Edit tour

Linux Analysis Report
tU468ylYjx

Overview

General Information

Sample Name:	tU468ylYjx
Analysis ID:	626477
MD5:	1f435b2e68e159ee636a17bf3552d7de
SHA1:	8c76b05125e6bf6c32f72934181d52fd07ba9ad9
SHA256:	2a918615507819ee0c0c1c1ced7afd8ab35e44488b78340273c39e5fd60c77a3
Tags:	32elfmiraipowerpc
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626477
Start date and time: 14/05/202204:25:24	2022-05-14 04:25:24 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 50s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	tU468ylYjx
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.troj.evad.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/tU468ylYjx
PID:	6224
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

tU468ylYjx (PID: 6224, Parent: 6123, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/tU468ylYjx

tU468ylYjx New Fork (PID: 6226, Parent: 6224)

tU468ylYjx New Fork (PID: 6323, Parent: 6226)

tU468ylYjx New Fork (PID: 6324, Parent: 6226)

tU468ylYjx New Fork (PID: 6327, Parent: 6324)

tU468ylYjx New Fork (PID: 6340, Parent: 6327)

tU468ylYjx New Fork (PID: 6341, Parent: 6327)

tU468ylYjx New Fork (PID: 6328, Parent: 6324)

tU468ylYjx New Fork (PID: 6330, Parent: 6324)

tU468ylYjx New Fork (PID: 6227, Parent: 6224)

tU468ylYjx New Fork (PID: 6228, Parent: 6224)

tU468ylYjx New Fork (PID: 6232, Parent: 6228)

tU468ylYjx New Fork (PID: 6333, Parent: 6232)

tU468ylYjx New Fork (PID: 6334, Parent: 6232)

tU468ylYjx New Fork (PID: 6233, Parent: 6228)

tU468ylYjx New Fork (PID: 6235, Parent: 6228)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: tU468ylYjx

Virustotal: Detection: 39%

Perma Link

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46028
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46040
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46056
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46068
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46080
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46086
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46114

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:60988 -> 107.172.197.117:1312

Source: /tmp/tU468ylYjx (PID: 6226)	Socket: 0.0.0.0::0
Source: /tmp/tU468ylYjx (PID: 6232)	Socket: 0.0.0.0::0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 107.172.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 12.163.181.164
Source: unknown	TCP traffic detected without corresponding DNS query: 124.201.35.249
Source: unknown	TCP traffic detected without corresponding DNS query: 171.213.184.249
Source: unknown	TCP traffic detected without corresponding DNS query: 13.176.229.145
Source: unknown	TCP traffic detected without corresponding DNS query: 40.189.128.38
Source: unknown	TCP traffic detected without corresponding DNS query: 81.1.19.123
Source: unknown	TCP traffic detected without corresponding DNS query: 44.239.254.250
Source: unknown	TCP traffic detected without corresponding DNS query: 195.248.207.10
Source: unknown	TCP traffic detected without corresponding DNS query: 125.160.224.12
Source: unknown	TCP traffic detected without corresponding DNS query: 176.219.82.86
Source: unknown	TCP traffic detected without corresponding DNS query: 181.167.224.33
Source: unknown	TCP traffic detected without corresponding DNS query: 192.158.30.22
Source: unknown	TCP traffic detected without corresponding DNS query: 164.121.109.58
Source: unknown	TCP traffic detected without corresponding DNS query: 255.50.154.97
Source: unknown	TCP traffic detected without corresponding DNS query: 195.182.138.20
Source: unknown	TCP traffic detected without corresponding DNS query: 34.87.70.255
Source: unknown	TCP traffic detected without corresponding DNS query: 84.179.75.208
Source: unknown	TCP traffic detected without corresponding DNS query: 153.32.229.82
Source: unknown	TCP traffic detected without corresponding DNS query: 167.144.133.226
Source: unknown	TCP traffic detected without corresponding DNS query: 165.129.120.248
Source: unknown	TCP traffic detected without corresponding DNS query: 23.135.109.15
Source: unknown	TCP traffic detected without corresponding DNS query: 130.209.114.86
Source: unknown	TCP traffic detected without corresponding DNS query: 201.237.134.237
Source: unknown	TCP traffic detected without corresponding DNS query: 90.177.55.159
Source: unknown	TCP traffic detected without corresponding DNS query: 142.111.164.126
Source: unknown	TCP traffic detected without corresponding DNS query: 194.175.222.234
Source: unknown	TCP traffic detected without corresponding DNS query: 102.170.32.54
Source: unknown	TCP traffic detected without corresponding DNS query: 65.33.147.242
Source: unknown	TCP traffic detected without corresponding DNS query: 162.35.238.129
Source: unknown	TCP traffic detected without corresponding DNS query: 68.39.20.181
Source: unknown	TCP traffic detected without corresponding DNS query: 82.242.120.172
Source: unknown	TCP traffic detected without corresponding DNS query: 160.75.41.82
Source: unknown	TCP traffic detected without corresponding DNS query: 54.61.51.66
Source: unknown	TCP traffic detected without corresponding DNS query: 8.111.142.254
Source: unknown	TCP traffic detected without corresponding DNS query: 202.134.62.135
Source: unknown	TCP traffic detected without corresponding DNS query: 130.227.86.83
Source: unknown	TCP traffic detected without corresponding DNS query: 182.166.35.149
Source: unknown	TCP traffic detected without corresponding DNS query: 146.188.246.197
Source: unknown	TCP traffic detected without corresponding DNS query: 252.177.70.187
Source: unknown	TCP traffic detected without corresponding DNS query: 103.112.133.170
Source: unknown	TCP traffic detected without corresponding DNS query: 27.173.221.44
Source: unknown	TCP traffic detected without corresponding DNS query: 59.64.215.233
Source: unknown	TCP traffic detected without corresponding DNS query: 167.152.64.82
Source: unknown	TCP traffic detected without corresponding DNS query: 95.212.120.53
Source: unknown	TCP traffic detected without corresponding DNS query: 197.18.69.91
Source: unknown	TCP traffic detected without corresponding DNS query: 36.235.194.65
Source: unknown	TCP traffic detected without corresponding DNS query: 162.206.45.56
Source: unknown	TCP traffic detected without corresponding DNS query: 77.5.227.75

Source: tU468ylYjx

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x100000

Source: /tmp/tU468ylYjx (PID: 6226)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/tU468ylYjx (PID: 6232)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal64.troj.evad.lin@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/491/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/793/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/772/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/796/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/774/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/797/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/777/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/799/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/658/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/912/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/759/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/936/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/918/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/1/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/761/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/785/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/884/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/720/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/721/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/788/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/789/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/800/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/801/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/847/fd
Source: /tmp/tU468ylYjx (PID: 6232)	File opened: /proc/904/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/491/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/793/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/772/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/796/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/774/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/797/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/777/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/799/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/658/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/912/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/759/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/936/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/918/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/1/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/761/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/785/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/884/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/720/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/721/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/788/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/789/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/800/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/801/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/847/fd
Source: /tmp/tU468ylYjx (PID: 6226)	File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46028
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46040
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46056
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46068
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46080
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46086
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46114

Source: /tmp/tU468ylYjx (PID: 6224)

Queries kernel information via 'uname':

Source: tU468ylYjx, 6224.1.0000000051be361b.00000000322ed218.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: tU468ylYjx, 6226.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6323.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6340.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6328.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6227.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6333.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6233.1.0000000051be361b.00000000322ed218.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: tU468ylYjx, 6224.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6226.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6323.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6340.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6328.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6227.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6333.1.0000000051be361b.00000000322ed218.rw-.sdmp, tU468ylYjx, 6233.1.0000000051be361b.00000000322ed218.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: tU468ylYjx, 6224.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6226.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6323.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6340.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6328.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6227.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6333.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6233.1.00000000631a968b.0000000029cdfeac.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: tU468ylYjx, 6224.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6226.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6323.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6340.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6328.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6227.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6333.1.00000000631a968b.0000000029cdfeac.rw-.sdmp, tU468ylYjx, 6233.1.00000000631a968b.0000000029cdfeac.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/tU468ylYjxSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/tU468ylYjx

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tU468ylYjx	39%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	tU468ylYjx	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
124.75.165.150	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
216.92.92.101	unknown	United States	7859	PAIR-NETWORKSUS	false
150.217.3.109	unknown	Italy	137	ASGARRConsortiumGARREU	false
244.158.124.82	unknown	Reserved	unknown	unknown	false
170.248.7.61	unknown	United States	21433	ACCENTUREFSSCLondonDCGB	false
71.99.94.185	unknown	United States	5650	FRONTIER-FRTRUS	false
208.165.164.65	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
220.210.235.162	unknown	Japan	18144	AS-ENECOMEnergiaCommunicationsIncJP	false
125.76.82.63	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
83.207.100.101	unknown	France	3215	FranceTelecom-OrangeFR	false
174.140.145.193	unknown	United States	29748	QTS-ASHUS	false
248.171.46.242	unknown	Reserved	unknown	unknown	false
35.255.218.17	unknown	United States	3549	LVLT-3549US	false
78.110.158.83	unknown	Russian Federation	43530	IRTELCOM-ASRU	false
13.133.28.227	unknown	United States	7018	ATT-INTERNET4US	false
178.198.88.170	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
148.128.197.77	unknown	United States	2386	INS-ASUS	false
75.136.133.5	unknown	United States	20115	CHARTER-20115US	false
146.213.125.26	unknown	Norway	5619	EVRY-NO	false
66.239.22.93	unknown	United States	2828	XO-AS15US	false
197.90.74.64	unknown	South Africa	10474	OPTINETZA	false
123.91.75.157	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
87.125.105.248	unknown	Spain	12430	VODAFONE_ESES	false
166.121.243.157	unknown	Singapore	9911	CONNECTPLUS-APSingaporeTelecomSG	false
101.87.127.209	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
12.155.33.184	unknown	United States	7018	ATT-INTERNET4US	false
184.103.198.217	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
88.145.164.184	unknown	United Kingdom	12708	ONETEL-ASTalkTalkCommunicationsLimitedGB	false
141.112.190.217	unknown	United States	6	BULL-HNUS	false
60.124.156.62	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
198.93.34.243	unknown	United States	6352	ETRADE-ASUS	false
241.4.244.146	unknown	Reserved	unknown	unknown	false
73.112.121.58	unknown	United States	7922	COMCAST-7922US	false
86.120.245.134	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
93.151.65.201	unknown	Italy	44957	OPITELIT	false
114.170.121.58	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
178.209.254.131	unknown	Russian Federation	12714	TI-ASMoscowRussiaRU	false
66.206.239.222	unknown	Canada	23184	PERSONACA	false
190.146.201.91	unknown	Colombia	10620	TelmexColombiaSACO	false
93.127.41.180	unknown	Ukraine	6703	ALKAR-ASUA	false
206.162.114.249	unknown	United States	1239	SPRINTLINKUS	false
151.83.84.10	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
48.192.124.95	unknown	United States	2686	ATGS-MMD-ASUS	false
9.99.10.27	unknown	United States	3356	LEVEL3US	false
255.64.112.201	unknown	Reserved	unknown	unknown	false
36.175.243.139	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
185.210.112.87	unknown	Italy	207029	WIME-ASIT	false
178.245.236.25	unknown	Turkey	16135	TURKCELL-ASTurkcellASTR	false
16.84.55.94	unknown	United States	unknown	unknown	false
140.228.246.149	unknown	United States	600	OARNET-ASUS	false
242.5.233.28	unknown	Reserved	unknown	unknown	false
186.105.116.215	unknown	Chile	7418	TELEFONICACHILESACL	false
73.172.210.228	unknown	United States	7922	COMCAST-7922US	false
188.163.100.152	unknown	Ukraine	15895	KSNET-ASUA	false
241.120.255.24	unknown	Reserved	unknown	unknown	false
133.38.251.68	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
197.211.114.67	unknown	Malawi	37187	SKYBANDMW	false
208.137.162.169	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
92.207.185.241	unknown	United Kingdom	31655	ASN-GAMMATELECOMGB	false
135.133.91.192	unknown	United States	14962	NCR-252US	false
109.191.69.227	unknown	Russian Federation	8369	INTERSVYAZ-AS38-BKomsomolskyprospektRU	false
194.158.255.197	unknown	Switzerland	6730	SUNRISECH	false
99.70.226.9	unknown	United States	7018	ATT-INTERNET4US	false
112.216.243.179	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
78.208.95.165	unknown	France	12322	PROXADFR	false
95.98.201.16	unknown	Netherlands	31615	TMO-NL-ASNL	false
204.99.97.160	unknown	United States	18862	NCS-HEALTHCAREUS	false
251.181.98.112	unknown	Reserved	unknown	unknown	false
18.104.56.4	unknown	United States	3	MIT-GATEWAYSUS	false
209.174.40.205	unknown	United States	6325	ILLINOIS-CENTURYUS	false
249.121.54.201	unknown	Reserved	unknown	unknown	false
204.127.184.185	unknown	United States	4466	EASYLINK2US	false
243.74.170.105	unknown	Reserved	unknown	unknown	false
42.84.186.120	unknown	China	9929	CUIICHINAUNICOMIndustrialInternetBackboneCN	false
159.56.40.145	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
122.226.30.57	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
101.190.18.150	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
191.131.223.31	unknown	Brazil	26615	TIMSABR	false
202.233.148.100	unknown	Japan	4675	U-NETSURFUNIADEXLTDJP	false
190.134.2.247	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
251.37.69.2	unknown	Reserved	unknown	unknown	false
249.120.39.186	unknown	Reserved	unknown	unknown	false
8.156.208.151	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
107.60.65.39	unknown	United States	16567	NETRIX-16567US	false
177.92.168.108	unknown	Brazil	263107	QwertyComunicacoeseTecnologiaEducacionalLtdaBR	false
210.42.148.53	unknown	China	24358	CNGI-WH-IX-AS-APCERNET2IXatHuazhongUniversityofScienc	false
172.185.37.93	unknown	United States	7018	ATT-INTERNET4US	false
32.68.194.104	unknown	United States	2686	ATGS-MMD-ASUS	false
247.57.2.218	unknown	Reserved	unknown	unknown	false
92.203.241.85	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
169.172.184.107	unknown	United States	37611	AfrihostZA	false
124.7.224.3	unknown	India	9583	SIFY-AS-INSifyLimitedIN	false
213.81.126.107	unknown	United Kingdom	5089	NTLGB	false
161.93.54.189	unknown	Japan	14298	EPA-NETUS	false
114.183.221.41	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
218.0.41.111	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
12.216.23.176	unknown	United States	7018	ATT-INTERNET4US	false
86.129.125.230	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
40.48.200.190	unknown	United States	4249	LILLY-ASUS	false
93.180.151.102	unknown	Bosnia and Herzegowina	198252	ELTAKABEL-ASDobojskihbrigadaBBBA	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.91879712795437
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	tU468ylYjx
File size:	23936
MD5:	1f435b2e68e159ee636a17bf3552d7de
SHA1:	8c76b05125e6bf6c32f72934181d52fd07ba9ad9
SHA256:	2a918615507819ee0c0c1c1ced7afd8ab35e44488b78340273c39e5fd60c77a3
SHA512:	611bfdea682cf72cdf07b7efd7827367adec1263bc1b81fe9205b7fb42048e26fb8fbbf5a4a472ef0988ec49d0799abcd7882c22f3794164402ccc87c5e1f18c
SSDEEP:	384:2OA0AeimAzNCdvw1PwIWWtKfz9VuBFoeIoA8FXw2t7tTmojIo8wNM4uVcqgw05VC:2AApCdvwJr69VJoA8FZtxCo8MC4uVcqF
TLSH:	22B2D01AC0AE3E74FE9B7D355941E2817B619BDF7A62CDC017C15B120622D2C1F9CAD8
File Content Preview:	.ELF......................J....4.........4. ...(......................\...\.........................................dt.Q................................UPX!.......................S.......?.E.h4...@b....................D*aN.........]&a.r...K{.LS....9.5o..V

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x104aa0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0x5c88	0x5c88	4.2067	0x5	R E	0x10000
LOAD	0xc9e8	0x1001c9e8	0x1001c9e8	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 04:26:11.440484047 CEST	42836	443	192.168.2.23	91.189.91.43
May 14, 2022 04:26:11.469999075 CEST	60988	1312	192.168.2.23	107.172.197.117
May 14, 2022 04:26:11.496292114 CEST	15186	23	192.168.2.23	12.163.181.164
May 14, 2022 04:26:11.496296883 CEST	15186	23	192.168.2.23	124.201.35.249
May 14, 2022 04:26:11.496329069 CEST	15186	23	192.168.2.23	171.213.184.249
May 14, 2022 04:26:11.496351957 CEST	15186	23	192.168.2.23	13.176.229.145
May 14, 2022 04:26:11.496357918 CEST	15186	23	192.168.2.23	40.189.128.38
May 14, 2022 04:26:11.496376991 CEST	15186	23	192.168.2.23	81.1.19.123
May 14, 2022 04:26:11.496375084 CEST	15186	23	192.168.2.23	44.239.254.250
May 14, 2022 04:26:11.496397972 CEST	15186	23	192.168.2.23	195.248.207.10
May 14, 2022 04:26:11.496417046 CEST	15186	23	192.168.2.23	125.160.224.12
May 14, 2022 04:26:11.496527910 CEST	15186	23	192.168.2.23	176.219.82.86
May 14, 2022 04:26:11.496552944 CEST	15186	23	192.168.2.23	181.167.224.33
May 14, 2022 04:26:11.496577024 CEST	15186	23	192.168.2.23	192.158.30.22
May 14, 2022 04:26:11.496592999 CEST	15186	23	192.168.2.23	210.138.237.132
May 14, 2022 04:26:11.496628046 CEST	15186	23	192.168.2.23	164.121.109.58
May 14, 2022 04:26:11.496649027 CEST	15186	23	192.168.2.23	255.50.154.97
May 14, 2022 04:26:11.496651888 CEST	15186	23	192.168.2.23	195.182.138.20
May 14, 2022 04:26:11.496690035 CEST	15186	23	192.168.2.23	34.87.70.255
May 14, 2022 04:26:11.496690035 CEST	15186	23	192.168.2.23	84.179.75.208
May 14, 2022 04:26:11.496752977 CEST	15186	23	192.168.2.23	153.32.229.82
May 14, 2022 04:26:11.496753931 CEST	15186	23	192.168.2.23	167.144.133.226
May 14, 2022 04:26:11.496757984 CEST	15186	23	192.168.2.23	165.129.120.248
May 14, 2022 04:26:11.496769905 CEST	15186	23	192.168.2.23	23.135.109.15
May 14, 2022 04:26:11.496798038 CEST	15186	23	192.168.2.23	130.209.114.86
May 14, 2022 04:26:11.496810913 CEST	15186	23	192.168.2.23	201.237.134.237
May 14, 2022 04:26:11.496812105 CEST	15186	23	192.168.2.23	90.177.55.159
May 14, 2022 04:26:11.496824026 CEST	15186	23	192.168.2.23	142.111.164.126
May 14, 2022 04:26:11.496824980 CEST	15186	23	192.168.2.23	194.175.222.234
May 14, 2022 04:26:11.496824980 CEST	15186	23	192.168.2.23	102.170.32.54
May 14, 2022 04:26:11.496833086 CEST	15186	23	192.168.2.23	65.33.147.242
May 14, 2022 04:26:11.496845961 CEST	15186	23	192.168.2.23	110.210.14.79
May 14, 2022 04:26:11.496849060 CEST	15186	23	192.168.2.23	162.35.238.129
May 14, 2022 04:26:11.496860981 CEST	15186	23	192.168.2.23	68.39.20.181
May 14, 2022 04:26:11.496885061 CEST	15186	23	192.168.2.23	82.242.120.172
May 14, 2022 04:26:11.496886969 CEST	15186	23	192.168.2.23	160.75.41.82
May 14, 2022 04:26:11.496897936 CEST	15186	23	192.168.2.23	54.61.51.66
May 14, 2022 04:26:11.496912003 CEST	15186	23	192.168.2.23	8.111.142.254
May 14, 2022 04:26:11.496913910 CEST	15186	23	192.168.2.23	202.134.62.135
May 14, 2022 04:26:11.496982098 CEST	15186	23	192.168.2.23	130.227.86.83
May 14, 2022 04:26:11.496982098 CEST	15186	23	192.168.2.23	182.166.35.149
May 14, 2022 04:26:11.496994972 CEST	15186	23	192.168.2.23	146.188.246.197
May 14, 2022 04:26:11.497010946 CEST	15186	23	192.168.2.23	252.177.70.187
May 14, 2022 04:26:11.497028112 CEST	15186	23	192.168.2.23	103.112.133.170
May 14, 2022 04:26:11.497035980 CEST	15186	23	192.168.2.23	27.173.221.44
May 14, 2022 04:26:11.497045994 CEST	15186	23	192.168.2.23	59.64.215.233
May 14, 2022 04:26:11.497059107 CEST	15186	23	192.168.2.23	167.152.64.82
May 14, 2022 04:26:11.497061968 CEST	15186	23	192.168.2.23	95.212.120.53
May 14, 2022 04:26:11.497065067 CEST	15186	23	192.168.2.23	197.18.69.91
May 14, 2022 04:26:11.497067928 CEST	15186	23	192.168.2.23	36.235.194.65
May 14, 2022 04:26:11.497092962 CEST	15186	23	192.168.2.23	162.206.45.56
May 14, 2022 04:26:11.497119904 CEST	15186	23	192.168.2.23	77.5.227.75
May 14, 2022 04:26:11.497123003 CEST	15186	23	192.168.2.23	117.62.14.247
May 14, 2022 04:26:11.497150898 CEST	15186	23	192.168.2.23	51.5.52.119
May 14, 2022 04:26:11.497165918 CEST	15186	23	192.168.2.23	47.126.22.13
May 14, 2022 04:26:11.497174025 CEST	15186	23	192.168.2.23	76.166.54.85
May 14, 2022 04:26:11.497174978 CEST	15186	23	192.168.2.23	99.19.78.203
May 14, 2022 04:26:11.497175932 CEST	15186	23	192.168.2.23	201.250.133.142
May 14, 2022 04:26:11.497198105 CEST	15186	23	192.168.2.23	103.231.58.222
May 14, 2022 04:26:11.497200012 CEST	15186	23	192.168.2.23	88.239.216.96
May 14, 2022 04:26:11.497210979 CEST	15186	23	192.168.2.23	253.145.179.229
May 14, 2022 04:26:11.497216940 CEST	15186	23	192.168.2.23	201.241.102.170
May 14, 2022 04:26:11.497226000 CEST	15186	23	192.168.2.23	250.17.248.221
May 14, 2022 04:26:11.497232914 CEST	15186	23	192.168.2.23	191.90.15.136
May 14, 2022 04:26:11.497235060 CEST	15186	23	192.168.2.23	217.198.178.221
May 14, 2022 04:26:11.497252941 CEST	15186	23	192.168.2.23	8.15.247.162
May 14, 2022 04:26:11.497277021 CEST	15186	23	192.168.2.23	188.251.73.108
May 14, 2022 04:26:11.497287989 CEST	15186	23	192.168.2.23	247.216.134.71
May 14, 2022 04:26:11.497289896 CEST	15186	23	192.168.2.23	39.17.73.172
May 14, 2022 04:26:11.497301102 CEST	15186	23	192.168.2.23	16.150.128.216
May 14, 2022 04:26:11.497323036 CEST	15186	23	192.168.2.23	19.18.207.112
May 14, 2022 04:26:11.497327089 CEST	15186	23	192.168.2.23	54.2.83.37
May 14, 2022 04:26:11.497327089 CEST	15186	23	192.168.2.23	35.187.253.113
May 14, 2022 04:26:11.497335911 CEST	15186	23	192.168.2.23	200.116.15.193
May 14, 2022 04:26:11.497369051 CEST	15186	23	192.168.2.23	120.179.217.5
May 14, 2022 04:26:11.497373104 CEST	15186	23	192.168.2.23	32.74.88.93
May 14, 2022 04:26:11.497395039 CEST	15186	23	192.168.2.23	45.95.0.71
May 14, 2022 04:26:11.497416973 CEST	15186	23	192.168.2.23	87.163.101.97
May 14, 2022 04:26:11.497425079 CEST	15186	23	192.168.2.23	175.99.29.76
May 14, 2022 04:26:11.497437000 CEST	15186	23	192.168.2.23	173.70.47.213
May 14, 2022 04:26:11.497458935 CEST	15186	23	192.168.2.23	164.60.73.118
May 14, 2022 04:26:11.497461081 CEST	15186	23	192.168.2.23	217.180.22.161
May 14, 2022 04:26:11.497462988 CEST	15186	23	192.168.2.23	13.66.34.62
May 14, 2022 04:26:11.497493982 CEST	15186	23	192.168.2.23	87.238.24.78
May 14, 2022 04:26:11.497498035 CEST	15186	23	192.168.2.23	72.162.32.158
May 14, 2022 04:26:11.497546911 CEST	15186	23	192.168.2.23	198.97.7.253
May 14, 2022 04:26:11.497574091 CEST	15186	23	192.168.2.23	148.152.13.66
May 14, 2022 04:26:11.497606039 CEST	15186	23	192.168.2.23	66.26.45.41
May 14, 2022 04:26:11.497621059 CEST	15186	23	192.168.2.23	122.174.248.56
May 14, 2022 04:26:11.497628927 CEST	15186	23	192.168.2.23	189.35.77.87
May 14, 2022 04:26:11.497639894 CEST	15186	23	192.168.2.23	217.214.215.250
May 14, 2022 04:26:11.497648954 CEST	15186	23	192.168.2.23	242.83.4.149
May 14, 2022 04:26:11.497662067 CEST	15186	23	192.168.2.23	72.194.87.115
May 14, 2022 04:26:11.497664928 CEST	15186	23	192.168.2.23	244.175.60.3
May 14, 2022 04:26:11.497678995 CEST	15186	23	192.168.2.23	35.105.133.225
May 14, 2022 04:26:11.497692108 CEST	15186	23	192.168.2.23	125.173.110.38
May 14, 2022 04:26:11.497695923 CEST	15186	23	192.168.2.23	45.139.248.212
May 14, 2022 04:26:11.497697115 CEST	15186	23	192.168.2.23	120.222.54.24
May 14, 2022 04:26:11.497709990 CEST	15186	23	192.168.2.23	114.210.205.58
May 14, 2022 04:26:11.497718096 CEST	15186	23	192.168.2.23	246.178.50.234

System Behavior

Analysis Process: tU468ylYjx PID: 6224, Parent PID: 6123

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	/tmp/tU468ylYjx
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6226, Parent PID: 6224

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6323, Parent PID: 6226

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6324, Parent PID: 6226

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6327, Parent PID: 6324

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6340, Parent PID: 6327

General

Start time:	04:29:04
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6341, Parent PID: 6327

General

Start time:	04:29:04
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6328, Parent PID: 6324

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6330, Parent PID: 6324

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6227, Parent PID: 6224

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6228, Parent PID: 6224

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6232, Parent PID: 6228

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6333, Parent PID: 6232

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6334, Parent PID: 6232

General

Start time:	04:28:59
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6233, Parent PID: 6228

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: tU468ylYjx PID: 6235, Parent PID: 6228

General

Start time:	04:26:10
Start date:	14/05/2022
Path:	/tmp/tU468ylYjx
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report tU468ylYjx

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: tU468ylYjx PID: 6224, Parent PID: 6123

General

Analysis Process: tU468ylYjx PID: 6226, Parent PID: 6224

General

Analysis Process: tU468ylYjx PID: 6323, Parent PID: 6226

General

Analysis Process: tU468ylYjx PID: 6324, Parent PID: 6226

General

Analysis Process: tU468ylYjx PID: 6327, Parent PID: 6324

General

Analysis Process: tU468ylYjx PID: 6340, Parent PID: 6327

General

Analysis Process: tU468ylYjx PID: 6341, Parent PID: 6327

General

Analysis Process: tU468ylYjx PID: 6328, Parent PID: 6324

General

Analysis Process: tU468ylYjx PID: 6330, Parent PID: 6324

General

Analysis Process: tU468ylYjx PID: 6227, Parent PID: 6224

General

Linux Analysis Report
tU468ylYjx