937 CEST	42325	23	192.168.2.23	164.61.94.18
May 14, 2022 04:15:14.960349083 CEST	42325	23	192.168.2.23	149.171.126.223
May 14, 2022 04:15:14.960360050 CEST	42325	23	192.168.2.23	149.78.217.189
May 14, 2022 04:15:14.960361004 CEST	42325	23	192.168.2.23	62.60.170.135
May 14, 2022 04:15:14.960362911 CEST	42325	23	192.168.2.23	116.6.209.241
May 14, 2022 04:15:14.960391998 CEST	42325	23	192.168.2.23	153.50.83.201
May 14, 2022 04:15:14.960400105 CEST	42325	23	192.168.2.23	44.202.88.106
May 14, 2022 04:15:14.960423946 CEST	42325	23	192.168.2.23	195.100.56.41
May 14, 2022 04:15:14.960433006 CEST	42325	23	192.168.2.23	83.188.126.129
May 14, 2022 04:15:14.960449934 CEST	42325	23	192.168.2.23	40.255.135.233
May 14, 2022 04:15:14.960468054 CEST	42325	23	192.168.2.23	34.96.173.160
May 14, 2022 04:15:14.960481882 CEST	42325	23	192.168.2.23	102.177.42.145
May 14, 2022 04:15:14.960525990 CEST	42325	23	192.168.2.23	144.22.24.218
May 14, 2022 04:15:14.960529089 CEST	42325	23	192.168.2.23	60.192.178.63
May 14, 2022 04:15:14.960550070 CEST	42325	23	192.168.2.23	178.0.108.10
May 14, 2022 04:15:14.960580111 CEST	42325	23	192.168.2.23	63.111.61.158
May 14, 2022 04:15:14.960588932 CEST	42325	23	192.168.2.23	167.168.103.109
May 14, 2022 04:15:14.960599899 CEST	42325	23	192.168.2.23	191.55.43.90
May 14, 2022 04:15:14.960618973 CEST	42325	23	192.168.2.23	43.134.190.188
May 14, 2022 04:15:14.960623026 CEST	42325	23	192.168.2.23	211.36.146.121
May 14, 2022 04:15:14.960628986 CEST	42325	23	192.168.2.23	207.170.160.198

System Behavior

Analysis Process: csqe8VS0YI PID: 6230, Parent PID: 6123

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	/tmp/csqe8VS0YI
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6232, Parent PID: 6230

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6329, Parent PID: 6232

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6331, Parent PID: 6232

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6333, Parent PID: 6331

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6347, Parent PID: 6333

General

Start time:	04:18:10
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6349, Parent PID: 6333

General

Start time:	04:18:10
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6335, Parent PID: 6331

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6336, Parent PID: 6331

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6233, Parent PID: 6230

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6235, Parent PID: 6230

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6238, Parent PID: 6235

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6340, Parent PID: 6238

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6341, Parent PID: 6238

General

Start time:	04:18:05
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6239, Parent PID: 6235

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: csqe8VS0YI PID: 6240, Parent PID: 6235

General

Start time:	04:15:13
Start date:	14/05/2022
Path:	/tmp/csqe8VS0YI
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report csqe8VS0YI

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: csqe8VS0YI PID: 6230, Parent PID: 6123

General

Analysis Process: csqe8VS0YI PID: 6232, Parent PID: 6230

General

Analysis Process: csqe8VS0YI PID: 6329, Parent PID: 6232

General

Analysis Process: csqe8VS0YI PID: 6331, Parent PID: 6232

General

Analysis Process: csqe8VS0YI PID: 6333, Parent PID: 6331

General

Analysis Process: csqe8VS0YI PID: 6347, Parent PID: 6333

General

Analysis Process: csqe8VS0YI PID: 6349, Parent PID: 6333

General

Analysis Process: csqe8VS0YI PID: 6335, Parent PID: 6331

General

Analysis Process: csqe8VS0YI PID: 6336, Parent PID: 6331

General

Analysis Process: csqe8VS0YI PID: 6233, Parent PID: 6230

General

Analysis Process: csqe8VS0YI PID: 6235, Parent PID: 6230

Linux Analysis Report
csqe8VS0YI