Edit tour

Linux Analysis Report
LxfGfOr9r6

Overview

General Information

Sample Name:	LxfGfOr9r6
Analysis ID:	679618
MD5:	a6a6579914345f3a3f6aa3663ee67e11
SHA1:	9b7656bb68fc7b06169e59644b3fb90d80a641f9
SHA256:	8f0bc7d0a706edd460cde7cdb729814412e45b9e1c9344fba7e7eca9f1bce528
Tags:	32elfmiraimotorola
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679618
Start date and time: 06/08/202206:38:12	2022-08-06 06:38:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	LxfGfOr9r6
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.troj.lin@0/0@48/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/LxfGfOr9r6
PID:	6228
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

LxfGfOr9r6 (PID: 6228, Parent: 6125, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/LxfGfOr9r6

LxfGfOr9r6 New Fork (PID: 6230, Parent: 6228)

LxfGfOr9r6 New Fork (PID: 6231, Parent: 6228)

LxfGfOr9r6 New Fork (PID: 6232, Parent: 6228)

LxfGfOr9r6 New Fork (PID: 6234, Parent: 6228)

LxfGfOr9r6 New Fork (PID: 6239, Parent: 6234)

LxfGfOr9r6 New Fork (PID: 6328, Parent: 6239)

LxfGfOr9r6 New Fork (PID: 6240, Parent: 6234)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LxfGfOr9r6	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6240.1.00007f097c001000.00007f097c018000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6228.1.00007f097c001000.00007f097c018000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6328.1.00007f097c001000.00007f097c018000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: LxfGfOr9r6

Virustotal: Detection: 50%

Perma Link

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312

Source: /tmp/LxfGfOr9r6 (PID: 6228)	Socket: 127.0.0.1::1312
Source: /tmp/LxfGfOr9r6 (PID: 6239)	Socket: 0.0.0.0::0

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 182.212.162.196
Source: unknown	TCP traffic detected without corresponding DNS query: 170.70.176.196
Source: unknown	TCP traffic detected without corresponding DNS query: 184.208.52.196
Source: unknown	TCP traffic detected without corresponding DNS query: 149.122.148.189
Source: unknown	TCP traffic detected without corresponding DNS query: 119.237.15.53
Source: unknown	TCP traffic detected without corresponding DNS query: 18.90.116.15
Source: unknown	TCP traffic detected without corresponding DNS query: 125.255.186.227
Source: unknown	TCP traffic detected without corresponding DNS query: 69.237.77.192
Source: unknown	TCP traffic detected without corresponding DNS query: 220.254.218.102
Source: unknown	TCP traffic detected without corresponding DNS query: 79.153.238.131
Source: unknown	TCP traffic detected without corresponding DNS query: 57.12.238.183
Source: unknown	TCP traffic detected without corresponding DNS query: 106.81.138.170
Source: unknown	TCP traffic detected without corresponding DNS query: 158.192.89.15
Source: unknown	TCP traffic detected without corresponding DNS query: 179.142.233.52
Source: unknown	TCP traffic detected without corresponding DNS query: 99.33.131.140
Source: unknown	TCP traffic detected without corresponding DNS query: 198.24.228.208
Source: unknown	TCP traffic detected without corresponding DNS query: 66.153.92.242
Source: unknown	TCP traffic detected without corresponding DNS query: 117.81.234.178
Source: unknown	TCP traffic detected without corresponding DNS query: 112.30.58.202
Source: unknown	TCP traffic detected without corresponding DNS query: 114.40.120.20
Source: unknown	TCP traffic detected without corresponding DNS query: 72.174.97.188
Source: unknown	TCP traffic detected without corresponding DNS query: 19.232.112.198
Source: unknown	TCP traffic detected without corresponding DNS query: 113.25.4.238
Source: unknown	TCP traffic detected without corresponding DNS query: 14.7.53.190
Source: unknown	TCP traffic detected without corresponding DNS query: 23.16.231.136
Source: unknown	TCP traffic detected without corresponding DNS query: 86.136.66.37
Source: unknown	TCP traffic detected without corresponding DNS query: 192.136.184.43
Source: unknown	TCP traffic detected without corresponding DNS query: 190.128.142.230
Source: unknown	TCP traffic detected without corresponding DNS query: 72.166.196.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.108.89.34
Source: unknown	TCP traffic detected without corresponding DNS query: 169.63.92.163
Source: unknown	TCP traffic detected without corresponding DNS query: 117.190.206.254
Source: unknown	TCP traffic detected without corresponding DNS query: 183.122.155.210
Source: unknown	TCP traffic detected without corresponding DNS query: 193.167.89.128
Source: unknown	TCP traffic detected without corresponding DNS query: 80.207.188.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.158.142.250
Source: unknown	TCP traffic detected without corresponding DNS query: 167.139.113.59
Source: unknown	TCP traffic detected without corresponding DNS query: 74.142.140.23
Source: unknown	TCP traffic detected without corresponding DNS query: 249.93.172.43
Source: unknown	TCP traffic detected without corresponding DNS query: 146.106.136.12
Source: unknown	TCP traffic detected without corresponding DNS query: 103.29.222.19
Source: unknown	TCP traffic detected without corresponding DNS query: 78.117.198.49
Source: unknown	TCP traffic detected without corresponding DNS query: 77.37.118.145
Source: unknown	TCP traffic detected without corresponding DNS query: 179.133.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 203.56.127.2
Source: unknown	TCP traffic detected without corresponding DNS query: 46.88.253.194
Source: unknown	TCP traffic detected without corresponding DNS query: 2.133.14.183
Source: unknown	TCP traffic detected without corresponding DNS query: 251.217.142.17
Source: unknown	TCP traffic detected without corresponding DNS query: 96.72.106.135
Source: unknown	TCP traffic detected without corresponding DNS query: 241.165.134.90

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/LxfGfOr9r6 (PID: 6239)

SIGKILL sent: pid: 936, result: successful

Source: Initial sample	String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample	String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: >>retrieve/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'

Source: classification engine

Classification label: mal64.troj.lin@0/0@48/0

Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/491/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/793/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/772/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/796/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/774/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/797/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/777/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/799/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/658/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/912/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/759/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/936/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/918/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/1/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/761/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/785/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/884/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/720/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/721/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/788/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/789/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/800/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/801/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/847/fd
Source: /tmp/LxfGfOr9r6 (PID: 6239)	File opened: /proc/904/fd

Source: /tmp/LxfGfOr9r6 (PID: 6228)

Queries kernel information via 'uname':

Source: LxfGfOr9r6, 6228.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6328.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6240.1.00005576c4867000.00005576c48ec000.rw-.sdmp	Binary or memory string: vU!/etc/qemu-binfmt/m68k
Source: LxfGfOr9r6, 6228.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6328.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6240.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: LxfGfOr9r6, 6228.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6328.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp, LxfGfOr9r6, 6240.1.00007ffe5901f000.00007ffe59040000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/LxfGfOr9r6SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/LxfGfOr9r6
Source: LxfGfOr9r6, 6228.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6328.1.00005576c4867000.00005576c48ec000.rw-.sdmp, LxfGfOr9r6, 6240.1.00005576c4867000.00005576c48ec000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: LxfGfOr9r6, type: SAMPLE
Source: Yara match	File source: 6240.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6228.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6328.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: LxfGfOr9r6, type: SAMPLE
Source: Yara match	File source: 6240.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6228.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6328.1.00007f097c001000.00007f097c018000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LxfGfOr9r6	51%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	12%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	46.23.109.40	true	true	12%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
24.248.177.23	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
59.1.141.13	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
46.34.150.41	unknown	Russian Federation	8492	OBIT-ASOBITLtdRU	false
76.227.143.237	unknown	United States	7018	ATT-INTERNET4US	false
38.217.51.210	unknown	United States	174	COGENT-174US	false
152.71.209.240	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
244.75.164.126	unknown	Reserved	unknown	unknown	false
98.10.210.66	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
77.11.97.25	unknown	Germany	6805	TDDE-ASN1DE	false
141.126.207.100	unknown	United States	20115	CHARTER-20115US	false
154.165.199.187	unknown	Ghana	30986	SCANCOMGH	false
157.91.221.217	unknown	United States	1767	ILIGHT-NETUS	false
177.110.235.117	unknown	Brazil	26615	TIMSABR	false
69.131.200.183	unknown	United States	4181	TDS-ASUS	false
125.184.32.102	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
83.109.79.253	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
182.67.111.205	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
191.160.203.230	unknown	Brazil	26615	TIMSABR	false
156.97.115.154	unknown	Chile	16629	CTCCORPSATELEFONICAEMPRESASCL	false
209.216.88.25	unknown	United States	22549	TBDSL-01US	false
75.84.125.27	unknown	United States	20001	TWC-20001-PACWESTUS	false
201.239.99.189	unknown	Chile	22047	VTRBANDAANCHASACL	false
147.189.118.50	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
109.84.171.197	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
149.210.216.115	unknown	Netherlands	20857	TRANSIP-ASAmsterdamtheNetherlandsNL	false
209.195.34.30	unknown	United States	6597	CBDC-6597US	false
53.47.79.45	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
61.106.75.80	unknown	Korea Republic of	9943	KNCTV-ASKangNamCableTVKR	false
136.96.77.194	unknown	United States	60311	ONEFMCH	false
152.31.80.223	unknown	United States	6559	NCIHUS	false
143.2.114.89	unknown	United States	11003	PANDGUS	false
141.47.146.196	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
207.1.98.117	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
207.114.244.71	unknown	United States	15292	LIFESIZEUS	false
19.130.7.95	unknown	United States	3	MIT-GATEWAYSUS	false
82.186.137.172	unknown	Italy	3269	ASN-IBSNAZIT	false
31.85.38.42	unknown	United Kingdom	12576	EELtdGB	false
88.228.3.243	unknown	Turkey	9121	TTNETTR	false
98.53.252.212	unknown	United States	7922	COMCAST-7922US	false
177.124.101.190	unknown	Brazil	52617	WFCOMERCIODESUPRIMENTOSDEINFORMATICALTDABR	false
86.251.252.121	unknown	France	3215	FranceTelecom-OrangeFR	false
136.45.143.121	unknown	United States	16591	GOOGLE-FIBERUS	false
123.128.154.45	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
159.51.229.159	unknown	Germany	20561	AS20561-INADE	false
118.235.135.111	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
188.199.66.32	unknown	Slovenia	5603	SIOL-NETTelekomSlovenijeddSI	false
19.237.174.84	unknown	United States	3	MIT-GATEWAYSUS	false
13.225.136.141	unknown	United States	16509	AMAZON-02US	false
255.219.101.59	unknown	Reserved	unknown	unknown	false
42.64.126.222	unknown	Taiwan; Republic of China (ROC)	4249	LILLY-ASUS	false
9.165.62.165	unknown	United States	3356	LEVEL3US	false
221.182.222.246	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
12.194.48.32	unknown	United States	8030	WORLDNET5-10US	false
161.51.227.255	unknown	United States	16525	KBRUS	false
1.96.96.196	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
99.227.190.159	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
46.103.57.45	unknown	Greece	3329	HOL-GRAthensGreeceGR	false
116.5.97.26	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
88.89.170.32	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
69.203.119.147	unknown	United States	12271	TWC-12271-NYCUS	false
17.200.5.128	unknown	United States	714	APPLE-ENGINEERINGUS	false
104.119.246.22	unknown	United States	16625	AKAMAI-ASUS	false
193.128.174.108	unknown	United Kingdom	702	UUNETUS	false
182.20.170.123	unknown	Japan	10010	TOKAITOKAICommunicationsCorporationJP	false
128.8.55.84	unknown	United States	27	UMDNETUS	false
194.23.108.6	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
173.11.223.22	unknown	United States	7922	COMCAST-7922US	false
135.43.26.41	unknown	United States	8030	WORLDNET5-10US	false
199.30.171.213	unknown	United States	13337	EVWI-NET-01US	false
23.219.94.244	unknown	United States	16625	AKAMAI-ASUS	false
205.164.254.239	unknown	United States	174	COGENT-174US	false
1.190.106.84	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
198.163.126.0	unknown	Canada	53443	CITY-OF-WINNIPEGCA	false
46.152.198.116	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
95.44.121.65	unknown	Ireland	5466	EIRCOMInternetHouseIE	false
219.242.193.99	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
170.92.57.104	unknown	United States	16595	TOROUS	false
223.211.122.194	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
176.237.112.153	unknown	Turkey	16135	TURKCELL-ASTurkcellASTR	false
63.20.97.235	unknown	United States	701	UUNETUS	false
181.210.230.135	unknown	Honduras	7727	HondutelHN	false
92.48.31.65	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
92.128.153.129	unknown	France	3215	FranceTelecom-OrangeFR	false
223.34.72.151	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
99.119.115.88	unknown	United States	7018	ATT-INTERNET4US	false
193.227.223.120	unknown	Poland	12966	PolskieLinieLotniczeLOTPL	false
247.76.179.180	unknown	Reserved	unknown	unknown	false
78.52.46.188	unknown	Germany	6805	TDDE-ASN1DE	false
114.240.17.20	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
140.235.31.103	unknown	Reserved	6932	EBSCOPUBUS	false
101.160.35.91	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
208.217.74.14	unknown	United States	701	UUNETUS	false
161.69.90.38	unknown	United States	7754	MCAFEEUS	false
247.134.43.201	unknown	Reserved	unknown	unknown	false
141.79.232.208	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
220.167.243.17	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
158.225.179.58	unknown	Germany	702	UUNETUS	false
188.163.235.142	unknown	Ukraine	15895	KSNET-ASUA	false
104.36.207.50	unknown	United States	1640	TGTELUS	false
98.10.209.44	unknown	United States	11351	TWC-11351-NORTHEASTUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.376536609867213
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	LxfGfOr9r6
File size:	92692
MD5:	a6a6579914345f3a3f6aa3663ee67e11
SHA1:	9b7656bb68fc7b06169e59644b3fb90d80a641f9
SHA256:	8f0bc7d0a706edd460cde7cdb729814412e45b9e1c9344fba7e7eca9f1bce528
SHA512:	439a63097e60c41d599568c6ab6974fb3a889b09cf6356e81405886ee6a34c49502a5c6bd12b0675bb429ea8b6a95690b581e804da95330cb8f474fb1169d89c
SSDEEP:	1536:fovGApny8PGNrq0Arhc2TppCal8tayo3i/o/C1x2bPSlbc411YyK8:fovFpy868tNpCapooK1s14bzK8
TLSH:	02935CC6BC00DD3CF84BD77A44630E09B231A3540A531B377A66FE93BD671E469A2E49
File Content Preview:	.ELF.......................D...4..h......4. ...(......................a...a....... .......a4...4...4......2\|...... .dt.Q............................NV..a....da...@.N^NuNV..J9...Df>"y...L QJ.g.X.#....LN."y...L QJ.f.A.....J.g.Hy..a0N.X........DN^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	92292
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x1403e	0x0	0x6	AX	4
.fini	PROGBITS	0x800140e6	0x140e6	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x800140f4	0x140f4	0x203a	0x0	0x2	A	2
.ctors	PROGBITS	0x80018134	0x16134	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8001813c	0x1613c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x80018148	0x16148	0x6fc	0x0	0x3	WA	4
.bss	NOBITS	0x80018844	0x16844	0x2b6c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x16844	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x1612e	0x1612e	6.3953	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x16134	0x80018134	0x80018134	0x710	0x327c	4.5537	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 06:38:57.955658913 CEST	36487	23	192.168.2.23	182.212.162.196
Aug 6, 2022 06:38:57.955697060 CEST	36487	23	192.168.2.23	170.70.176.196
Aug 6, 2022 06:38:57.955707073 CEST	36487	23	192.168.2.23	184.208.52.196
Aug 6, 2022 06:38:57.955715895 CEST	36487	23	192.168.2.23	149.122.148.189
Aug 6, 2022 06:38:57.955782890 CEST	36487	23	192.168.2.23	119.237.15.53
Aug 6, 2022 06:38:57.955781937 CEST	36487	23	192.168.2.23	18.90.116.15
Aug 6, 2022 06:38:57.955785036 CEST	36487	23	192.168.2.23	125.255.186.227
Aug 6, 2022 06:38:57.955781937 CEST	36487	23	192.168.2.23	69.237.77.192
Aug 6, 2022 06:38:57.955795050 CEST	36487	23	192.168.2.23	220.254.218.102
Aug 6, 2022 06:38:57.955835104 CEST	36487	23	192.168.2.23	79.153.238.131
Aug 6, 2022 06:38:57.955837011 CEST	36487	23	192.168.2.23	57.12.238.183
Aug 6, 2022 06:38:57.958296061 CEST	36487	23	192.168.2.23	106.81.138.170
Aug 6, 2022 06:38:57.958300114 CEST	36487	23	192.168.2.23	158.192.89.15
Aug 6, 2022 06:38:57.958308935 CEST	36487	23	192.168.2.23	179.142.233.52
Aug 6, 2022 06:38:57.958348989 CEST	36487	23	192.168.2.23	99.33.131.140
Aug 6, 2022 06:38:57.958355904 CEST	36487	23	192.168.2.23	198.24.228.208
Aug 6, 2022 06:38:57.958357096 CEST	36487	23	192.168.2.23	66.153.92.242
Aug 6, 2022 06:38:57.958388090 CEST	36487	23	192.168.2.23	117.81.234.178
Aug 6, 2022 06:38:57.958399057 CEST	36487	23	192.168.2.23	112.30.58.202
Aug 6, 2022 06:38:57.958405972 CEST	36487	23	192.168.2.23	114.40.120.20
Aug 6, 2022 06:38:57.958434105 CEST	36487	23	192.168.2.23	72.174.97.188
Aug 6, 2022 06:38:57.958441973 CEST	36487	23	192.168.2.23	19.232.112.198
Aug 6, 2022 06:38:57.958462954 CEST	36487	23	192.168.2.23	113.25.4.238
Aug 6, 2022 06:38:57.958467007 CEST	36487	23	192.168.2.23	14.7.53.190
Aug 6, 2022 06:38:57.958471060 CEST	36487	23	192.168.2.23	23.16.231.136
Aug 6, 2022 06:38:57.958492994 CEST	36487	23	192.168.2.23	86.136.66.37
Aug 6, 2022 06:38:57.958515882 CEST	36487	23	192.168.2.23	192.136.184.43
Aug 6, 2022 06:38:57.958522081 CEST	36487	23	192.168.2.23	190.128.142.230
Aug 6, 2022 06:38:57.958561897 CEST	36487	23	192.168.2.23	72.166.196.154
Aug 6, 2022 06:38:57.958561897 CEST	36487	23	192.168.2.23	107.108.89.34
Aug 6, 2022 06:38:57.958584070 CEST	36487	23	192.168.2.23	169.63.92.163
Aug 6, 2022 06:38:57.958584070 CEST	36487	23	192.168.2.23	117.190.206.254
Aug 6, 2022 06:38:57.958595991 CEST	36487	23	192.168.2.23	183.122.155.210
Aug 6, 2022 06:38:57.958614111 CEST	36487	23	192.168.2.23	193.167.89.128
Aug 6, 2022 06:38:57.958616018 CEST	36487	23	192.168.2.23	80.207.188.37
Aug 6, 2022 06:38:57.958653927 CEST	36487	23	192.168.2.23	185.158.142.250
Aug 6, 2022 06:38:57.958661079 CEST	36487	23	192.168.2.23	167.139.113.59
Aug 6, 2022 06:38:57.958683968 CEST	36487	23	192.168.2.23	74.142.140.23
Aug 6, 2022 06:38:57.958709955 CEST	36487	23	192.168.2.23	249.93.172.43
Aug 6, 2022 06:38:57.958720922 CEST	36487	23	192.168.2.23	146.106.136.12
Aug 6, 2022 06:38:57.958728075 CEST	36487	23	192.168.2.23	103.29.222.19
Aug 6, 2022 06:38:57.958739042 CEST	36487	23	192.168.2.23	78.117.198.49
Aug 6, 2022 06:38:57.958748102 CEST	36487	23	192.168.2.23	77.37.118.145
Aug 6, 2022 06:38:57.958755016 CEST	36487	23	192.168.2.23	179.133.123.111
Aug 6, 2022 06:38:57.958764076 CEST	36487	23	192.168.2.23	203.56.127.2
Aug 6, 2022 06:38:57.958766937 CEST	36487	23	192.168.2.23	46.88.253.194
Aug 6, 2022 06:38:57.958774090 CEST	36487	23	192.168.2.23	2.133.14.183
Aug 6, 2022 06:38:57.958785057 CEST	36487	23	192.168.2.23	251.217.142.17
Aug 6, 2022 06:38:57.958787918 CEST	36487	23	192.168.2.23	96.72.106.135
Aug 6, 2022 06:38:57.958806038 CEST	36487	23	192.168.2.23	241.165.134.90
Aug 6, 2022 06:38:57.958807945 CEST	36487	23	192.168.2.23	211.194.86.215
Aug 6, 2022 06:38:57.958812952 CEST	36487	23	192.168.2.23	152.176.187.140
Aug 6, 2022 06:38:57.958817005 CEST	36487	23	192.168.2.23	242.241.39.108
Aug 6, 2022 06:38:57.958823919 CEST	36487	23	192.168.2.23	217.167.168.91
Aug 6, 2022 06:38:57.958827019 CEST	36487	23	192.168.2.23	218.221.110.57
Aug 6, 2022 06:38:57.958833933 CEST	36487	23	192.168.2.23	71.68.84.50
Aug 6, 2022 06:38:57.958837032 CEST	36487	23	192.168.2.23	27.248.249.120
Aug 6, 2022 06:38:57.958848953 CEST	36487	23	192.168.2.23	184.171.39.117
Aug 6, 2022 06:38:57.958857059 CEST	36487	23	192.168.2.23	198.44.240.44
Aug 6, 2022 06:38:57.958863020 CEST	36487	23	192.168.2.23	185.33.216.213
Aug 6, 2022 06:38:57.958864927 CEST	36487	23	192.168.2.23	70.206.143.91
Aug 6, 2022 06:38:57.958873034 CEST	36487	23	192.168.2.23	195.217.245.83
Aug 6, 2022 06:38:57.958877087 CEST	36487	23	192.168.2.23	141.95.171.11
Aug 6, 2022 06:38:57.958919048 CEST	36487	23	192.168.2.23	242.106.250.22
Aug 6, 2022 06:38:57.958924055 CEST	36487	23	192.168.2.23	146.47.171.166
Aug 6, 2022 06:38:57.958925962 CEST	36487	23	192.168.2.23	120.135.163.189
Aug 6, 2022 06:38:57.958925962 CEST	36487	23	192.168.2.23	189.128.177.15
Aug 6, 2022 06:38:57.958933115 CEST	36487	23	192.168.2.23	181.10.49.78
Aug 6, 2022 06:38:57.958933115 CEST	36487	23	192.168.2.23	158.78.225.64
Aug 6, 2022 06:38:57.958935022 CEST	36487	23	192.168.2.23	48.13.147.223
Aug 6, 2022 06:38:57.958935976 CEST	36487	23	192.168.2.23	66.39.235.201
Aug 6, 2022 06:38:57.958936930 CEST	36487	23	192.168.2.23	78.201.23.72
Aug 6, 2022 06:38:57.958954096 CEST	36487	23	192.168.2.23	156.4.59.193
Aug 6, 2022 06:38:57.958959103 CEST	36487	23	192.168.2.23	113.164.20.252
Aug 6, 2022 06:38:57.958971024 CEST	36487	23	192.168.2.23	219.129.44.109
Aug 6, 2022 06:38:57.958998919 CEST	36487	23	192.168.2.23	58.22.16.254
Aug 6, 2022 06:38:57.959008932 CEST	36487	23	192.168.2.23	189.92.201.149
Aug 6, 2022 06:38:57.959022045 CEST	36487	23	192.168.2.23	192.171.208.167
Aug 6, 2022 06:38:57.959036112 CEST	36487	23	192.168.2.23	42.133.27.209
Aug 6, 2022 06:38:57.959042072 CEST	36487	23	192.168.2.23	13.7.215.209
Aug 6, 2022 06:38:57.959048986 CEST	36487	23	192.168.2.23	2.169.224.146
Aug 6, 2022 06:38:57.959100008 CEST	36487	23	192.168.2.23	96.114.165.207
Aug 6, 2022 06:38:57.959239960 CEST	36487	23	192.168.2.23	202.162.220.182
Aug 6, 2022 06:38:57.959244967 CEST	36487	23	192.168.2.23	47.180.130.15
Aug 6, 2022 06:38:57.959278107 CEST	36487	23	192.168.2.23	167.139.146.0
Aug 6, 2022 06:38:57.959278107 CEST	36487	23	192.168.2.23	241.136.125.129
Aug 6, 2022 06:38:57.959285021 CEST	36487	23	192.168.2.23	66.241.34.93
Aug 6, 2022 06:38:57.959286928 CEST	36487	23	192.168.2.23	95.255.140.214
Aug 6, 2022 06:38:57.959290028 CEST	36487	23	192.168.2.23	81.166.95.154
Aug 6, 2022 06:38:57.959292889 CEST	36487	23	192.168.2.23	97.4.105.230
Aug 6, 2022 06:38:57.959295034 CEST	36487	23	192.168.2.23	178.248.178.111
Aug 6, 2022 06:38:57.959306002 CEST	36487	23	192.168.2.23	18.22.78.29
Aug 6, 2022 06:38:57.959327936 CEST	36487	23	192.168.2.23	89.250.139.124
Aug 6, 2022 06:38:57.959328890 CEST	36487	23	192.168.2.23	222.136.123.173
Aug 6, 2022 06:38:57.959336042 CEST	36487	23	192.168.2.23	37.88.249.190
Aug 6, 2022 06:38:57.959340096 CEST	36487	23	192.168.2.23	173.106.118.74
Aug 6, 2022 06:38:57.959362030 CEST	36487	23	192.168.2.23	255.41.217.232
Aug 6, 2022 06:38:57.959369898 CEST	36487	23	192.168.2.23	128.254.28.173
Aug 6, 2022 06:38:57.959382057 CEST	36487	23	192.168.2.23	175.93.129.171
Aug 6, 2022 06:38:57.959383965 CEST	36487	23	192.168.2.23	148.54.47.45

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2022 06:38:58.015841961 CEST	192.168.2.23	8.8.8.8	0xc902	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:03.063251019 CEST	192.168.2.23	8.8.8.8	0xa55c	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:12.112843037 CEST	192.168.2.23	8.8.8.8	0x4b70	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:20.161328077 CEST	192.168.2.23	8.8.8.8	0x7193	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:28.210354090 CEST	192.168.2.23	8.8.8.8	0x1dbd	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:34.258898020 CEST	192.168.2.23	8.8.8.8	0x102	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:37.308526039 CEST	192.168.2.23	8.8.8.8	0x19e1	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:39.358630896 CEST	192.168.2.23	8.8.8.8	0x8660	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:44.408814907 CEST	192.168.2.23	8.8.8.8	0x3d48	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:47.457130909 CEST	192.168.2.23	8.8.8.8	0x1976	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:48.544106007 CEST	192.168.2.23	8.8.8.8	0x4e24	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:51.592320919 CEST	192.168.2.23	8.8.8.8	0x7b4d	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:01.638744116 CEST	192.168.2.23	8.8.8.8	0xaffb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:07.692687988 CEST	192.168.2.23	8.8.8.8	0x27c2	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:13.758572102 CEST	192.168.2.23	8.8.8.8	0xfaef	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:14.807538986 CEST	192.168.2.23	8.8.8.8	0xc2a0	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:19.810678005 CEST	192.168.2.23	8.8.8.8	0xc2a0	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:24.898312092 CEST	192.168.2.23	8.8.8.8	0x7236	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:30.944502115 CEST	192.168.2.23	8.8.8.8	0x94f6	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:32.990680933 CEST	192.168.2.23	8.8.8.8	0x42d7	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:35.037621021 CEST	192.168.2.23	8.8.8.8	0xfef0	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:43.089071989 CEST	192.168.2.23	8.8.8.8	0x9ba	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:48.137229919 CEST	192.168.2.23	8.8.8.8	0x50cb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:54.185642004 CEST	192.168.2.23	8.8.8.8	0x1341	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:56.233990908 CEST	192.168.2.23	8.8.8.8	0xef77	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:57.288228035 CEST	192.168.2.23	8.8.8.8	0x1094	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:02.414253950 CEST	192.168.2.23	8.8.8.8	0xe0af	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:12.473647118 CEST	192.168.2.23	8.8.8.8	0xb651	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:19.522330999 CEST	192.168.2.23	8.8.8.8	0x5aa5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:25.568595886 CEST	192.168.2.23	8.8.8.8	0xa4db	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:30.617033958 CEST	192.168.2.23	8.8.8.8	0xe260	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:39.676574945 CEST	192.168.2.23	8.8.8.8	0x8841	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:46.139307022 CEST	192.168.2.23	8.8.8.8	0xc902	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:48.738687992 CEST	192.168.2.23	8.8.8.8	0x2d47	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:49.787352085 CEST	192.168.2.23	8.8.8.8	0x3382	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:51.188376904 CEST	192.168.2.23	8.8.8.8	0xa55c	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:56.933408022 CEST	192.168.2.23	8.8.8.8	0xaa1f	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:00.237283945 CEST	192.168.2.23	8.8.8.8	0x4b70	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:00.987062931 CEST	192.168.2.23	8.8.8.8	0xbd5b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:04.063508034 CEST	192.168.2.23	8.8.8.8	0xe062	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:08.291137934 CEST	192.168.2.23	8.8.8.8	0x7193	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:13.409574986 CEST	192.168.2.23	8.8.8.8	0x78d2	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:17.357780933 CEST	192.168.2.23	8.8.8.8	0x1dbd	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:21.549640894 CEST	192.168.2.23	8.8.8.8	0x46d1	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:24.435219049 CEST	192.168.2.23	8.8.8.8	0x102	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:26.901320934 CEST	192.168.2.23	8.8.8.8	0xe40c	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:27.482821941 CEST	192.168.2.23	8.8.8.8	0x19e1	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:29.594454050 CEST	192.168.2.23	8.8.8.8	0x8660	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 6, 2022 06:38:58.033246040 CEST	8.8.8.8	192.168.2.23	0xc902	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:03.083034992 CEST	8.8.8.8	192.168.2.23	0xa55c	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:12.130494118 CEST	8.8.8.8	192.168.2.23	0x4b70	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:20.180969000 CEST	8.8.8.8	192.168.2.23	0x7193	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:28.229773045 CEST	8.8.8.8	192.168.2.23	0x1dbd	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:34.277985096 CEST	8.8.8.8	192.168.2.23	0x102	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:37.328144073 CEST	8.8.8.8	192.168.2.23	0x19e1	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:39.378031969 CEST	8.8.8.8	192.168.2.23	0x8660	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:44.428303003 CEST	8.8.8.8	192.168.2.23	0x3d48	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:47.476232052 CEST	8.8.8.8	192.168.2.23	0x1976	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:48.563440084 CEST	8.8.8.8	192.168.2.23	0x4e24	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:39:51.610304117 CEST	8.8.8.8	192.168.2.23	0x7b4d	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:01.656316996 CEST	8.8.8.8	192.168.2.23	0xaffb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:07.729549885 CEST	8.8.8.8	192.168.2.23	0x27c2	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:13.778358936 CEST	8.8.8.8	192.168.2.23	0xfaef	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:19.830240011 CEST	8.8.8.8	192.168.2.23	0xc2a0	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:24.915445089 CEST	8.8.8.8	192.168.2.23	0x7236	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:30.962285042 CEST	8.8.8.8	192.168.2.23	0x94f6	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:33.008429050 CEST	8.8.8.8	192.168.2.23	0x42d7	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:35.057518005 CEST	8.8.8.8	192.168.2.23	0xfef0	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:43.107075930 CEST	8.8.8.8	192.168.2.23	0x9ba	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:48.156894922 CEST	8.8.8.8	192.168.2.23	0x50cb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:54.205457926 CEST	8.8.8.8	192.168.2.23	0x1341	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:56.252594948 CEST	8.8.8.8	192.168.2.23	0xef77	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:40:57.308721066 CEST	8.8.8.8	192.168.2.23	0x1094	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:02.442663908 CEST	8.8.8.8	192.168.2.23	0xe0af	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:12.491463900 CEST	8.8.8.8	192.168.2.23	0xb651	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:19.539896011 CEST	8.8.8.8	192.168.2.23	0x5aa5	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:25.588309050 CEST	8.8.8.8	192.168.2.23	0xa4db	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:30.636569023 CEST	8.8.8.8	192.168.2.23	0xe260	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:39.695657969 CEST	8.8.8.8	192.168.2.23	0x8841	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:46.158691883 CEST	8.8.8.8	192.168.2.23	0xc902	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:48.758279085 CEST	8.8.8.8	192.168.2.23	0x2d47	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:49.804258108 CEST	8.8.8.8	192.168.2.23	0x3382	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:51.208085060 CEST	8.8.8.8	192.168.2.23	0xa55c	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:41:56.952830076 CEST	8.8.8.8	192.168.2.23	0xaa1f	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:00.256917953 CEST	8.8.8.8	192.168.2.23	0x4b70	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:01.006757975 CEST	8.8.8.8	192.168.2.23	0xbd5b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:04.080832958 CEST	8.8.8.8	192.168.2.23	0xe062	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:08.310482025 CEST	8.8.8.8	192.168.2.23	0x7193	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:13.428618908 CEST	8.8.8.8	192.168.2.23	0x78d2	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:17.375529051 CEST	8.8.8.8	192.168.2.23	0x1dbd	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:21.568782091 CEST	8.8.8.8	192.168.2.23	0x46d1	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:24.454607010 CEST	8.8.8.8	192.168.2.23	0x102	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:26.920907021 CEST	8.8.8.8	192.168.2.23	0xe40c	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:27.502365112 CEST	8.8.8.8	192.168.2.23	0x19e1	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:42:29.613771915 CEST	8.8.8.8	192.168.2.23	0x8660	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: LxfGfOr9r6 PID: 6228, Parent PID: 6125

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	/tmp/LxfGfOr9r6
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6230, Parent PID: 6228

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6231, Parent PID: 6228

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6232, Parent PID: 6228

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6234, Parent PID: 6228

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6239, Parent PID: 6234

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6328, Parent PID: 6239

General

Start time:	06:41:45
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: LxfGfOr9r6 PID: 6240, Parent PID: 6234

General

Start time:	06:38:57
Start date:	06/08/2022
Path:	/tmp/LxfGfOr9r6
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report LxfGfOr9r6

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: LxfGfOr9r6 PID: 6228, Parent PID: 6125

General

Analysis Process: LxfGfOr9r6 PID: 6230, Parent PID: 6228

General

Analysis Process: LxfGfOr9r6 PID: 6231, Parent PID: 6228

General

Analysis Process: LxfGfOr9r6 PID: 6232, Parent PID: 6228

General

Analysis Process: LxfGfOr9r6 PID: 6234, Parent PID: 6228

General

Analysis Process: LxfGfOr9r6 PID: 6239, Parent PID: 6234

General

Analysis Process: LxfGfOr9r6 PID: 6328, Parent PID: 6239

General

Analysis Process: LxfGfOr9r6 PID: 6240, Parent PID: 6234

General

Linux Analysis Report
LxfGfOr9r6