Edit tour

Linux Analysis Report
HAEskA4vLV

Overview

General Information

Sample Name:	HAEskA4vLV
Analysis ID:	635398
MD5:	445ea153f39e7868760107609a343b28
SHA1:	1ab794165df55bdd9a4a6d1e7023b550fa29e277
SHA256:	3c9c1a3e7f02d9a27f946c3edc5c45554e8884262833b6c648a98880070ac017
Tags:	32elfmiraimotorola
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample tries to kill multiple processes (SIGKILL)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635398
Start date and time: 27/05/202221:03:12	2022-05-27 21:03:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	HAEskA4vLV
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.spre.troj.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/HAEskA4vLV
PID:	6233
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Infected
Standard Error:

Process Tree

system is lnxubuntu20

HAEskA4vLV (PID: 6233, Parent: 6135, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/HAEskA4vLV

HAEskA4vLV New Fork (PID: 6235, Parent: 6233)

HAEskA4vLV New Fork (PID: 6236, Parent: 6233)

HAEskA4vLV New Fork (PID: 6240, Parent: 6236)

HAEskA4vLV New Fork (PID: 6242, Parent: 6236)

HAEskA4vLV New Fork (PID: 6244, Parent: 6242)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: HAEskA4vLV	Virustotal: Detection: 36%			Perma Link
Source: HAEskA4vLV	ReversingLabs: Detection: 35%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39316
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39336
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39358
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39374
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39384
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39400
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39410
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39422
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39432
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39444
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39452
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39462
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39476
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39484
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39490
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39500
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39512
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39522
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39574
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39618
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39640
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39646
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55832
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55840
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55856
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55866
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55878
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55910
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55930
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55966
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55988
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56000
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56014
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56024
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56038
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56050
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56062
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56074
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56126
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56164
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39644
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39662
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39670
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39676
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39686
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39704
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39720
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39726
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39740
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39754
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39762
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39776
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39788
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39796
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39800
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39812
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39818
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39826
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39834
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39842
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39852
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39872

Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:39008 -> 45.95.169.139:9372

Source: /tmp/HAEskA4vLV (PID: 6240)

Socket: 0.0.0.0::23

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 123.43.150.226
Source: unknown	TCP traffic detected without corresponding DNS query: 161.68.125.226
Source: unknown	TCP traffic detected without corresponding DNS query: 125.109.2.184
Source: unknown	TCP traffic detected without corresponding DNS query: 147.72.218.64
Source: unknown	TCP traffic detected without corresponding DNS query: 153.136.79.200
Source: unknown	TCP traffic detected without corresponding DNS query: 175.51.249.226
Source: unknown	TCP traffic detected without corresponding DNS query: 244.234.189.116
Source: unknown	TCP traffic detected without corresponding DNS query: 168.89.84.214
Source: unknown	TCP traffic detected without corresponding DNS query: 37.102.70.142
Source: unknown	TCP traffic detected without corresponding DNS query: 164.54.60.38
Source: unknown	TCP traffic detected without corresponding DNS query: 1.162.25.61
Source: unknown	TCP traffic detected without corresponding DNS query: 30.42.105.152
Source: unknown	TCP traffic detected without corresponding DNS query: 28.32.112.98
Source: unknown	TCP traffic detected without corresponding DNS query: 217.75.12.96
Source: unknown	TCP traffic detected without corresponding DNS query: 162.26.234.95
Source: unknown	TCP traffic detected without corresponding DNS query: 88.35.159.179
Source: unknown	TCP traffic detected without corresponding DNS query: 34.114.156.77
Source: unknown	TCP traffic detected without corresponding DNS query: 37.41.27.250
Source: unknown	TCP traffic detected without corresponding DNS query: 150.179.145.197
Source: unknown	TCP traffic detected without corresponding DNS query: 157.123.169.144
Source: unknown	TCP traffic detected without corresponding DNS query: 56.128.239.81
Source: unknown	TCP traffic detected without corresponding DNS query: 251.68.14.81
Source: unknown	TCP traffic detected without corresponding DNS query: 125.58.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 92.153.105.152
Source: unknown	TCP traffic detected without corresponding DNS query: 59.196.92.105
Source: unknown	TCP traffic detected without corresponding DNS query: 135.76.38.36
Source: unknown	TCP traffic detected without corresponding DNS query: 249.81.154.45
Source: unknown	TCP traffic detected without corresponding DNS query: 117.23.90.49
Source: unknown	TCP traffic detected without corresponding DNS query: 133.228.234.160
Source: unknown	TCP traffic detected without corresponding DNS query: 75.165.246.91
Source: unknown	TCP traffic detected without corresponding DNS query: 27.19.47.184
Source: unknown	TCP traffic detected without corresponding DNS query: 157.206.9.121
Source: unknown	TCP traffic detected without corresponding DNS query: 64.40.59.241
Source: unknown	TCP traffic detected without corresponding DNS query: 113.98.35.245
Source: unknown	TCP traffic detected without corresponding DNS query: 212.22.5.3
Source: unknown	TCP traffic detected without corresponding DNS query: 124.168.38.125
Source: unknown	TCP traffic detected without corresponding DNS query: 147.26.117.6
Source: unknown	TCP traffic detected without corresponding DNS query: 7.211.199.25
Source: unknown	TCP traffic detected without corresponding DNS query: 80.251.228.219
Source: unknown	TCP traffic detected without corresponding DNS query: 120.154.25.31
Source: unknown	TCP traffic detected without corresponding DNS query: 218.192.13.212
Source: unknown	TCP traffic detected without corresponding DNS query: 22.14.73.178
Source: unknown	TCP traffic detected without corresponding DNS query: 114.44.189.102
Source: unknown	TCP traffic detected without corresponding DNS query: 221.144.154.6
Source: unknown	TCP traffic detected without corresponding DNS query: 35.73.108.210
Source: unknown	TCP traffic detected without corresponding DNS query: 200.168.53.146
Source: unknown	TCP traffic detected without corresponding DNS query: 24.170.236.217
Source: unknown	TCP traffic detected without corresponding DNS query: 220.36.79.120

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 658, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 772, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 789, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 904, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1320, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1389, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1463, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1465, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1576, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1809, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1888, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1890, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1983, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 2048, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 2062, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 6197, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 6235, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 6244, result: successful

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 658, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 720, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 759, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 772, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 789, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 800, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 904, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1320, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1334, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1335, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1389, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1463, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1465, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1576, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1809, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1872, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1888, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1890, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 1983, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 2048, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 2062, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 6197, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 6235, result: successful
Source: /tmp/HAEskA4vLV (PID: 6240)	SIGKILL sent: pid: 6244, result: successful

Source: classification engine

Classification label: mal64.spre.troj.lin@0/0@0/0

Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/6197/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/6198/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/6235/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1582/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2033/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2275/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/3088/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1612/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1579/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1699/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1335/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1698/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2028/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1334/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1576/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2302/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/3236/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2025/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2146/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/910/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/912/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/517/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/759/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2307/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/918/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/6244/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/6125/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1594/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2285/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2281/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1349/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1623/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/761/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1622/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/884/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1983/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2038/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1344/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1465/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1586/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1463/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2156/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/800/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/801/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1629/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1627/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1900/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4471/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4472/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4473/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4474/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/3021/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/491/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2294/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2050/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1877/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/772/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1633/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1599/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1632/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/774/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1477/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/654/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/896/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1476/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1872/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2048/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/655/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1475/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2289/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/656/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/777/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/657/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/658/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4346/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4347/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4348/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/419/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/936/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1639/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4349/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1638/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4504/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2208/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2180/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1809/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1494/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1890/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2063/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2062/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1888/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1886/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/420/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1489/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/785/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1642/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/788/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/667/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/789/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/1648/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/4495/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2078/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2077/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2074/exe
Source: /tmp/HAEskA4vLV (PID: 6240)	File opened: /proc/2195/exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39316
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39336
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39358
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39374
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39384
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39400
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39410
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39422
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39432
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39444
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39452
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39462
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39476
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39484
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39490
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39500
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39512
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39522
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39574
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39612
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39618
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39630
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39640
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39646
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55832
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55840
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55856
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55866
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55878
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55910
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55930
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55950
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55966
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55988
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56000
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56014
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56024
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56038
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56050
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56062
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56074
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56126
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56136
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56164
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 56232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39644
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39654
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39662
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39670
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39676
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39686
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39704
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39710
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39720
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39726
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39734
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39740
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39746
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39754
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39762
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39776
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39788
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39796
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39800
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39812
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39818
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39826
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39834
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39842
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39852
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39872

Source: /tmp/HAEskA4vLV (PID: 6233)

Queries kernel information via 'uname':

Source: HAEskA4vLV, 6233.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6235.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6236.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6242.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6244.1.0000000036321392.00000000d8f33923.rw-.sdmp	Binary or memory string: Ex86_64/usr/bin/qemu-m68k/tmp/HAEskA4vLVSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/HAEskA4vLV
Source: HAEskA4vLV, 6233.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6235.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6236.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6242.1.0000000036321392.00000000d8f33923.rw-.sdmp, HAEskA4vLV, 6244.1.0000000036321392.00000000d8f33923.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: HAEskA4vLV, 6233.1.0000000013d2ed51.00000000c3b4415c.rw-.sdmp, HAEskA4vLV, 6235.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp, HAEskA4vLV, 6236.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp, HAEskA4vLV, 6242.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp, HAEskA4vLV, 6244.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp	Binary or memory string: -V!/etc/qemu-binfmt/m68k
Source: HAEskA4vLV, 6233.1.0000000013d2ed51.00000000c3b4415c.rw-.sdmp, HAEskA4vLV, 6235.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp, HAEskA4vLV, 6236.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp, HAEskA4vLV, 6242.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp, HAEskA4vLV, 6244.1.0000000013d2ed51.0000000015bd653d.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Service Stop
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HAEskA4vLV	37%	Virustotal		Browse
HAEskA4vLV	35%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
90.97.170.84	unknown	France	28708	ORANGEFR-PORTAL-ASDSImutualizedinternetaccessFR	false
169.5.24.89	unknown	United States	203	CENTURYLINK-LEGACY-LVLT-203US	false
194.252.255.29	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
179.12.175.80	unknown	Colombia	27831	ColombiaMovilCO	false
31.107.23.184	unknown	United Kingdom	12576	EELtdGB	false
46.125.185.237	unknown	Austria	8412	TMARennweg97-99AT	false
30.35.136.86	unknown	United States	7922	COMCAST-7922US	false
217.179.192.222	unknown	United Kingdom	5503	RMIFLGB	false
94.122.216.129	unknown	Turkey	12978	DOGAN-ONLINETR	false
135.76.111.146	unknown	United States	18676	AVAYAUS	false
128.90.30.179	unknown	United States	22363	PHMGMT-AS1US	false
195.10.52.226	unknown	United Kingdom	1273	CWVodafoneGroupPLCEU	false
106.46.124.226	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
205.247.222.200	unknown	United States	3257	GTT-BACKBONEGTTDE	false
60.51.49.48	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
191.65.185.153	unknown	Colombia	26611	COMCELSACO	false
106.76.2.64	unknown	India	45271	ICLNET-AS-APIdeaCellularLimitedIN	false
246.57.16.74	unknown	Reserved	unknown	unknown	false
64.90.13.22	unknown	United States	7029	WINDSTREAMUS	false
223.68.161.195	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
93.84.101.62	unknown	Belarus	6697	BELPAK-ASBELPAKBY	false
67.127.118.193	unknown	United States	7018	ATT-INTERNET4US	false
255.162.56.216	unknown	Reserved	unknown	unknown	false
32.123.32.26	unknown	United States	7018	ATT-INTERNET4US	false
78.3.131.236	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
80.137.246.164	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
201.252.24.249	unknown	Argentina	7303	TelecomArgentinaSAAR	false
98.98.237.205	unknown	United States	7018	ATT-INTERNET4US	false
67.48.33.85	unknown	United States	11427	TWC-11427-TEXASUS	false
198.191.91.196	unknown	United States	2152	CSUNET-NWUS	false
33.111.186.224	unknown	United States	2686	ATGS-MMD-ASUS	false
192.49.201.169	unknown	Finland	375	TIETOTIE-ASPOBox38FI-00441HelsinkiFinlandEU	false
144.152.175.199	unknown	United States	58541	CHINATELECOM-SHANDONG-QINGDAO-IDCQingdao266000CN	false
83.138.10.92	unknown	Ireland	30900	WEBWORLD-AStaWebWorldIrelandIE	false
126.26.13.195	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
34.7.3.33	unknown	United States	2686	ATGS-MMD-ASUS	false
181.48.255.124	unknown	Colombia	14080	TelmexColombiaSACO	false
73.215.212.83	unknown	United States	7922	COMCAST-7922US	false
106.72.235.235	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
164.151.240.108	unknown	South Africa	37130	SITA-ASZA	false
171.60.217.79	unknown	India	24560	AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices	false
49.159.200.168	unknown	Taiwan; Republic of China (ROC)	24164	UBBNET-AS-TWUNIONBROADBANDNETWORKTW	false
217.198.143.142	unknown	Germany	34309	LINK11Link11GmbHDE	false
189.221.199.41	unknown	Mexico	28509	CablemasTelecomunicacionesSAdeCVMX	false
125.251.7.21	unknown	Korea Republic of	38394	GOESN-AS-KRGyeonggidoSeongnamOfficeofEducationKR	false
61.73.160.163	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
78.73.118.63	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
107.184.217.188	unknown	United States	20001	TWC-20001-PACWESTUS	false
202.139.135.57	unknown	Australia	7474	OPTUSCOM-AS01-AUSingTelOptusPtyLtdAU	false
219.86.3.214	unknown	Taiwan; Republic of China (ROC)	9924	TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi	false
110.123.21.120	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
30.227.233.209	unknown	United States	7922	COMCAST-7922US	false
182.246.241.9	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
29.191.94.89	unknown	United States	7922	COMCAST-7922US	false
174.85.82.247	unknown	United States	20115	CHARTER-20115US	false
39.63.138.0	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
74.103.139.189	unknown	United States	701	UUNETUS	false
114.237.34.128	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
105.94.59.158	unknown	Egypt	36992	ETISALAT-MISREG	false
124.31.169.22	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
88.149.62.148	unknown	Iceland	12969	VODAFONE_ICELANDIS	false
12.198.36.119	unknown	United States	7018	ATT-INTERNET4US	false
142.116.146.84	unknown	Canada	577	BACOMCA	false
4.146.131.214	unknown	United States	3356	LEVEL3US	false
241.232.37.7	unknown	Reserved	unknown	unknown	false
64.156.138.117	unknown	United States	3356	LEVEL3US	false
114.53.79.211	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
154.234.45.165	unknown	Cote D'ivoire	36974	AFNET-ASCI	false
144.147.142.234	unknown	United States	1460	DNIC-ASBLK-01458-01460US	false
240.52.83.224	unknown	Reserved	unknown	unknown	false
156.70.138.52	unknown	United States	297	AS297US	false
147.254.126.164	unknown	United States	1213	HEANETIE	false
183.153.123.153	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
53.133.121.204	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
157.162.143.89	unknown	Germany	22192	SSHENETUS	false
192.77.104.107	unknown	United States	427	AFCONC-BLOCK1-ASUS	false
98.209.182.234	unknown	United States	7922	COMCAST-7922US	false
94.35.173.140	unknown	Italy	8612	TISCALI-IT	false
167.75.59.236	unknown	United States	3356	LEVEL3US	false
109.76.80.220	unknown	Ireland	15502	VODAFONE-IRELAND-ASNIE	false
19.183.164.159	unknown	United States	3	MIT-GATEWAYSUS	false
27.53.120.240	unknown	Taiwan; Republic of China (ROC)	9674	FET-TWFarEastToneTelecommunicationCoLtdTW	false
53.231.152.118	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
54.139.242.174	unknown	United States	14618	AMAZON-AESUS	false
202.39.229.207	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
18.141.1.158	unknown	United States	16509	AMAZON-02US	false
243.236.181.133	unknown	Reserved	unknown	unknown	false
167.61.71.154	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
108.144.104.131	unknown	United States	16509	AMAZON-02US	false
100.83.140.204	unknown	Reserved	701	UUNETUS	false
245.118.65.228	unknown	Reserved	unknown	unknown	false
38.136.33.37	unknown	United States	174	COGENT-174US	false
81.76.63.240	unknown	United Kingdom	3269	ASN-IBSNAZIT	false
85.127.123.174	unknown	Austria	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
211.109.228.6	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
214.178.86.224	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
193.137.26.80	unknown	Portugal	1930	RCCNFundacaoparaaCienciaeaTecnologiaIPPT	false
15.172.248.37	unknown	United States	71	HP-INTERNET-ASUS	false
212.170.182.246	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
65.26.228.228	unknown	United States	10796	TWC-10796-MIDWESTUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.238586795542201
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	HAEskA4vLV
File size:	93480
MD5:	445ea153f39e7868760107609a343b28
SHA1:	1ab794165df55bdd9a4a6d1e7023b550fa29e277
SHA256:	3c9c1a3e7f02d9a27f946c3edc5c45554e8884262833b6c648a98880070ac017
SHA512:	2f52101989fc5e380669d1ed61d4deb71527b1d9c192994abcc0b0a0284a1463d8502459f7be5eacdac0bb162cd927b8002a1214595dc93e8504066a5ef5d059
SSDEEP:	1536:Mj+9mKLMisFvCuyMydl91jkjgAnsuouXqz88hZZro6SBvAhGDZ9agQk:fL4iaCfMydl91jCsupXqztZro6mN9hQk
TLSH:	CC933B97F800EDBEF809D7774453490AB230B7A04E921A727257396BEC7A1E4193BF46
File Content Preview:	.ELF.......................D...4..k......4. ...(......................g...g....... .......g...............f....... .dt.Q............................NV..a....da...J\N^NuNV..J9...Xf>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy..g.N.X........XN^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	93080
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x14a86	0x0	0x6	AX	4
.fini	PROGBITS	0x80014b2e	0x14b2e	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80014b3c	0x14b3c	0x1c5f	0x0	0x2	A	2
.ctors	PROGBITS	0x800187a0	0x167a0	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x800187a8	0x167a8	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x800187b4	0x167b4	0x3a4	0x0	0x3	WA	4
.bss	NOBITS	0x80018b58	0x16b58	0x62cc	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x16b58	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x1679b	0x1679b	4.1174	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x167a0	0x800187a0	0x800187a0	0x3b8	0x6684	1.6081	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 21:04:00.937935114 CEST	42516	80	192.168.2.23	109.202.202.202
May 27, 2022 21:04:00.937943935 CEST	42836	443	192.168.2.23	91.189.91.43
May 27, 2022 21:04:04.233452082 CEST	21477	23	192.168.2.23	123.43.150.226
May 27, 2022 21:04:04.233500957 CEST	21477	23	192.168.2.23	161.68.125.226
May 27, 2022 21:04:04.233517885 CEST	21477	23	192.168.2.23	125.109.2.184
May 27, 2022 21:04:04.233520985 CEST	21477	23	192.168.2.23	147.72.218.64
May 27, 2022 21:04:04.233527899 CEST	21477	23	192.168.2.23	153.136.79.200
May 27, 2022 21:04:04.233529091 CEST	21477	23	192.168.2.23	175.51.249.226
May 27, 2022 21:04:04.233558893 CEST	21477	23	192.168.2.23	244.234.189.116
May 27, 2022 21:04:04.233575106 CEST	21477	23	192.168.2.23	168.89.84.214
May 27, 2022 21:04:04.233583927 CEST	21477	23	192.168.2.23	37.102.70.142
May 27, 2022 21:04:04.233587027 CEST	21477	23	192.168.2.23	164.54.60.38
May 27, 2022 21:04:04.233608007 CEST	21477	23	192.168.2.23	1.162.25.61
May 27, 2022 21:04:04.233627081 CEST	21477	23	192.168.2.23	30.42.105.152
May 27, 2022 21:04:04.233666897 CEST	21477	23	192.168.2.23	28.32.112.98
May 27, 2022 21:04:04.233668089 CEST	21477	23	192.168.2.23	217.75.12.96
May 27, 2022 21:04:04.233666897 CEST	21477	23	192.168.2.23	162.26.234.95
May 27, 2022 21:04:04.233673096 CEST	21477	23	192.168.2.23	88.35.159.179
May 27, 2022 21:04:04.233688116 CEST	21477	23	192.168.2.23	34.114.156.77
May 27, 2022 21:04:04.233688116 CEST	21477	23	192.168.2.23	37.41.27.250
May 27, 2022 21:04:04.233690023 CEST	21477	23	192.168.2.23	150.179.145.197
May 27, 2022 21:04:04.233689070 CEST	21477	23	192.168.2.23	157.123.169.144
May 27, 2022 21:04:04.233695984 CEST	21477	23	192.168.2.23	56.128.239.81
May 27, 2022 21:04:04.233696938 CEST	21477	23	192.168.2.23	251.68.14.81
May 27, 2022 21:04:04.233699083 CEST	21477	23	192.168.2.23	125.58.65.238
May 27, 2022 21:04:04.233702898 CEST	21477	23	192.168.2.23	92.153.105.152
May 27, 2022 21:04:04.233707905 CEST	21477	23	192.168.2.23	59.196.92.105
May 27, 2022 21:04:04.233710051 CEST	21477	23	192.168.2.23	135.76.38.36
May 27, 2022 21:04:04.233711958 CEST	21477	23	192.168.2.23	249.81.154.45
May 27, 2022 21:04:04.233722925 CEST	21477	23	192.168.2.23	117.23.90.49
May 27, 2022 21:04:04.233726978 CEST	21477	23	192.168.2.23	133.228.234.160
May 27, 2022 21:04:04.233730078 CEST	21477	23	192.168.2.23	75.165.246.91
May 27, 2022 21:04:04.233751059 CEST	21477	23	192.168.2.23	27.19.47.184
May 27, 2022 21:04:04.233793974 CEST	21477	23	192.168.2.23	157.206.9.121
May 27, 2022 21:04:04.233797073 CEST	21477	23	192.168.2.23	64.40.59.241
May 27, 2022 21:04:04.233798981 CEST	21477	23	192.168.2.23	113.98.35.245
May 27, 2022 21:04:04.233803034 CEST	21477	23	192.168.2.23	212.22.5.3
May 27, 2022 21:04:04.233804941 CEST	21477	23	192.168.2.23	124.168.38.125
May 27, 2022 21:04:04.233810902 CEST	21477	23	192.168.2.23	147.26.117.6
May 27, 2022 21:04:04.233828068 CEST	21477	23	192.168.2.23	7.211.199.25
May 27, 2022 21:04:04.233829021 CEST	21477	23	192.168.2.23	80.251.228.219
May 27, 2022 21:04:04.233830929 CEST	21477	23	192.168.2.23	120.154.25.31
May 27, 2022 21:04:04.233830929 CEST	21477	23	192.168.2.23	218.192.13.212
May 27, 2022 21:04:04.233829975 CEST	21477	23	192.168.2.23	22.14.73.178
May 27, 2022 21:04:04.233831882 CEST	21477	23	192.168.2.23	114.44.189.102
May 27, 2022 21:04:04.233838081 CEST	21477	23	192.168.2.23	221.144.154.6
May 27, 2022 21:04:04.233841896 CEST	21477	23	192.168.2.23	35.73.108.210
May 27, 2022 21:04:04.233854055 CEST	21477	23	192.168.2.23	200.168.53.146
May 27, 2022 21:04:04.233855963 CEST	21477	23	192.168.2.23	24.170.236.217
May 27, 2022 21:04:04.233867884 CEST	21477	23	192.168.2.23	220.36.79.120
May 27, 2022 21:04:04.233872890 CEST	21477	23	192.168.2.23	74.113.91.170
May 27, 2022 21:04:04.233875036 CEST	21477	23	192.168.2.23	209.30.171.40
May 27, 2022 21:04:04.233875990 CEST	21477	23	192.168.2.23	28.129.77.48
May 27, 2022 21:04:04.233876944 CEST	21477	23	192.168.2.23	155.157.111.197
May 27, 2022 21:04:04.233880043 CEST	21477	23	192.168.2.23	96.255.18.227
May 27, 2022 21:04:04.233884096 CEST	21477	23	192.168.2.23	74.114.152.9
May 27, 2022 21:04:04.233884096 CEST	21477	23	192.168.2.23	40.22.186.88
May 27, 2022 21:04:04.233889103 CEST	21477	23	192.168.2.23	59.185.93.52
May 27, 2022 21:04:04.233890057 CEST	21477	23	192.168.2.23	213.92.7.142
May 27, 2022 21:04:04.233894110 CEST	21477	23	192.168.2.23	213.22.189.141
May 27, 2022 21:04:04.233895063 CEST	21477	23	192.168.2.23	107.216.76.9
May 27, 2022 21:04:04.233899117 CEST	21477	23	192.168.2.23	50.44.85.221
May 27, 2022 21:04:04.233906984 CEST	21477	23	192.168.2.23	126.241.130.240
May 27, 2022 21:04:04.233911037 CEST	21477	23	192.168.2.23	244.69.75.239
May 27, 2022 21:04:04.233913898 CEST	21477	23	192.168.2.23	157.148.6.59
May 27, 2022 21:04:04.233913898 CEST	21477	23	192.168.2.23	179.15.211.85
May 27, 2022 21:04:04.233916044 CEST	21477	23	192.168.2.23	201.60.150.112
May 27, 2022 21:04:04.233917952 CEST	21477	23	192.168.2.23	67.87.157.65
May 27, 2022 21:04:04.233920097 CEST	21477	23	192.168.2.23	91.158.148.64
May 27, 2022 21:04:04.233922958 CEST	21477	23	192.168.2.23	3.142.63.171
May 27, 2022 21:04:04.233937025 CEST	21477	23	192.168.2.23	204.135.248.203
May 27, 2022 21:04:04.233939886 CEST	21477	23	192.168.2.23	129.134.5.75
May 27, 2022 21:04:04.233942986 CEST	21477	23	192.168.2.23	143.96.41.176
May 27, 2022 21:04:04.233947039 CEST	21477	23	192.168.2.23	183.196.159.3
May 27, 2022 21:04:04.233949900 CEST	21477	23	192.168.2.23	12.234.193.170
May 27, 2022 21:04:04.233949900 CEST	21477	23	192.168.2.23	96.53.76.80
May 27, 2022 21:04:04.233952999 CEST	21477	23	192.168.2.23	111.141.141.40
May 27, 2022 21:04:04.233956099 CEST	21477	23	192.168.2.23	21.22.247.8
May 27, 2022 21:04:04.233959913 CEST	21477	23	192.168.2.23	125.233.247.73
May 27, 2022 21:04:04.233963013 CEST	21477	23	192.168.2.23	157.60.237.236
May 27, 2022 21:04:04.233967066 CEST	21477	23	192.168.2.23	37.82.140.146
May 27, 2022 21:04:04.233969927 CEST	21477	23	192.168.2.23	144.102.31.188
May 27, 2022 21:04:04.233972073 CEST	21477	23	192.168.2.23	254.149.14.114
May 27, 2022 21:04:04.233975887 CEST	21477	23	192.168.2.23	45.156.122.224
May 27, 2022 21:04:04.233978033 CEST	21477	23	192.168.2.23	172.149.100.55
May 27, 2022 21:04:04.233980894 CEST	21477	23	192.168.2.23	78.25.45.119
May 27, 2022 21:04:04.233982086 CEST	21477	23	192.168.2.23	42.86.195.103
May 27, 2022 21:04:04.233982086 CEST	21477	23	192.168.2.23	115.239.246.23
May 27, 2022 21:04:04.233985901 CEST	21477	23	192.168.2.23	82.10.176.75
May 27, 2022 21:04:04.233989000 CEST	21477	23	192.168.2.23	113.44.187.34
May 27, 2022 21:04:04.233993053 CEST	21477	23	192.168.2.23	36.209.142.233
May 27, 2022 21:04:04.233994961 CEST	21477	23	192.168.2.23	151.108.222.133
May 27, 2022 21:04:04.234000921 CEST	21477	23	192.168.2.23	35.63.22.110
May 27, 2022 21:04:04.234004974 CEST	21477	23	192.168.2.23	158.158.181.107
May 27, 2022 21:04:04.234004974 CEST	21477	23	192.168.2.23	9.183.97.60
May 27, 2022 21:04:04.234006882 CEST	21477	23	192.168.2.23	203.192.101.1
May 27, 2022 21:04:04.234008074 CEST	21477	23	192.168.2.23	124.242.109.161
May 27, 2022 21:04:04.234011889 CEST	21477	23	192.168.2.23	223.231.57.249
May 27, 2022 21:04:04.234014988 CEST	21477	23	192.168.2.23	250.237.143.131
May 27, 2022 21:04:04.234016895 CEST	21477	23	192.168.2.23	117.50.20.165

System Behavior

Analysis Process: HAEskA4vLV PID: 6233, Parent PID: 6135

General

Start time:	21:04:03
Start date:	27/05/2022
Path:	/tmp/HAEskA4vLV
Arguments:	/tmp/HAEskA4vLV
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: HAEskA4vLV PID: 6235, Parent PID: 6233

General

Start time:	21:04:03
Start date:	27/05/2022
Path:	/tmp/HAEskA4vLV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: HAEskA4vLV PID: 6236, Parent PID: 6233

General

Start time:	21:04:03
Start date:	27/05/2022
Path:	/tmp/HAEskA4vLV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: HAEskA4vLV PID: 6240, Parent PID: 6236

General

Start time:	21:04:03
Start date:	27/05/2022
Path:	/tmp/HAEskA4vLV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: HAEskA4vLV PID: 6242, Parent PID: 6236

General

Start time:	21:04:03
Start date:	27/05/2022
Path:	/tmp/HAEskA4vLV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: HAEskA4vLV PID: 6244, Parent PID: 6242

General

Start time:	21:04:03
Start date:	27/05/2022
Path:	/tmp/HAEskA4vLV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report HAEskA4vLV

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: HAEskA4vLV PID: 6233, Parent PID: 6135

General

Analysis Process: HAEskA4vLV PID: 6235, Parent PID: 6233

General

Analysis Process: HAEskA4vLV PID: 6236, Parent PID: 6233

General

Analysis Process: HAEskA4vLV PID: 6240, Parent PID: 6236

General

Analysis Process: HAEskA4vLV PID: 6242, Parent PID: 6236

General

Analysis Process: HAEskA4vLV PID: 6244, Parent PID: 6242

General

Linux Analysis Report
HAEskA4vLV