Edit tour

Linux Analysis Report
Nmg21us74I

Overview

General Information

Sample Name:	Nmg21us74I
Analysis ID:	679506
MD5:	01ec15a16805e0b57d0ef42097dca5ec
SHA1:	d9ea867164e9ad0c1901b85c8f18174743e1a0b4
SHA256:	a3946c00d0daf54a7e99a22e731dbc7977936ef6c9591dd0ae2a45632626b357
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample deletes itself

Uses known network protocols on non-standard ports

Yara signature match

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679506
Start date and time: 05/08/202222:22:16	2022-08-05 22:22:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Nmg21us74I
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal88.troj.evad.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/Nmg21us74I
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	BEASTMODE-BITCHES@@""""/p
Standard Error:

Process Tree

system is lnxubuntu20

Nmg21us74I (PID: 6230, Parent: 6123, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Nmg21us74I

Nmg21us74I New Fork (PID: 6234, Parent: 6230)

Nmg21us74I New Fork (PID: 6236, Parent: 6230)

Nmg21us74I New Fork (PID: 6238, Parent: 6230)

Nmg21us74I New Fork (PID: 6241, Parent: 6230)

Nmg21us74I New Fork (PID: 6250, Parent: 6241)

Nmg21us74I New Fork (PID: 6252, Parent: 6241)

Nmg21us74I New Fork (PID: 6253, Parent: 6241)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Nmg21us74I	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xeb14:$x1: POST /cdn-cgi/ 0xefd0:$s1: LCOGQGPTGP
Nmg21us74I	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xeb14:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
Nmg21us74I	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xeb14:$x1: POST /cdn-cgi/ 0xefd0:$s1: LCOGQGPTGP
6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xeb14:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xeb14:$x1: POST /cdn-cgi/ 0xefd0:$s1: LCOGQGPTGP
6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xeb14:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xeb14:$x1: POST /cdn-cgi/ 0xefd0:$s1: LCOGQGPTGP
6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xeb14:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0xeb14:$x1: POST /cdn-cgi/ 0xefd0:$s1: LCOGQGPTGP
6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0xeb14:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
Click to see the 7 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Nmg21us74I

Avira: detected

Multi AV Scanner detection for submitted file

Source: Nmg21us74I	Virustotal: Detection: 57%			Perma Link
Source: Nmg21us74I	ReversingLabs: Detection: 67%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46570
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46574
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46582
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46590
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46596
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46600
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46602
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46604
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46606
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55188
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55200
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55226
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55230
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55234
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55238
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55240
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55242

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:53692 -> 163.123.143.71:34241

Source: /tmp/Nmg21us74I (PID: 6230)	Socket: 127.0.0.1::42516
Source: /tmp/Nmg21us74I (PID: 6234)	Socket: 0.0.0.0::23
Source: /tmp/Nmg21us74I (PID: 6234)	Socket: 0.0.0.0::0
Source: /tmp/Nmg21us74I (PID: 6234)	Socket: 0.0.0.0::80
Source: /tmp/Nmg21us74I (PID: 6234)	Socket: 0.0.0.0::81
Source: /tmp/Nmg21us74I (PID: 6234)	Socket: 0.0.0.0::8443
Source: /tmp/Nmg21us74I (PID: 6234)	Socket: 0.0.0.0::9009
Source: /tmp/Nmg21us74I (PID: 6250)	Socket: 0.0.0.0::23
Source: /tmp/Nmg21us74I (PID: 6250)	Socket: 0.0.0.0::0
Source: /tmp/Nmg21us74I (PID: 6250)	Socket: 0.0.0.0::80
Source: /tmp/Nmg21us74I (PID: 6250)	Socket: 0.0.0.0::81
Source: /tmp/Nmg21us74I (PID: 6250)	Socket: 0.0.0.0::8443
Source: /tmp/Nmg21us74I (PID: 6250)	Socket: 0.0.0.0::9009

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 247.69.125.15
Source: unknown	TCP traffic detected without corresponding DNS query: 89.62.97.13
Source: unknown	TCP traffic detected without corresponding DNS query: 201.64.150.235
Source: unknown	TCP traffic detected without corresponding DNS query: 99.33.248.85
Source: unknown	TCP traffic detected without corresponding DNS query: 201.133.179.101
Source: unknown	TCP traffic detected without corresponding DNS query: 123.213.193.207
Source: unknown	TCP traffic detected without corresponding DNS query: 1.55.165.112
Source: unknown	TCP traffic detected without corresponding DNS query: 24.220.186.101
Source: unknown	TCP traffic detected without corresponding DNS query: 171.190.215.92
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.179.190
Source: unknown	TCP traffic detected without corresponding DNS query: 68.55.130.165
Source: unknown	TCP traffic detected without corresponding DNS query: 185.134.162.198
Source: unknown	TCP traffic detected without corresponding DNS query: 186.120.206.202
Source: unknown	TCP traffic detected without corresponding DNS query: 77.237.72.112
Source: unknown	TCP traffic detected without corresponding DNS query: 174.100.78.43
Source: unknown	TCP traffic detected without corresponding DNS query: 223.213.17.120
Source: unknown	TCP traffic detected without corresponding DNS query: 115.70.188.226
Source: unknown	TCP traffic detected without corresponding DNS query: 246.88.72.79
Source: unknown	TCP traffic detected without corresponding DNS query: 74.4.255.140
Source: unknown	TCP traffic detected without corresponding DNS query: 102.96.34.54
Source: unknown	TCP traffic detected without corresponding DNS query: 32.126.77.119
Source: unknown	TCP traffic detected without corresponding DNS query: 112.187.57.147
Source: unknown	TCP traffic detected without corresponding DNS query: 203.108.232.50
Source: unknown	TCP traffic detected without corresponding DNS query: 193.38.42.40
Source: unknown	TCP traffic detected without corresponding DNS query: 247.249.136.144
Source: unknown	TCP traffic detected without corresponding DNS query: 92.175.108.39
Source: unknown	TCP traffic detected without corresponding DNS query: 217.67.41.171
Source: unknown	TCP traffic detected without corresponding DNS query: 14.179.207.111
Source: unknown	TCP traffic detected without corresponding DNS query: 40.187.84.210
Source: unknown	TCP traffic detected without corresponding DNS query: 16.28.78.124
Source: unknown	TCP traffic detected without corresponding DNS query: 176.2.125.141
Source: unknown	TCP traffic detected without corresponding DNS query: 46.15.198.202
Source: unknown	TCP traffic detected without corresponding DNS query: 190.75.209.114
Source: unknown	TCP traffic detected without corresponding DNS query: 117.38.60.242
Source: unknown	TCP traffic detected without corresponding DNS query: 167.69.41.250
Source: unknown	TCP traffic detected without corresponding DNS query: 161.24.53.149
Source: unknown	TCP traffic detected without corresponding DNS query: 83.225.24.201
Source: unknown	TCP traffic detected without corresponding DNS query: 176.136.18.174
Source: unknown	TCP traffic detected without corresponding DNS query: 95.2.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 197.117.13.64
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.163.155
Source: unknown	TCP traffic detected without corresponding DNS query: 242.36.164.230
Source: unknown	TCP traffic detected without corresponding DNS query: 186.200.170.6
Source: unknown	TCP traffic detected without corresponding DNS query: 94.33.47.97
Source: unknown	TCP traffic detected without corresponding DNS query: 19.183.144.84
Source: unknown	TCP traffic detected without corresponding DNS query: 142.183.217.180
Source: unknown	TCP traffic detected without corresponding DNS query: 65.118.148.19
Source: unknown	TCP traffic detected without corresponding DNS query: 173.151.241.139

System Summary

Malicious sample detected (through community Yara rule)

Source: Nmg21us74I, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: Nmg21us74I, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: Nmg21us74I, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: Nmg21us74I, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/Nmg21us74I (PID: 6234)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/Nmg21us74I (PID: 6250)	SIGKILL sent: pid: 6234, result: successful
Source: /tmp/Nmg21us74I (PID: 6250)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/Nmg21us74I (PID: 6250)	SIGKILL sent: pid: 759, result: successful

Source: classification engine

Classification label: mal88.troj.evad.lin@0/0@0/0

Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/491/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/793/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/772/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/796/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/774/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/797/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/777/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/799/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/658/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/912/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/759/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/936/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/918/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/1/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/761/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/785/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/884/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/720/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/721/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/788/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/789/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/800/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/801/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/847/fd
Source: /tmp/Nmg21us74I (PID: 6234)	File opened: /proc/904/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6234/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2033/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2033/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1582/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1582/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2275/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2275/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6191/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6191/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/3088/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6190/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6190/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1612/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1612/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1579/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1579/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1699/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1699/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1335/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1335/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1698/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1698/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2028/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2028/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1334/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1334/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1576/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1576/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2302/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2302/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/3236/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/3236/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2025/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2025/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2146/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2146/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/910/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/912/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/912/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/912/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/759/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/759/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/759/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/517/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2307/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2307/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/918/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/918/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/918/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6243/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/6244/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1594/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1594/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2285/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2285/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2281/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2281/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1349/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1349/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1623/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1623/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/761/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/761/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/761/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1622/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1622/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/884/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/884/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/884/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1983/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1983/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2038/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/2038/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1586/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1586/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1465/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1465/exe
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1344/fd
Source: /tmp/Nmg21us74I (PID: 6250)	File opened: /proc/1344/exe

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/Nmg21us74I (PID: 6230)

File: /tmp/Nmg21us74I

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46570
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46574
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46582
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46590
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46596
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46600
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46602
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46604
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46606
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46608
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55188
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55200
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55226
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55230
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55232
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55234
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55238
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55240
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 55242

Source: /tmp/Nmg21us74I (PID: 6230)

Queries kernel information via 'uname':

Source: Nmg21us74I, 6230.1.0000565170586000.00005651706b4000.rw-.sdmp, Nmg21us74I, 6234.1.0000565170586000.00005651706b4000.rw-.sdmp, Nmg21us74I, 6236.1.0000565170586000.00005651706b4000.rw-.sdmp, Nmg21us74I, 6252.1.0000565170586000.00005651706b4000.rw-.sdmp	Binary or memory string: YpQV!/etc/qemu-binfmt/arm
Source: Nmg21us74I, 6230.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp, Nmg21us74I, 6234.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp, Nmg21us74I, 6236.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp, Nmg21us74I, 6252.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp	Binary or memory string: K x86_64/usr/bin/qemu-arm/tmp/Nmg21us74ISUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Nmg21us74I
Source: Nmg21us74I, 6230.1.0000565170586000.00005651706b4000.rw-.sdmp, Nmg21us74I, 6234.1.0000565170586000.00005651706b4000.rw-.sdmp, Nmg21us74I, 6236.1.0000565170586000.00005651706b4000.rw-.sdmp, Nmg21us74I, 6252.1.0000565170586000.00005651706b4000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Nmg21us74I, 6230.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp, Nmg21us74I, 6234.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp, Nmg21us74I, 6236.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp, Nmg21us74I, 6252.1.00007ffdcab61000.00007ffdcab82000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Nmg21us74I, type: SAMPLE
Source: Yara match	File source: 6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Nmg21us74I, type: SAMPLE
Source: Yara match	File source: 6234.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6230.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6252.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6236.1.00007f86f4017000.00007f86f4027000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Nmg21us74I	58%	Virustotal		Browse
Nmg21us74I	68%	ReversingLabs	Linux.Trojan.Mirai
Nmg21us74I	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
105.22.224.11	unknown	Mauritius	37100	SEACOM-ASMU	false
245.116.1.135	unknown	Reserved	unknown	unknown	false
222.233.103.170	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
246.9.2.21	unknown	Reserved	unknown	unknown	false
157.3.239.204	unknown	Japan	7671	MCNETNTTSmartConnectCorporationJP	false
108.178.45.135	unknown	United States	32475	SINGLEHOP-LLCUS	false
18.229.102.137	unknown	United States	16509	AMAZON-02US	false
32.160.66.218	unknown	United States	2686	ATGS-MMD-ASUS	false
53.16.36.106	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
76.28.59.66	unknown	United States	7922	COMCAST-7922US	false
121.92.158.157	unknown	Japan	2510	INFOWEBFUJITSULIMITEDJP	false
223.201.67.26	unknown	China	4782	GSNETDataCommunicationBusinessGroupTW	false
246.109.35.181	unknown	Reserved	unknown	unknown	false
141.52.191.37	unknown	Germany	34878	KITKarlsruheInstituteofTechnologyDE	false
77.69.178.110	unknown	Bahrain	5416	InternetServiceProviderBH	false
133.192.104.39	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
32.48.63.177	unknown	United States	7018	ATT-INTERNET4US	false
75.36.168.76	unknown	United States	7018	ATT-INTERNET4US	false
100.173.129.169	unknown	United States	21928	T-MOBILE-AS21928US	false
141.227.0.199	unknown	France	21070	TOTALFR	false
120.169.246.82	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
209.92.249.69	unknown	United States	7029	WINDSTREAMUS	false
54.140.144.36	unknown	United States	14618	AMAZON-AESUS	false
111.231.40.22	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
254.106.28.224	unknown	Reserved	unknown	unknown	false
166.117.52.131	unknown	United States	58681	NSWPOLSERV-AS-APNewSouthWalesPoliceAU	false
196.135.11.103	unknown	Egypt	36935	Vodafone-EG	false
104.80.152.99	unknown	United States	16625	AKAMAI-ASUS	false
98.173.208.29	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
179.53.118.76	unknown	Dominican Republic	6400	CompaniaDominicanadeTelefonosSADO	false
90.192.140.251	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
16.11.95.214	unknown	United States	unknown	unknown	false
186.178.15.174	unknown	Ecuador	28006	CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC	false
13.71.171.245	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
94.146.159.116	unknown	Denmark	9158	TELENOR_DANMARK_ASDK	false
118.150.116.140	unknown	Taiwan; Republic of China (ROC)	18419	DADA-AS-TWDaDaBroadbandLTDTW	false
170.131.82.35	unknown	United States	13954	STAPLESUS	false
89.248.107.35	unknown	Spain	48348	CLOUDBUILDERSES	false
197.53.119.202	unknown	Egypt	8452	TE-ASTE-ASEG	false
57.5.138.225	unknown	Belgium	2686	ATGS-MMD-ASUS	false
191.153.57.180	unknown	Colombia	26611	COMCELSACO	false
93.123.76.73	unknown	Bulgaria	43561	NET1-ASBG	false
208.41.137.69	unknown	United States	4565	MEGAPATH2-US	false
197.161.195.3	unknown	Egypt	24863	LINKdotNET-ASEG	false
220.65.188.96	unknown	Korea Republic of	9316	DACOM-PUBNETPLUS-AS-KRDACOM-PUBNETPLUSKR	false
81.211.32.43	unknown	Russian Federation	3216	SOVAM-ASRU	false
117.142.30.125	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
203.54.162.175	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
88.125.239.228	unknown	France	12322	PROXADFR	false
210.84.92.204	unknown	Australia	703	UUNETUS	false
73.233.169.114	unknown	United States	7922	COMCAST-7922US	false
51.14.10.117	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
124.28.140.227	unknown	Korea Republic of	23578	NAMDONGNET-AS-KRTBROADSaeromNamdongSeohaebroadcastingKR	false
162.119.15.38	unknown	United States	3379	KAISER-NCALUS	false
185.41.237.242	unknown	Belgium	199942	CHEOPSBE	false
45.1.177.213	unknown	United States	7377	UCSDUS	false
43.110.214.123	unknown	Japan	4249	LILLY-ASUS	false
14.245.235.120	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
111.208.128.52	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
72.137.191.183	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
160.39.196.228	unknown	United States	14	COLUMBIA-GWUS	false
181.104.155.22	unknown	Argentina	6147	TelefonicadelPeruSAAPE	false
82.221.170.8	unknown	Iceland	30818	IS-ADVANIA-TRANSITIS	false
66.141.134.12	unknown	United States	7018	ATT-INTERNET4US	false
121.137.201.237	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
172.7.251.188	unknown	United States	7018	ATT-INTERNET4US	false
252.163.150.243	unknown	Reserved	unknown	unknown	false
122.114.141.69	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
153.161.19.176	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
124.94.70.87	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
75.50.159.107	unknown	United States	7018	ATT-INTERNET4US	false
162.5.54.167	unknown	United States	33348	PIERCE-COUNTYUS	false
201.68.106.106	unknown	Brazil	27699	TELEFONICABRASILSABR	false
44.78.82.191	unknown	United States	7377	UCSDUS	false
67.0.96.13	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
244.53.184.180	unknown	Reserved	unknown	unknown	false
151.168.66.12	unknown	United States	45025	EDN-ASUA	false
112.107.186.81	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
145.22.219.194	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
61.230.253.244	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
35.25.130.31	unknown	United States	36375	UMICH-AS-5US	false
72.155.239.236	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
87.203.200.222	unknown	Greece	6799	OTENET-GRAthens-GreeceGR	false
69.234.250.41	unknown	China	7018	ATT-INTERNET4US	false
36.96.13.140	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
9.215.94.18	unknown	United States	3356	LEVEL3US	false
213.121.90.101	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
152.50.33.117	unknown	United States	81	NCRENUS	false
194.194.0.57	unknown	European Union	2686	ATGS-MMD-ASUS	false
243.144.161.246	unknown	Reserved	unknown	unknown	false
159.86.109.59	unknown	United Kingdom	1945	FR-LYRESLyonRechercheetEnseignementSuperieurLyRESE	false
75.10.61.95	unknown	United States	7018	ATT-INTERNET4US	false
113.20.55.68	unknown	New Caledonia	45461	TELENET-AS-APTeleNetNC	false
117.71.137.154	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
182.9.51.16	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
93.56.245.69	unknown	Italy	12874	FASTWEBIT	false
24.75.110.232	unknown	United States	3356	LEVEL3US	false
121.45.181.169	unknown	Australia	4739	INTERNODE-ASInternodePtyLtdAU	false
112.167.3.3	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
197.204.101.39	unknown	Algeria	36947	ALGTEL-ASDZ	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.056530017553513
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Nmg21us74I
File size:	63948
MD5:	01ec15a16805e0b57d0ef42097dca5ec
SHA1:	d9ea867164e9ad0c1901b85c8f18174743e1a0b4
SHA256:	a3946c00d0daf54a7e99a22e731dbc7977936ef6c9591dd0ae2a45632626b357
SHA512:	d00a10fb66a353b990d03e0493b049f922b3c736ccfb88e40b4da84a398a48c99b2115f5eb2185ebf08bb062511927db0003ad567859ab47d2c25816eba28912
SSDEEP:	768:zHnEczUZv4tZy6hQfyjXI8CMRxYVsx/DeiZvspz1Y3W7wCVy/Jx+5H8hG1rmCd/4:rEFZEZyjyj48NCiZvsphYceZWTMWCBW
TLSH:	D453F8827D81AA16C7C05777FE1F018D3319A798E0EA73438C191BA17ACED1F0D6B65A
File Content Preview:	.ELF...a..........(.........4...<.......4. ...(.....................................................,...............Q.td..................................-...L."....:..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	63548
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xea50	0x0	0x6	AX	16
.fini	PROGBITS	0x16b00	0xeb00	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x16b14	0xeb14	0xab8	0x0	0x2	A	4
.ctors	PROGBITS	0x1f5d0	0xf5d0	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1f5d8	0xf5d8	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1f5e4	0xf5e4	0x218	0x0	0x3	WA	4
.bss	NOBITS	0x1f7fc	0xf7fc	0x578	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xf7fc	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xf5cc	0xf5cc	6.0810	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0xf5d0	0x1f5d0	0x1f5d0	0x22c	0x7a4	2.9355	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 22:23:04.812733889 CEST	42836	443	192.168.2.23	91.189.91.43
Aug 5, 2022 22:23:05.068660021 CEST	42516	80	192.168.2.23	109.202.202.202
Aug 5, 2022 22:23:08.000996113 CEST	33775	23	192.168.2.23	247.69.125.15
Aug 5, 2022 22:23:08.001143932 CEST	33775	23	192.168.2.23	89.62.97.13
Aug 5, 2022 22:23:08.001148939 CEST	33775	23	192.168.2.23	201.64.150.235
Aug 5, 2022 22:23:08.001164913 CEST	33775	23	192.168.2.23	99.33.248.85
Aug 5, 2022 22:23:08.001185894 CEST	33775	23	192.168.2.23	201.133.179.101
Aug 5, 2022 22:23:08.001262903 CEST	33775	23	192.168.2.23	123.213.193.207
Aug 5, 2022 22:23:08.001267910 CEST	33775	23	192.168.2.23	1.55.165.112
Aug 5, 2022 22:23:08.001277924 CEST	33775	23	192.168.2.23	24.220.186.101
Aug 5, 2022 22:23:08.001302004 CEST	33775	23	192.168.2.23	171.190.215.92
Aug 5, 2022 22:23:08.001327038 CEST	33775	23	192.168.2.23	74.219.179.190
Aug 5, 2022 22:23:08.001328945 CEST	33775	23	192.168.2.23	68.55.130.165
Aug 5, 2022 22:23:08.001338959 CEST	33775	23	192.168.2.23	185.134.162.198
Aug 5, 2022 22:23:08.001343966 CEST	33775	23	192.168.2.23	186.120.206.202
Aug 5, 2022 22:23:08.001388073 CEST	33775	23	192.168.2.23	77.237.72.112
Aug 5, 2022 22:23:08.001415968 CEST	33775	23	192.168.2.23	174.100.78.43
Aug 5, 2022 22:23:08.001435041 CEST	33775	23	192.168.2.23	223.213.17.120
Aug 5, 2022 22:23:08.001441002 CEST	33775	23	192.168.2.23	115.70.188.226
Aug 5, 2022 22:23:08.001473904 CEST	33775	23	192.168.2.23	246.88.72.79
Aug 5, 2022 22:23:08.001493931 CEST	33775	23	192.168.2.23	74.4.255.140
Aug 5, 2022 22:23:08.001499891 CEST	33775	23	192.168.2.23	102.96.34.54
Aug 5, 2022 22:23:08.001516104 CEST	33775	23	192.168.2.23	32.126.77.119
Aug 5, 2022 22:23:08.001543999 CEST	33775	23	192.168.2.23	112.187.57.147
Aug 5, 2022 22:23:08.001579046 CEST	33775	23	192.168.2.23	203.108.232.50
Aug 5, 2022 22:23:08.001606941 CEST	33775	23	192.168.2.23	193.38.42.40
Aug 5, 2022 22:23:08.001655102 CEST	33775	23	192.168.2.23	247.249.136.144
Aug 5, 2022 22:23:08.001668930 CEST	33775	23	192.168.2.23	92.175.108.39
Aug 5, 2022 22:23:08.001677990 CEST	33775	23	192.168.2.23	217.67.41.171
Aug 5, 2022 22:23:08.001705885 CEST	33775	23	192.168.2.23	14.179.207.111
Aug 5, 2022 22:23:08.001739979 CEST	33775	23	192.168.2.23	40.187.84.210
Aug 5, 2022 22:23:08.002356052 CEST	33775	23	192.168.2.23	16.28.78.124
Aug 5, 2022 22:23:08.002379894 CEST	33775	23	192.168.2.23	176.2.125.141
Aug 5, 2022 22:23:08.002427101 CEST	33775	23	192.168.2.23	46.15.198.202
Aug 5, 2022 22:23:08.002443075 CEST	33775	23	192.168.2.23	190.75.209.114
Aug 5, 2022 22:23:08.004472017 CEST	33775	23	192.168.2.23	117.38.60.242
Aug 5, 2022 22:23:08.004477024 CEST	33775	23	192.168.2.23	167.69.41.250
Aug 5, 2022 22:23:08.004506111 CEST	33775	23	192.168.2.23	161.24.53.149
Aug 5, 2022 22:23:08.004513025 CEST	33775	23	192.168.2.23	83.225.24.201
Aug 5, 2022 22:23:08.004525900 CEST	33775	23	192.168.2.23	176.136.18.174
Aug 5, 2022 22:23:08.004544020 CEST	33775	23	192.168.2.23	59.246.10.175
Aug 5, 2022 22:23:08.004587889 CEST	33775	23	192.168.2.23	95.2.3.253
Aug 5, 2022 22:23:08.004616976 CEST	33775	23	192.168.2.23	197.117.13.64
Aug 5, 2022 22:23:08.004616022 CEST	33775	23	192.168.2.23	193.219.10.16
Aug 5, 2022 22:23:08.004647970 CEST	33775	23	192.168.2.23	255.10.234.164
Aug 5, 2022 22:23:08.004654884 CEST	33775	23	192.168.2.23	117.20.163.155
Aug 5, 2022 22:23:08.004657984 CEST	33775	23	192.168.2.23	242.36.164.230
Aug 5, 2022 22:23:08.004687071 CEST	33775	23	192.168.2.23	186.200.170.6
Aug 5, 2022 22:23:08.004698038 CEST	33775	23	192.168.2.23	94.33.47.97
Aug 5, 2022 22:23:08.004736900 CEST	33775	23	192.168.2.23	19.183.144.84
Aug 5, 2022 22:23:08.004743099 CEST	33775	23	192.168.2.23	142.183.217.180
Aug 5, 2022 22:23:08.004750013 CEST	33775	23	192.168.2.23	65.118.148.19
Aug 5, 2022 22:23:08.004770041 CEST	33775	23	192.168.2.23	173.151.241.139
Aug 5, 2022 22:23:08.004774094 CEST	33775	23	192.168.2.23	69.168.167.79
Aug 5, 2022 22:23:08.004775047 CEST	33775	23	192.168.2.23	176.139.44.160
Aug 5, 2022 22:23:08.004789114 CEST	33775	23	192.168.2.23	149.192.46.215
Aug 5, 2022 22:23:08.004796028 CEST	33775	23	192.168.2.23	175.242.2.141
Aug 5, 2022 22:23:08.004805088 CEST	33775	23	192.168.2.23	8.46.145.43
Aug 5, 2022 22:23:08.004832029 CEST	33775	23	192.168.2.23	71.185.19.208
Aug 5, 2022 22:23:08.004858017 CEST	33775	23	192.168.2.23	246.93.180.34
Aug 5, 2022 22:23:08.004869938 CEST	33775	23	192.168.2.23	142.154.105.13
Aug 5, 2022 22:23:08.004884958 CEST	33775	23	192.168.2.23	243.229.146.92
Aug 5, 2022 22:23:08.004884958 CEST	33775	23	192.168.2.23	114.122.111.179
Aug 5, 2022 22:23:08.004911900 CEST	33775	23	192.168.2.23	44.60.110.162
Aug 5, 2022 22:23:08.004924059 CEST	33775	23	192.168.2.23	249.64.13.200
Aug 5, 2022 22:23:08.004990101 CEST	33775	23	192.168.2.23	23.16.247.61
Aug 5, 2022 22:23:08.005002975 CEST	33775	23	192.168.2.23	135.33.19.64
Aug 5, 2022 22:23:08.005023003 CEST	33775	23	192.168.2.23	14.138.57.47
Aug 5, 2022 22:23:08.005029917 CEST	33775	23	192.168.2.23	116.101.219.134
Aug 5, 2022 22:23:08.005039930 CEST	33775	23	192.168.2.23	111.36.109.149
Aug 5, 2022 22:23:08.005073071 CEST	33775	23	192.168.2.23	148.142.140.111
Aug 5, 2022 22:23:08.005088091 CEST	33775	23	192.168.2.23	249.144.151.180
Aug 5, 2022 22:23:08.005100965 CEST	33775	23	192.168.2.23	186.78.38.128
Aug 5, 2022 22:23:08.005111933 CEST	33775	23	192.168.2.23	67.255.197.100
Aug 5, 2022 22:23:08.005132914 CEST	33775	23	192.168.2.23	93.217.14.95
Aug 5, 2022 22:23:08.005153894 CEST	33775	23	192.168.2.23	243.167.218.87
Aug 5, 2022 22:23:08.005162954 CEST	33775	23	192.168.2.23	66.89.19.137
Aug 5, 2022 22:23:08.005170107 CEST	33775	23	192.168.2.23	196.170.83.100
Aug 5, 2022 22:23:08.005192995 CEST	33775	23	192.168.2.23	99.63.243.34
Aug 5, 2022 22:23:08.005225897 CEST	33775	23	192.168.2.23	93.246.24.158
Aug 5, 2022 22:23:08.005237103 CEST	33775	23	192.168.2.23	208.57.43.157
Aug 5, 2022 22:23:08.005249977 CEST	33775	23	192.168.2.23	72.254.89.34
Aug 5, 2022 22:23:08.005268097 CEST	33775	23	192.168.2.23	131.253.49.46
Aug 5, 2022 22:23:08.005280972 CEST	33775	23	192.168.2.23	193.105.74.102
Aug 5, 2022 22:23:08.005290985 CEST	33775	23	192.168.2.23	122.251.67.178
Aug 5, 2022 22:23:08.005294085 CEST	33775	23	192.168.2.23	64.56.252.111
Aug 5, 2022 22:23:08.005306005 CEST	33775	23	192.168.2.23	200.187.16.47
Aug 5, 2022 22:23:08.005346060 CEST	33775	23	192.168.2.23	158.93.232.145
Aug 5, 2022 22:23:08.005358934 CEST	33775	23	192.168.2.23	201.110.197.145
Aug 5, 2022 22:23:08.005377054 CEST	33775	23	192.168.2.23	111.116.87.159
Aug 5, 2022 22:23:08.005379915 CEST	33775	23	192.168.2.23	12.142.42.20
Aug 5, 2022 22:23:08.005382061 CEST	33775	23	192.168.2.23	117.43.104.140
Aug 5, 2022 22:23:08.005394936 CEST	33775	23	192.168.2.23	90.237.150.122
Aug 5, 2022 22:23:08.005400896 CEST	33775	23	192.168.2.23	174.192.134.47
Aug 5, 2022 22:23:08.005407095 CEST	33775	23	192.168.2.23	12.119.98.186
Aug 5, 2022 22:23:08.005415916 CEST	33775	23	192.168.2.23	40.241.249.249
Aug 5, 2022 22:23:08.005466938 CEST	33775	23	192.168.2.23	147.123.207.193
Aug 5, 2022 22:23:08.005481005 CEST	33775	23	192.168.2.23	243.57.229.9
Aug 5, 2022 22:23:08.005502939 CEST	33775	23	192.168.2.23	46.36.212.62
Aug 5, 2022 22:23:08.005508900 CEST	33775	23	192.168.2.23	53.250.143.203

System Behavior

Analysis Process: Nmg21us74I PID: 6230, Parent PID: 6123

General

Start time:	22:23:04
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	/tmp/Nmg21us74I
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6234, Parent PID: 6230

General

Start time:	22:23:07
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6236, Parent PID: 6230

General

Start time:	22:23:07
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6238, Parent PID: 6230

General

Start time:	22:23:07
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6241, Parent PID: 6230

General

Start time:	22:23:07
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6250, Parent PID: 6241

General

Start time:	22:23:14
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6252, Parent PID: 6241

General

Start time:	22:23:14
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: Nmg21us74I PID: 6253, Parent PID: 6241

General

Start time:	22:23:14
Start date:	05/08/2022
Path:	/tmp/Nmg21us74I
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Nmg21us74I

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Nmg21us74I PID: 6230, Parent PID: 6123

General

Analysis Process: Nmg21us74I PID: 6234, Parent PID: 6230

General

Analysis Process: Nmg21us74I PID: 6236, Parent PID: 6230

General

Analysis Process: Nmg21us74I PID: 6238, Parent PID: 6230

General

Analysis Process: Nmg21us74I PID: 6241, Parent PID: 6230

General

Analysis Process: Nmg21us74I PID: 6250, Parent PID: 6241

General

Analysis Process: Nmg21us74I PID: 6252, Parent PID: 6241

General

Analysis Process: Nmg21us74I PID: 6253, Parent PID: 6241

General

Linux Analysis Report
Nmg21us74I