Linux Analysis Report
gTBPHpZL3j

Overview

General Information

Sample Name: gTBPHpZL3j
Analysis ID: 679501
MD5: f586c357f162b4875c286e028b8a101f
SHA1: 83964f5d27a8f6b1c0876e62dead592d86b2ed56
SHA256: d9fc1ad9af297ff9f0fabf2227f8060b0eb069bb4fe430723ab06af3b981b9db
Tags: 32, elf, mips, mirai
Infos:

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample deletes itself
Yara signature match
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which no longer works.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679501
Start date and time: 2022-08-05 22:12:16 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: gTBPHpZL3j
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal84.troj.evad.lin@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
Command: /tmp/gTBPHpZL3j
PID: 6229
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
BEASTMODE-BITCHES@@""""/p
Standard Error:
  • system is lnxubuntu20
  • gTBPHpZL3j (PID: 6229, Parent: 6126, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/gTBPHpZL3j
  • cleanup
Source | Rule | Description | Author | Strings
gTBPHpZL3j | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth
  • 0x12bd0:$x1: POST /cdn-cgi/
  • 0x14681:$x5: .mdebug.abi32
  • 0x13100:$s1: LCOGQGPTGP
gTBPHpZL3j | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth
  • 0x12bd0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
gTBPHpZL3j | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Mirai_12 | Yara detected Mirai | Joe Security

Source | Rule | Description | Author | Strings
6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth
  • 0x12bd0:$x1: POST /cdn-cgi/
  • 0x13100:$s1: LCOGQGPTGP
6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth
  • 0x12bd0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security
6250.1.00007fcc64400000.00007fcc64414000.r-x.sdmp | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth
  • 0x12bd0:$x1: POST /cdn-cgi/
  • 0x13100:$s1: LCOGQGPTGP
6250.1.00007fcc64400000.00007fcc64414000.r-x.sdmp | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Florian Roth
  • 0x12bd0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
        No Snort rule has matched

        AV Detection

        Source: gTBPHpZL3j, Avira: detected
        Source: gTBPHpZL3j, Virustotal: Detection: 62%
        Source: gTBPHpZL3j, ReversingLabs: Detection: 70%
        Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
        Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
        Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
        Source: global traffic, TCP traffic: 192.168.2.23:53692 -> 163.123.143.71:34241
        Source: /tmp/gTBPHpZL3j (PID: 6229), Socket: 127.0.0.1::42516
        Source: /tmp/gTBPHpZL3j (PID: 6233), Socket: 0.0.0.0::23
        Source: /tmp/gTBPHpZL3j (PID: 6233), Socket: 0.0.0.0::0
        Source: /tmp/gTBPHpZL3j (PID: 6233), Socket: 0.0.0.0::80
        Source: /tmp/gTBPHpZL3j (PID: 6233), Socket: 0.0.0.0::81
        Source: /tmp/gTBPHpZL3j (PID: 6233), Socket: 0.0.0.0::8443
        Source: /tmp/gTBPHpZL3j (PID: 6233), Socket: 0.0.0.0::9009
        Source: /tmp/gTBPHpZL3j (PID: 6247), Socket: 0.0.0.0::23
        Source: /tmp/gTBPHpZL3j (PID: 6247), Socket: 0.0.0.0::0
        Source: /tmp/gTBPHpZL3j (PID: 6247), Socket: 0.0.0.0::80
        Source: /tmp/gTBPHpZL3j (PID: 6247), Socket: 0.0.0.0::81
        Source: /tmp/gTBPHpZL3j (PID: 6247), Socket: 0.0.0.0::8443
        Source: /tmp/gTBPHpZL3j (PID: 6247), Socket: 0.0.0.0::9009
        Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
        Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443

        System Summary

        Source: gTBPHpZL3j, type: SAMPLE, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: gTBPHpZL3j, type: SAMPLE, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: 6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: 6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: 6250.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: 6250.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: 6233.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: 6233.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: 6249.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: 6249.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: 6234.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: 6234.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: 6237.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
        Source: 6237.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY, Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
        Source: gTBPHpZL3j, type: SAMPLEMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
        Source: gTBPHpZL3j, type: SAMPLEMatched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
        Source: ELF static info symbol of initial sample, .symtab present: no
        Source: /tmp/gTBPHpZL3j (PID: 6233), SIGKILL sent: pid: 936, result: successful
        Source: /tmp/gTBPHpZL3j (PID: 6247), SIGKILL sent: pid: 6233, result: successful
        Source: /tmp/gTBPHpZL3j (PID: 6247), SIGKILL sent: pid: 936, result: successful
        Source: /tmp/gTBPHpZL3j (PID: 6247), SIGKILL sent: pid: 759, result: successful
        Source: /tmp/gTBPHpZL3j (PID: 6247), SIGKILL sent: pid: 6237, result: successful
        Source: /tmp/gTBPHpZL3j (PID: 6247), SIGKILL sent: pid: 6250, result: successful
        Source: classification engine, Classification label: mal84.troj.evad.lin@0/0@0/0

        Hooking and other Techniques for Hiding and Protection

        Source: /tmp/gTBPHpZL3j (PID: 6229), File: /tmp/gTBPHpZL3j
        Source: /tmp/gTBPHpZL3j (PID: 6229), Queries kernel information via 'uname':
        Source: gTBPHpZL3j, 6229.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6233.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6234.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6237.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6249.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6250.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, Binary or memory string: >V!/etc/qemu-binfmt/mips
        Source: gTBPHpZL3j, 6229.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6233.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6234.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6237.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6249.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, gTBPHpZL3j, 6250.1.0000563ed0330000.0000563ed03b7000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/mips
        Source: gTBPHpZL3j, 6229.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6233.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6234.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6237.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6249.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6250.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-mips
        Source: gTBPHpZL3j, 6229.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6233.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6234.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6237.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6249.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, gTBPHpZL3j, 6250.1.00007ffdaa80e000.00007ffdaa82f000.rw-.sdmp, Binary or memory string: .]x86_64/usr/bin/qemu-mips/tmp/gTBPHpZL3jSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/gTBPHpZL3j

        Stealing of Sensitive Information

        Source: Yara match File source: dump.pcap, type: PCAP
        Source: Yara match File source: gTBPHpZL3j, type: SAMPLE
        Source: Yara match File source: 6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6250.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6233.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6249.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6234.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6237.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match File source: dump.pcap, type: PCAP
        Source: Yara match File source: gTBPHpZL3j, type: SAMPLE
        Source: Yara match File source: 6229.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6250.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6233.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6249.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6234.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Source: Yara match File source: 6237.1.00007fcc64400000.00007fcc64414000.r-x.sdmp, type: MEMORY
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 File Deletion | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        No configs have been found
        [Behavior graph: ID 679501, Sample: gTBPHpZL3j, Start date: 05/08/2022, Architecture: LINUX, Score: 84]
        Source | Detection | Scanner | Label | Link
        gTBPHpZL3j | 63% | Virustotal | | Browse
        gTBPHpZL3j | 71% | ReversingLabs | Linux.Trojan.Mirai |
        gTBPHpZL3j | 100% | Avira | LINUX/Mirai.bonb |
        No Antivirus matches
        No contacted domains info
        No context
        No created / dropped files found
        File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
        Entropy (8bit):5.369997050070244
        TrID:
        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
        File name:gTBPHpZL3j
        File size:84120
        MD5:f586c357f162b4875c286e028b8a101f
        SHA1:83964f5d27a8f6b1c0876e62dead592d86b2ed56
        SHA256:d9fc1ad9af297ff9f0fabf2227f8060b0eb069bb4fe430723ab06af3b981b9db
        SHA512:fa3827aa7eeeff0d106a864686d257288a9bbb50068cc265223e82c0e8183805776a7924a877637659b1359e3d7d1ec0bc46013f66084d2d82d661e801e0941d
        SSDEEP:1536:im2yFrszc6u0vTJ2VdKXrE1nHkiRZKyLXPjVjc:IyFrau07cVSE1nHkiRZKyL/jlc
        TLSH:7C83630E3E215F7DFFAC823987B74A21665933EA22E1C5C4D19CE9061E7034A641FBA5

        ELF header

        Class:ELF32
        Data:2's complement, big endian
        Version:1 (current)
        Machine:MIPS R3000
        Version Number:0x1
        Type:EXEC (Executable file)
        OS/ABI:UNIX - System V
        ABI Version:0
        Entry Point Address:0x400260
        Flags:0x1007
        ELF Header Size:52
        Program Header Offset:52
        Program Header Size:32
        Number of Program Headers:3
        Section Header Offset:83600
        Section Header Size:40
        Number of Section Headers:13
        Header String Table Index:12
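        Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
         | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
        .init | PROGBITS | 0x400094 | 0x94 | 0x8c | 0x0 | 0x6 | AX | 0 | 0 | 4
        .text | PROGBITS | 0x400120 | 0x120 | 0x12a50 | 0x0 | 0x6 | AX | 0 | 0 | 16
        .fini | PROGBITS | 0x412b70 | 0x12b70 | 0x5c | 0x0 | 0x6 | AX | 0 | 0 | 4
        .rodata | PROGBITS | 0x412bd0 | 0x12bd0 | 0xb60 | 0x0 | 0x2 | A | 0 | 0 | 16
        .ctors | PROGBITS | 0x454000 | 0x14000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
        .dtors | PROGBITS | 0x454008 | 0x14008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
        .data | PROGBITS | 0x454020 | 0x14020 | 0x250 | 0x0 | 0x3 | WA | 0 | 0 | 16
        .got | PROGBITS | 0x454270 | 0x14270 | 0x3c8 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
        .sbss | NOBITS | 0x454638 | 0x14638 | 0x24 | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
        .bss | NOBITS | 0x454660 | 0x14638 | 0x598 | 0x0 | 0x3 | WA | 0 | 0 | 16
        .mdebug.abi32 | PROGBITS | 0x72c | 0x14638 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 1
        .shstrtab | STRTAB | 0x0 | 0x14638 | 0x57 | 0x0 | 0x0 | | 0 | 0 | 1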
        Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
        LOAD | 0x0 | 0x400000 | 0x400000 | 0x13730 | 0x13730 | 5.4872 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
        LOAD | 0x14000 | 0x454000 | 0x454000 | 0x638 | 0xbf8 | 3.8014 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .got .sbss .bss
        GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

        System Behavior

        Start time:22:13:01
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:/tmp/gTBPHpZL3j
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:05
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:05
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:05
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:05
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:14
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:14
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c
        Start time:22:13:14
        Start date:05/08/2022
        Path:/tmp/gTBPHpZL3j
        Arguments:n/a
        File size:5777432 bytes
        MD5 hash:0083f1f0e77be34ad27f849842bbb00c