Edit tour

Linux Analysis Report
SBNGwWC7Wb

Overview

General Information

Sample Name:	SBNGwWC7Wb
Analysis ID:	635393
MD5:	275c6e393dcacee32b9ddd8bb4ad8196
SHA1:	64a8605d5f69142a08385b359d3a6fd73120880d
SHA256:	bb0fea23f67c783d1b0d3f8f92e1fd91f1c5d85f7782bc135f0269057e2ab4c3
Tags:	32elfmipsmirai
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample tries to kill multiple processes (SIGKILL)

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635393
Start date and time: 27/05/202220:58:41	2022-05-27 20:58:41 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SBNGwWC7Wb
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.spre.troj.evad.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/SBNGwWC7Wb
PID:	6224
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Infected
Standard Error:

Process Tree

system is lnxubuntu20

SBNGwWC7Wb (PID: 6224, Parent: 6122, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/SBNGwWC7Wb

SBNGwWC7Wb New Fork (PID: 6226, Parent: 6224)

SBNGwWC7Wb New Fork (PID: 6227, Parent: 6224)

SBNGwWC7Wb New Fork (PID: 6234, Parent: 6227)

SBNGwWC7Wb New Fork (PID: 6236, Parent: 6227)

SBNGwWC7Wb New Fork (PID: 6238, Parent: 6236)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SBNGwWC7Wb	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x9cf0:$s1: PROT_EXEC\|PROT_WRITE failed. 0x9d5f:$s2: $Id: UPX 0x9d10:$s3: $Info: This file is packed with the UPX executable packer

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SBNGwWC7Wb	Virustotal: Detection: 21%			Perma Link
Source: SBNGwWC7Wb	ReversingLabs: Detection: 25%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38050
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38054
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38056
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38062
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38064
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38066
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38072
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38076
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38078
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38080
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38082
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38088
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38104
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38120
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38174
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38218
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38242
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38260
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38266
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38304
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48156
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48164
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48176
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48188
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48214
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48230
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48250
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48270
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48288
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48312
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48330
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48350
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48368
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48396
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48420
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48458
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48480
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48502
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48524
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48550
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36132
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36152
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48594
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48626
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36222
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48652
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36246
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48718
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36302
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36318
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36328
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36360
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36382
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36402
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36424
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36474
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36514
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36526
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36534
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36546
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36554
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36588
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36662

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:39008 -> 45.95.169.139:9372

Source: /tmp/SBNGwWC7Wb (PID: 6234)

Socket: 0.0.0.0::23

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 63.71.236.63
Source: unknown	TCP traffic detected without corresponding DNS query: 114.11.7.63
Source: unknown	TCP traffic detected without corresponding DNS query: 139.141.47.182
Source: unknown	TCP traffic detected without corresponding DNS query: 95.124.131.63
Source: unknown	TCP traffic detected without corresponding DNS query: 213.120.200.66
Source: unknown	TCP traffic detected without corresponding DNS query: 166.43.190.18
Source: unknown	TCP traffic detected without corresponding DNS query: 38.53.114.202
Source: unknown	TCP traffic detected without corresponding DNS query: 11.232.197.117
Source: unknown	TCP traffic detected without corresponding DNS query: 96.168.229.181
Source: unknown	TCP traffic detected without corresponding DNS query: 137.11.225.229
Source: unknown	TCP traffic detected without corresponding DNS query: 23.32.199.1
Source: unknown	TCP traffic detected without corresponding DNS query: 242.149.47.248
Source: unknown	TCP traffic detected without corresponding DNS query: 252.85.7.122
Source: unknown	TCP traffic detected without corresponding DNS query: 47.234.140.22
Source: unknown	TCP traffic detected without corresponding DNS query: 173.94.178.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.139.163.1
Source: unknown	TCP traffic detected without corresponding DNS query: 43.120.4.1
Source: unknown	TCP traffic detected without corresponding DNS query: 195.141.98.39
Source: unknown	TCP traffic detected without corresponding DNS query: 44.155.181.185
Source: unknown	TCP traffic detected without corresponding DNS query: 248.164.162.83
Source: unknown	TCP traffic detected without corresponding DNS query: 251.88.185.91
Source: unknown	TCP traffic detected without corresponding DNS query: 119.86.111.240
Source: unknown	TCP traffic detected without corresponding DNS query: 251.53.225.130
Source: unknown	TCP traffic detected without corresponding DNS query: 96.65.139.164
Source: unknown	TCP traffic detected without corresponding DNS query: 102.51.242.244
Source: unknown	TCP traffic detected without corresponding DNS query: 249.0.64.154
Source: unknown	TCP traffic detected without corresponding DNS query: 21.27.160.173
Source: unknown	TCP traffic detected without corresponding DNS query: 143.72.214.224
Source: unknown	TCP traffic detected without corresponding DNS query: 139.247.185.140
Source: unknown	TCP traffic detected without corresponding DNS query: 3.79.46.235
Source: unknown	TCP traffic detected without corresponding DNS query: 129.249.147.96
Source: unknown	TCP traffic detected without corresponding DNS query: 123.212.21.227
Source: unknown	TCP traffic detected without corresponding DNS query: 90.240.50.9
Source: unknown	TCP traffic detected without corresponding DNS query: 60.106.246.77
Source: unknown	TCP traffic detected without corresponding DNS query: 8.168.135.183
Source: unknown	TCP traffic detected without corresponding DNS query: 143.70.171.206
Source: unknown	TCP traffic detected without corresponding DNS query: 80.204.106.229
Source: unknown	TCP traffic detected without corresponding DNS query: 3.63.126.132
Source: unknown	TCP traffic detected without corresponding DNS query: 159.6.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 161.83.96.126
Source: unknown	TCP traffic detected without corresponding DNS query: 140.65.55.67
Source: unknown	TCP traffic detected without corresponding DNS query: 23.150.236.123
Source: unknown	TCP traffic detected without corresponding DNS query: 28.116.95.220
Source: unknown	TCP traffic detected without corresponding DNS query: 53.3.91.208
Source: unknown	TCP traffic detected without corresponding DNS query: 196.192.149.130
Source: unknown	TCP traffic detected without corresponding DNS query: 141.71.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 132.41.22.128
Source: unknown	TCP traffic detected without corresponding DNS query: 11.178.47.154

Source: SBNGwWC7Wb

String found in binary or memory: http://upx.sf.net

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 658, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 772, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 789, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 904, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1320, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1389, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1463, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1465, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1576, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1809, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1888, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1890, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1983, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 2048, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 2062, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6042, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6187, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6226, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6238, result: successful

Source: LOAD without section mappings

Program segment: 0x100000

Source: SBNGwWC7Wb, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 658, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 772, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 789, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 904, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1320, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1389, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1463, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1465, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1576, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1809, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1888, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1890, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 1983, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 2048, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 2062, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6042, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6187, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6226, result: successful
Source: /tmp/SBNGwWC7Wb (PID: 6234)	SIGKILL sent: pid: 6238, result: successful

Source: classification engine

Classification label: mal68.spre.troj.evad.lin@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1582/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2033/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2275/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/3088/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1612/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1579/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1699/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1335/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1698/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2028/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1334/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1576/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2302/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/3236/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2025/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2146/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/910/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/6226/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/912/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/517/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/759/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2307/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/918/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/6240/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1594/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2285/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2281/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1349/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1623/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/761/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1622/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/884/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1983/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2038/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1344/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1465/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1586/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1463/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2156/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/800/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/6238/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/801/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1629/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1627/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1900/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/3021/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/491/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2294/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2050/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1877/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/772/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1633/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1599/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1632/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/774/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1477/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/654/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/896/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1476/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1872/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2048/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/655/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1475/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2289/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/656/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/777/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/657/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/4466/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/658/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/4467/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/4468/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/4469/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/419/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/936/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1639/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1638/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2208/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2180/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1809/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1494/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1890/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2063/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2062/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1888/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1886/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/420/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1489/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/785/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1642/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/788/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/667/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/789/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1648/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/6152/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/4495/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/6159/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/4498/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2078/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2077/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2074/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2195/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/670/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/2746/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/793/exe
Source: /tmp/SBNGwWC7Wb (PID: 6234)	File opened: /proc/1656/exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38050
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38054
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38056
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38062
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38064
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38066
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38072
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38076
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38078
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38080
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38082
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38088
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38104
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38110
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38112
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38120
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38174
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38218
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38242
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38260
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38266
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38304
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48156
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48164
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48176
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48188
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48214
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48230
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48250
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48270
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48288
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48312
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48330
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48350
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48368
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48396
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48420
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48458
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48480
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48502
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48524
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48550
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36132
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36152
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48594
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48626
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36222
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48652
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36246
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48718
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36302
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36318
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36328
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36360
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36382
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36402
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36424
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36474
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36514
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36526
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36534
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36546
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36554
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36588
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36636
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 36662

Source: /tmp/SBNGwWC7Wb (PID: 6224)

Queries kernel information via 'uname':

Source: SBNGwWC7Wb, 6224.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000e275f183.00000000a359d085.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/mips
Source: SBNGwWC7Wb, 6224.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000e275f183.00000000a359d085.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000e275f183.00000000a359d085.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: SBNGwWC7Wb, 6224.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: SBNGwWC7Wb, 6224.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6226.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6227.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6236.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp, SBNGwWC7Wb, 6238.1.00000000d4b4c6bb.00000000a7343375.rw-.sdmp	Binary or memory string: r#x86_64/usr/bin/qemu-mips/tmp/SBNGwWC7WbSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SBNGwWC7Wb

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Service Stop
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SBNGwWC7Wb	22%	Virustotal		Browse
SBNGwWC7Wb	25%	ReversingLabs	Linux.Trojan.Mirai

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	SBNGwWC7Wb	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.232.31.217	unknown	United States	7029	WINDSTREAMUS	false
63.184.206.219	unknown	United States	1239	SPRINTLINKUS	false
246.132.172.181	unknown	Reserved	unknown	unknown	false
207.32.216.34	unknown	United States	14315	1GSERVERSUS	false
28.242.55.33	unknown	United States	7922	COMCAST-7922US	false
220.21.234.141	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
168.182.95.198	unknown	United States	18522	YUMBRANDSUS	false
45.25.228.59	unknown	United States	7018	ATT-INTERNET4US	false
98.19.126.234	unknown	United States	7029	WINDSTREAMUS	false
255.84.172.156	unknown	Reserved	unknown	unknown	false
46.172.163.178	unknown	Russian Federation	48044	CHITA-ON-LINE-ASRU	false
214.169.204.9	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
100.227.43.9	unknown	United States	21928	T-MOBILE-AS21928US	false
43.118.46.72	unknown	Japan	4249	LILLY-ASUS	false
50.181.162.86	unknown	United States	7922	COMCAST-7922US	false
22.246.2.216	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
67.96.186.6	unknown	United States	6977	IAC-ASUS	false
160.42.218.209	unknown	United States	1761	TDIR-CAPNETUS	false
247.238.59.67	unknown	Reserved	unknown	unknown	false
69.109.26.14	unknown	United States	7018	ATT-INTERNET4US	false
85.35.1.143	unknown	Italy	3269	ASN-IBSNAZIT	false
120.188.79.134	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
47.195.167.195	unknown	United States	5650	FRONTIER-FRTRUS	false
171.67.143.13	unknown	United States	32	STANFORDUS	false
255.56.220.95	unknown	Reserved	unknown	unknown	false
159.1.39.145	unknown	United States	4193	WA-STATE-GOVUS	false
113.247.214.242	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
252.251.81.4	unknown	Reserved	unknown	unknown	false
172.32.220.45	unknown	United States	21928	T-MOBILE-AS21928US	false
140.211.52.231	unknown	United States	3701	NERONETUS	false
220.14.193.199	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
150.199.109.75	unknown	United States	2572	MORENETUS	false
18.213.221.156	unknown	United States	14618	AMAZON-AESUS	false
246.131.18.105	unknown	Reserved	unknown	unknown	false
253.93.243.136	unknown	Reserved	unknown	unknown	false
28.77.143.29	unknown	United States	7922	COMCAST-7922US	false
217.113.75.78	unknown	Belgium	3491	BTN-ASNUS	false
145.83.208.94	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
201.111.171.232	unknown	Mexico	8151	UninetSAdeCVMX	false
98.89.244.96	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
117.55.179.250	unknown	Korea Republic of	9770	SPEEDONSTV-AS-KRLGHelloVisionCorpKR	false
176.177.113.98	unknown	France	5410	BOUYGTEL-ISPFR	false
112.213.114.218	unknown	Hong Kong	38197	SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong	false
140.104.76.138	unknown	United States	2381	WISCNET1-ASUS	false
252.202.169.243	unknown	Reserved	unknown	unknown	false
47.178.236.161	unknown	United States	5650	FRONTIER-FRTRUS	false
137.41.141.14	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
120.87.46.212	unknown	China	17623	CNCGROUP-SZChinaUnicomShenzennetworkCN	false
12.69.83.54	unknown	United States	7018	ATT-INTERNET4US	false
92.38.145.170	unknown	Austria	199524	GCOREAT	false
122.4.122.51	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
172.203.97.144	unknown	United States	18747	IFX18747US	false
185.38.220.182	unknown	Poland	56523	AMELEKTRONIKPL	false
251.179.142.95	unknown	Reserved	unknown	unknown	false
248.231.10.213	unknown	Reserved	unknown	unknown	false
199.245.173.166	unknown	United States	10653	MVANETUS	false
170.174.174.89	unknown	United States	11685	HNBCOL-ASUS	false
189.105.20.33	unknown	Brazil	7738	TelemarNorteLesteSABR	false
43.121.222.110	unknown	Japan	4249	LILLY-ASUS	false
2.163.103.53	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
182.119.170.127	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
145.85.202.109	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
188.78.234.108	unknown	Spain	12479	UNI2-ASES	false
135.4.62.162	unknown	United States	10455	LUCENT-CIOUS	false
215.174.150.203	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
103.237.107.133	unknown	Australia	53580	MARKETOUS	false
66.229.157.194	unknown	United States	7922	COMCAST-7922US	false
180.237.67.211	unknown	Korea Republic of	9658	ETPI-IDS-AS-APEasternTelecomsPhilsIncPH	false
3.102.75.253	unknown	United States	16509	AMAZON-02US	false
98.233.96.179	unknown	United States	7922	COMCAST-7922US	false
168.108.37.33	unknown	United States	3597	FundacionInnovaTAR	false
142.31.146.109	unknown	Canada	3633	PROVINCE-OF-BRITISH-COLUMBIACA	false
33.236.64.10	unknown	United States	2686	ATGS-MMD-ASUS	false
114.241.91.184	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
134.244.73.128	unknown	United States	3479	PEACHNET-AS1US	false
149.176.228.12	unknown	Australia	87	INDIANA-ASUS	false
101.83.244.147	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
16.165.211.152	unknown	United States	unknown	unknown	false
142.80.215.163	unknown	Canada	5769	VIDEOTRONCA	false
57.62.64.136	unknown	Belgium	2686	ATGS-MMD-ASUS	false
123.69.92.169	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
72.152.89.199	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
98.107.192.151	unknown	United States	6167	CELLCO-PARTUS	false
40.69.202.47	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
31.91.224.64	unknown	United Kingdom	12576	EELtdGB	false
196.147.8.25	unknown	Egypt	36935	Vodafone-EG	false
220.138.127.69	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
211.226.202.75	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
17.8.137.173	unknown	United States	714	APPLE-ENGINEERINGUS	false
145.107.128.126	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
37.27.84.41	unknown	Iran (ISLAMIC Republic Of)	39232	UNINETAZ	false
91.215.129.120	unknown	Russian Federation	41082	URALTRANSCOM-ASUA	false
185.126.207.167	unknown	Italy	208920	ROCKETWAY-ASIT	false
215.228.201.148	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
212.22.245.89	unknown	Gibraltar	12798	VCW-ASGibraltarGI	false
65.180.56.237	unknown	United States	1239	SPRINTLINKUS	false
7.138.173.10	unknown	United States	3356	LEVEL3US	false
179.137.207.90	unknown	Brazil	26599	TELEFONICABRASILSABR	false
69.128.229.182	unknown	United States	4181	TDS-ASUS	false
149.160.93.171	unknown	United States	87	INDIANA-ASUS	false

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.940001959669167
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	SBNGwWC7Wb
File size:	42432
MD5:	275c6e393dcacee32b9ddd8bb4ad8196
SHA1:	64a8605d5f69142a08385b359d3a6fd73120880d
SHA256:	bb0fea23f67c783d1b0d3f8f92e1fd91f1c5d85f7782bc135f0269057e2ab4c3
SHA512:	55a1f799d6f70f71201ff6eadfb06b773f962217bb2138b276aaf823fe601bec605ad8098c485103cd8f6f9912f34b0c4b70768368110f32856cd2c572ca6754
SSDEEP:	768:kBngnCJnfsrVyYfvYdu80skETund52DdwyX2uxPvxfG6sNEx/vjE88VPwqJgGlzg:kBgnwUVy8v0u83TunTL8v4653jE88eOu
TLSH:	B513F277DE1991B6EE5992720ACCC6879C56A9D07B03D88BE825D7E02EC70163203AF1
File Content Preview:	.ELF.......................@...4.........4. ...(...........................................\.F.\.F.\....................UPX!.d.........p...p.......T.......?.E.h4...@b..) ..]....E..$u..s...x..b.bU.ZN.S.#.W).........7........i... .AT...Y....L...............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x109140
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xa484	0xa484	4.1326	0x5	R E	0x10000
LOAD	0xd5c	0x460d5c	0x460d5c	0x0	0x0	0.0000	0x6	RW	0x10000

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 20:59:29.559732914 CEST	42836	443	192.168.2.23	91.189.91.43
May 27, 2022 20:59:29.815722942 CEST	42516	80	192.168.2.23	109.202.202.202
May 27, 2022 20:59:31.904124022 CEST	59163	23	192.168.2.23	63.71.236.63
May 27, 2022 20:59:31.904172897 CEST	59163	23	192.168.2.23	114.11.7.63
May 27, 2022 20:59:31.904171944 CEST	59163	23	192.168.2.23	139.141.47.182
May 27, 2022 20:59:31.904185057 CEST	59163	23	192.168.2.23	95.124.131.63
May 27, 2022 20:59:31.904218912 CEST	59163	23	192.168.2.23	213.120.200.66
May 27, 2022 20:59:31.904223919 CEST	59163	23	192.168.2.23	166.43.190.18
May 27, 2022 20:59:31.904226065 CEST	59163	23	192.168.2.23	38.53.114.202
May 27, 2022 20:59:31.904226065 CEST	59163	23	192.168.2.23	11.232.197.117
May 27, 2022 20:59:31.904238939 CEST	59163	23	192.168.2.23	96.168.229.181
May 27, 2022 20:59:31.904252052 CEST	59163	23	192.168.2.23	137.11.225.229
May 27, 2022 20:59:31.904257059 CEST	59163	23	192.168.2.23	23.32.199.1
May 27, 2022 20:59:31.904257059 CEST	59163	23	192.168.2.23	242.149.47.248
May 27, 2022 20:59:31.904257059 CEST	59163	23	192.168.2.23	252.85.7.122
May 27, 2022 20:59:31.904258013 CEST	59163	23	192.168.2.23	47.234.140.22
May 27, 2022 20:59:31.904258013 CEST	59163	23	192.168.2.23	173.94.178.226
May 27, 2022 20:59:31.904266119 CEST	59163	23	192.168.2.23	52.139.163.1
May 27, 2022 20:59:31.904267073 CEST	59163	23	192.168.2.23	43.120.4.1
May 27, 2022 20:59:31.904290915 CEST	59163	23	192.168.2.23	195.141.98.39
May 27, 2022 20:59:31.904721975 CEST	59163	23	192.168.2.23	44.155.181.185
May 27, 2022 20:59:31.904725075 CEST	59163	23	192.168.2.23	248.164.162.83
May 27, 2022 20:59:31.904769897 CEST	59163	23	192.168.2.23	251.88.185.91
May 27, 2022 20:59:31.904773951 CEST	59163	23	192.168.2.23	119.86.111.240
May 27, 2022 20:59:31.904767036 CEST	59163	23	192.168.2.23	251.53.225.130
May 27, 2022 20:59:31.904774904 CEST	59163	23	192.168.2.23	96.65.139.164
May 27, 2022 20:59:31.904776096 CEST	59163	23	192.168.2.23	102.51.242.244
May 27, 2022 20:59:31.904776096 CEST	59163	23	192.168.2.23	249.0.64.154
May 27, 2022 20:59:31.904779911 CEST	59163	23	192.168.2.23	21.27.160.173
May 27, 2022 20:59:31.904786110 CEST	59163	23	192.168.2.23	143.72.214.224
May 27, 2022 20:59:31.904788971 CEST	59163	23	192.168.2.23	139.247.185.140
May 27, 2022 20:59:31.904789925 CEST	59163	23	192.168.2.23	3.79.46.235
May 27, 2022 20:59:31.904793024 CEST	59163	23	192.168.2.23	129.249.147.96
May 27, 2022 20:59:31.904793978 CEST	59163	23	192.168.2.23	123.212.21.227
May 27, 2022 20:59:31.904797077 CEST	59163	23	192.168.2.23	90.240.50.9
May 27, 2022 20:59:31.904798985 CEST	59163	23	192.168.2.23	60.106.246.77
May 27, 2022 20:59:31.904799938 CEST	59163	23	192.168.2.23	8.168.135.183
May 27, 2022 20:59:31.904800892 CEST	59163	23	192.168.2.23	143.70.171.206
May 27, 2022 20:59:31.904802084 CEST	59163	23	192.168.2.23	80.204.106.229
May 27, 2022 20:59:31.904804945 CEST	59163	23	192.168.2.23	3.63.126.132
May 27, 2022 20:59:31.904814005 CEST	59163	23	192.168.2.23	159.6.169.8
May 27, 2022 20:59:31.904822111 CEST	59163	23	192.168.2.23	161.83.96.126
May 27, 2022 20:59:31.904827118 CEST	59163	23	192.168.2.23	140.65.55.67
May 27, 2022 20:59:31.904828072 CEST	59163	23	192.168.2.23	23.150.236.123
May 27, 2022 20:59:31.904824018 CEST	59163	23	192.168.2.23	28.116.95.220
May 27, 2022 20:59:31.904834986 CEST	59163	23	192.168.2.23	53.3.91.208
May 27, 2022 20:59:31.904838085 CEST	59163	23	192.168.2.23	196.192.149.130
May 27, 2022 20:59:31.904839039 CEST	59163	23	192.168.2.23	141.71.20.212
May 27, 2022 20:59:31.904839993 CEST	59163	23	192.168.2.23	132.41.22.128
May 27, 2022 20:59:31.904839993 CEST	59163	23	192.168.2.23	11.178.47.154
May 27, 2022 20:59:31.904848099 CEST	59163	23	192.168.2.23	140.168.223.167
May 27, 2022 20:59:31.904853106 CEST	59163	23	192.168.2.23	252.22.171.143
May 27, 2022 20:59:31.904854059 CEST	59163	23	192.168.2.23	74.33.244.230
May 27, 2022 20:59:31.904884100 CEST	59163	23	192.168.2.23	200.107.112.46
May 27, 2022 20:59:31.904884100 CEST	59163	23	192.168.2.23	117.248.64.225
May 27, 2022 20:59:31.904885054 CEST	59163	23	192.168.2.23	218.9.248.9
May 27, 2022 20:59:31.904885054 CEST	59163	23	192.168.2.23	254.54.180.98
May 27, 2022 20:59:31.904887915 CEST	59163	23	192.168.2.23	103.5.164.28
May 27, 2022 20:59:31.904889107 CEST	59163	23	192.168.2.23	202.185.34.249
May 27, 2022 20:59:31.904898882 CEST	59163	23	192.168.2.23	74.43.146.15
May 27, 2022 20:59:31.904902935 CEST	59163	23	192.168.2.23	51.30.207.35
May 27, 2022 20:59:31.904905081 CEST	59163	23	192.168.2.23	130.186.208.227
May 27, 2022 20:59:31.904906988 CEST	59163	23	192.168.2.23	163.194.144.223
May 27, 2022 20:59:31.904906034 CEST	59163	23	192.168.2.23	65.151.197.186
May 27, 2022 20:59:31.904912949 CEST	59163	23	192.168.2.23	42.10.28.214
May 27, 2022 20:59:31.904913902 CEST	59163	23	192.168.2.23	15.193.58.107
May 27, 2022 20:59:31.904916048 CEST	59163	23	192.168.2.23	36.188.49.158
May 27, 2022 20:59:31.904925108 CEST	59163	23	192.168.2.23	17.167.67.237
May 27, 2022 20:59:31.904926062 CEST	59163	23	192.168.2.23	125.195.135.148
May 27, 2022 20:59:31.904928923 CEST	59163	23	192.168.2.23	177.52.26.48
May 27, 2022 20:59:31.904932976 CEST	59163	23	192.168.2.23	192.249.143.184
May 27, 2022 20:59:31.904934883 CEST	59163	23	192.168.2.23	172.85.122.86
May 27, 2022 20:59:31.904937029 CEST	59163	23	192.168.2.23	71.1.79.62
May 27, 2022 20:59:31.904939890 CEST	59163	23	192.168.2.23	19.184.3.37
May 27, 2022 20:59:31.904942989 CEST	59163	23	192.168.2.23	58.255.35.252
May 27, 2022 20:59:31.904943943 CEST	59163	23	192.168.2.23	61.183.79.215
May 27, 2022 20:59:31.904958963 CEST	59163	23	192.168.2.23	87.150.83.200
May 27, 2022 20:59:31.904969931 CEST	59163	23	192.168.2.23	194.84.237.61
May 27, 2022 20:59:31.904969931 CEST	59163	23	192.168.2.23	56.47.127.149
May 27, 2022 20:59:31.904983044 CEST	59163	23	192.168.2.23	182.156.255.199
May 27, 2022 20:59:31.904985905 CEST	59163	23	192.168.2.23	16.183.21.54
May 27, 2022 20:59:31.904989004 CEST	59163	23	192.168.2.23	187.230.138.114
May 27, 2022 20:59:31.904995918 CEST	59163	23	192.168.2.23	160.185.116.207
May 27, 2022 20:59:31.905004978 CEST	59163	23	192.168.2.23	31.91.126.33
May 27, 2022 20:59:31.905010939 CEST	59163	23	192.168.2.23	189.135.10.226
May 27, 2022 20:59:31.905013084 CEST	59163	23	192.168.2.23	174.56.120.205
May 27, 2022 20:59:31.905025959 CEST	59163	23	192.168.2.23	40.106.209.63
May 27, 2022 20:59:31.905038118 CEST	59163	23	192.168.2.23	51.138.158.248
May 27, 2022 20:59:31.905047894 CEST	59163	23	192.168.2.23	74.204.236.68
May 27, 2022 20:59:31.905052900 CEST	59163	23	192.168.2.23	86.108.114.106
May 27, 2022 20:59:31.905055046 CEST	59163	23	192.168.2.23	101.92.75.123
May 27, 2022 20:59:31.905076981 CEST	59163	23	192.168.2.23	128.74.83.40
May 27, 2022 20:59:31.905086994 CEST	59163	23	192.168.2.23	120.132.2.85
May 27, 2022 20:59:31.905090094 CEST	59163	23	192.168.2.23	104.114.13.58
May 27, 2022 20:59:31.905164957 CEST	59163	23	192.168.2.23	44.178.251.226
May 27, 2022 20:59:31.905179024 CEST	59163	23	192.168.2.23	137.52.223.250
May 27, 2022 20:59:31.905214071 CEST	59163	23	192.168.2.23	131.114.237.214
May 27, 2022 20:59:31.905575037 CEST	59163	23	192.168.2.23	219.162.93.148
May 27, 2022 20:59:31.905594110 CEST	59163	23	192.168.2.23	26.49.180.6
May 27, 2022 20:59:31.905601978 CEST	59163	23	192.168.2.23	210.107.167.197

System Behavior

Analysis Process: SBNGwWC7Wb PID: 6224, Parent PID: 6122

General

Start time:	20:59:30
Start date:	27/05/2022
Path:	/tmp/SBNGwWC7Wb
Arguments:	/tmp/SBNGwWC7Wb
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SBNGwWC7Wb PID: 6226, Parent PID: 6224

General

Start time:	20:59:30
Start date:	27/05/2022
Path:	/tmp/SBNGwWC7Wb
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SBNGwWC7Wb PID: 6227, Parent PID: 6224

General

Start time:	20:59:30
Start date:	27/05/2022
Path:	/tmp/SBNGwWC7Wb
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SBNGwWC7Wb PID: 6234, Parent PID: 6227

General

Start time:	20:59:30
Start date:	27/05/2022
Path:	/tmp/SBNGwWC7Wb
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SBNGwWC7Wb PID: 6236, Parent PID: 6227

General

Start time:	20:59:30
Start date:	27/05/2022
Path:	/tmp/SBNGwWC7Wb
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SBNGwWC7Wb PID: 6238, Parent PID: 6236

General

Start time:	20:59:30
Start date:	27/05/2022
Path:	/tmp/SBNGwWC7Wb
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SBNGwWC7Wb

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: SBNGwWC7Wb PID: 6224, Parent PID: 6122

General

Analysis Process: SBNGwWC7Wb PID: 6226, Parent PID: 6224

General

Analysis Process: SBNGwWC7Wb PID: 6227, Parent PID: 6224

General

Analysis Process: SBNGwWC7Wb PID: 6234, Parent PID: 6227

General

Analysis Process: SBNGwWC7Wb PID: 6236, Parent PID: 6227

General

Analysis Process: SBNGwWC7Wb PID: 6238, Parent PID: 6236

General

Linux Analysis Report
SBNGwWC7Wb