Edit tour

Linux Analysis Report
SSBFSIj3wk

Overview

General Information

Sample Name:	SSBFSIj3wk
Analysis ID:	679620
MD5:	1beaa289a2e5c583a8ade22549a87e45
SHA1:	7dcf5380b1d43e2fd3d15e32373edd635427229c
SHA256:	63992f68aa03ce566fb5d9cbab680a1c3e04ef381081b51f219461da771cba62
Tags:	32elfintelmirai
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Yara signature match

Sample has stripped symbol table

Enumerates processes within the "proc" file system

Detected TCP or UDP traffic on non-standard ports

Sample tries to kill a process (SIGKILL)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679620
Start date and time: 06/08/202206:47:13	2022-08-06 06:47:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SSBFSIj3wk
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.troj.lin@0/0@43/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/SSBFSIj3wk
PID:	6228
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

SSBFSIj3wk (PID: 6228, Parent: 6123, MD5: 1beaa289a2e5c583a8ade22549a87e45) Arguments: /tmp/SSBFSIj3wk

SSBFSIj3wk New Fork (PID: 6229, Parent: 6228)

SSBFSIj3wk New Fork (PID: 6230, Parent: 6228)

SSBFSIj3wk New Fork (PID: 6232, Parent: 6228)

SSBFSIj3wk New Fork (PID: 6233, Parent: 6228)

SSBFSIj3wk New Fork (PID: 6234, Parent: 6233)

SSBFSIj3wk New Fork (PID: 6318, Parent: 6234)

SSBFSIj3wk New Fork (PID: 6235, Parent: 6233)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SSBFSIj3wk	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
SSBFSIj3wk	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4c00:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3 0x4c50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
SSBFSIj3wk	Linux_Trojan_Mirai_24c5b7d6	unknown	unknown	0xad72:$a: 54 38 1C 80 FA 3E 74 25 80 FA 3A 74 20 80 FA 24 74 1B 80 FA 23
SSBFSIj3wk	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc722:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
SSBFSIj3wk	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0xd82:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
SSBFSIj3wk	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xe01d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
SSBFSIj3wk	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc6f2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6228.1.0000000008048000.000000000805c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6228.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4c00:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3 0x4c50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6228.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_24c5b7d6	unknown	unknown	0xad72:$a: 54 38 1C 80 FA 3E 74 25 80 FA 3A 74 20 80 FA 24 74 1B 80 FA 23
6228.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc722:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6228.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0xd82:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
6228.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xe01d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6228.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc6f2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6318.1.0000000008048000.000000000805c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6235.1.0000000008048000.000000000805c000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6318.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4c00:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3 0x4c50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6318.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_24c5b7d6	unknown	unknown	0xad72:$a: 54 38 1C 80 FA 3E 74 25 80 FA 3A 74 20 80 FA 24 74 1B 80 FA 23
6318.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc722:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6318.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0xd82:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
6318.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xe01d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6318.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc6f2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
6235.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x4c00:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3 0x4c50:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
6235.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_24c5b7d6	unknown	unknown	0xad72:$a: 54 38 1C 80 FA 3E 74 25 80 FA 3A 74 20 80 FA 24 74 1B 80 FA 23
6235.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0xc722:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
6235.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_ae9d0fa6	unknown	unknown	0xd82:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
6235.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xe01d:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
6235.1.0000000008048000.000000000805c000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0xc6f2:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 16 entries

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SSBFSIj3wk	Virustotal: Detection: 53%			Perma Link
Source: SSBFSIj3wk	ReversingLabs: Detection: 62%

Machine Learning detection for sample

Source: SSBFSIj3wk

Joe Sandbox ML: detected

Source: global traffic

TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55578
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 68.195.50.67
Source: unknown	TCP traffic detected without corresponding DNS query: 162.167.117.199
Source: unknown	TCP traffic detected without corresponding DNS query: 202.81.32.67
Source: unknown	TCP traffic detected without corresponding DNS query: 86.40.59.64
Source: unknown	TCP traffic detected without corresponding DNS query: 147.74.30.71
Source: unknown	TCP traffic detected without corresponding DNS query: 76.17.6.164
Source: unknown	TCP traffic detected without corresponding DNS query: 69.86.168.58
Source: unknown	TCP traffic detected without corresponding DNS query: 47.108.79.178
Source: unknown	TCP traffic detected without corresponding DNS query: 87.213.96.138
Source: unknown	TCP traffic detected without corresponding DNS query: 58.100.198.137
Source: unknown	TCP traffic detected without corresponding DNS query: 76.246.243.225
Source: unknown	TCP traffic detected without corresponding DNS query: 186.83.62.48
Source: unknown	TCP traffic detected without corresponding DNS query: 217.191.83.36
Source: unknown	TCP traffic detected without corresponding DNS query: 13.174.202.182
Source: unknown	TCP traffic detected without corresponding DNS query: 204.88.189.98
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.137.9
Source: unknown	TCP traffic detected without corresponding DNS query: 197.24.15.249
Source: unknown	TCP traffic detected without corresponding DNS query: 42.17.65.121
Source: unknown	TCP traffic detected without corresponding DNS query: 96.187.111.50
Source: unknown	TCP traffic detected without corresponding DNS query: 32.216.5.41
Source: unknown	TCP traffic detected without corresponding DNS query: 192.138.244.88
Source: unknown	TCP traffic detected without corresponding DNS query: 213.175.18.187
Source: unknown	TCP traffic detected without corresponding DNS query: 153.235.57.169
Source: unknown	TCP traffic detected without corresponding DNS query: 68.76.31.148
Source: unknown	TCP traffic detected without corresponding DNS query: 41.26.95.169
Source: unknown	TCP traffic detected without corresponding DNS query: 53.200.235.95
Source: unknown	TCP traffic detected without corresponding DNS query: 246.102.69.11
Source: unknown	TCP traffic detected without corresponding DNS query: 46.69.90.219
Source: unknown	TCP traffic detected without corresponding DNS query: 46.219.79.180
Source: unknown	TCP traffic detected without corresponding DNS query: 165.221.112.169
Source: unknown	TCP traffic detected without corresponding DNS query: 96.4.121.61
Source: unknown	TCP traffic detected without corresponding DNS query: 27.96.57.37
Source: unknown	TCP traffic detected without corresponding DNS query: 113.155.135.253
Source: unknown	TCP traffic detected without corresponding DNS query: 37.115.7.130
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.243.153
Source: unknown	TCP traffic detected without corresponding DNS query: 82.84.103.132
Source: unknown	TCP traffic detected without corresponding DNS query: 46.50.141.75
Source: unknown	TCP traffic detected without corresponding DNS query: 70.21.242.15
Source: unknown	TCP traffic detected without corresponding DNS query: 171.189.146.162
Source: unknown	TCP traffic detected without corresponding DNS query: 91.215.171.38
Source: unknown	TCP traffic detected without corresponding DNS query: 105.113.252.83
Source: unknown	TCP traffic detected without corresponding DNS query: 98.242.35.32
Source: unknown	TCP traffic detected without corresponding DNS query: 254.246.149.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.71.162.169
Source: unknown	TCP traffic detected without corresponding DNS query: 163.190.194.226
Source: unknown	TCP traffic detected without corresponding DNS query: 12.221.134.193
Source: unknown	TCP traffic detected without corresponding DNS query: 178.226.172.132
Source: unknown	TCP traffic detected without corresponding DNS query: 8.195.127.199
Source: unknown	TCP traffic detected without corresponding DNS query: 88.234.97.251

System Summary

Malicious sample detected (through community Yara rule)

Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_24c5b7d6 Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown

Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: SSBFSIj3wk, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_24c5b7d6 reference_sample = 7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3411b624f02dd1c7a0e663f1f119c8d5e47a81892bb7c445b7695c605b0b8ee2, id = 24c5b7d6-1aa8-4d8e-9983-c7234f57c3de, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/SSBFSIj3wk (PID: 6234)

SIGKILL sent: pid: 936, result: successful

Source: Initial sample	String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample	String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: Connected To CNCrootarm5arm6arm7oginsernamevrdvsccountenterasswordusyboxulti-callhelp$#~nvalidailedncorrecteniedrroroodbyebad: applet not found/var//dev//mnt//var/run//var/tmp//dev/netslink//dev/shm//bin//etc//boot//usr//sys/xc3511xmhdipcklv123hi3518jvbzd1234562wj9fsa2>%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t

Source: classification engine

Classification label: mal68.troj.lin@0/0@43/0

Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/6234/exe
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/491/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/793/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/772/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/796/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/774/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/797/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/777/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/799/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/658/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/912/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/759/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/936/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/918/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/1/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/761/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/785/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/884/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/720/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/721/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/788/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/789/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/800/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/801/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/847/fd
Source: /tmp/SSBFSIj3wk (PID: 6234)	File opened: /proc/904/fd

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: SSBFSIj3wk, type: SAMPLE
Source: Yara match	File source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: SSBFSIj3wk, type: SAMPLE
Source: Yara match	File source: 6228.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6318.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6235.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SSBFSIj3wk	54%	Virustotal		Browse
SSBFSIj3wk	62%	ReversingLabs	Linux.Trojan.Mirai
SSBFSIj3wk	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	12%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	46.23.109.40	true	true	12%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
44.103.235.54	unknown	United States	54869	ROCKCOM-COUS	false
83.32.29.72	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
218.134.63.159	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
240.153.133.162	unknown	Reserved	unknown	unknown	false
153.177.50.112	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
188.97.99.57	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
250.168.161.155	unknown	Reserved	unknown	unknown	false
163.208.145.140	unknown	Japan	7502	IP-KYOTOAdvancedSoftwareTechnologyManagementResearch	false
95.131.166.89	unknown	Spain	43402	CABLEMURCIA-ASES	false
156.147.203.4	unknown	Korea Republic of	4668	LGNET-AS-KRLGCNSKR	false
255.165.202.25	unknown	Reserved	unknown	unknown	false
63.167.147.153	unknown	United States	1239	SPRINTLINKUS	false
73.152.2.152	unknown	United States	7922	COMCAST-7922US	false
59.46.183.89	unknown	China	134762	CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali	false
73.184.255.191	unknown	United States	7922	COMCAST-7922US	false
207.252.205.231	unknown	United States	10844	VASTNETUS	false
57.81.243.103	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
37.87.36.218	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
95.205.71.207	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
200.231.73.25	unknown	Brazil	4230	CLAROSABR	false
241.184.140.21	unknown	Reserved	unknown	unknown	false
218.134.15.254	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
58.192.126.26	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
255.235.190.240	unknown	Reserved	unknown	unknown	false
143.0.247.198	unknown	Argentina	12150	COTELCAMAR	false
154.212.36.122	unknown	Seychelles	54600	PEGTECHINCUS	false
223.115.154.186	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
116.60.113.195	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
61.153.236.127	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
195.70.86.194	unknown	United Kingdom	5413	AS5413GB	false
203.139.210.85	unknown	Japan	7522	STCNSTNetIncorporatedJP	false
166.135.50.33	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
100.202.107.221	unknown	United States	21928	T-MOBILE-AS21928US	false
94.142.35.113	unknown	Jordan	48832	ZAIN-JO	false
157.5.26.205	unknown	unknown	7671	MCNETNTTSmartConnectCorporationJP	false
141.251.187.126	unknown	United States	137	ASGARRConsortiumGARREU	false
169.23.102.21	unknown	United States	37611	AfrihostZA	false
24.161.107.219	unknown	United States	12271	TWC-12271-NYCUS	false
37.160.127.180	unknown	France	51207	FREEMFR	false
91.203.191.63	unknown	Russian Federation	47133	PROSERVIS-ASRU	false
171.2.26.208	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
109.171.7.56	unknown	Russian Federation	15774	TTK-RTLRetailRU	false
75.140.122.162	unknown	United States	20115	CHARTER-20115US	false
254.230.35.232	unknown	Reserved	unknown	unknown	false
133.84.38.220	unknown	Japan	55904	KOGAKUIN-ASKOGAKUINUniversityJP	false
88.7.59.13	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
172.185.86.22	unknown	United States	7018	ATT-INTERNET4US	false
164.57.104.9	unknown	United States	4583	WESTPUB-AUS	false
216.112.242.9	unknown	United States	16908	ATRGNJ01US	false
17.18.116.47	unknown	United States	714	APPLE-ENGINEERINGUS	false
192.90.239.37	unknown	United States	6	BULL-HNUS	false
101.192.60.126	unknown	China	58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false
108.163.30.102	unknown	United States	394855	STRATUS-VIDEOUS	false
27.231.45.60	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
209.164.3.242	unknown	United States	20021	LNH-INCUS	false
123.50.17.4	unknown	Japan	10013	FBDCFreeBitCoLtdJP	false
14.71.104.161	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
113.243.219.18	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
40.48.11.142	unknown	United States	4249	LILLY-ASUS	false
241.67.85.216	unknown	Reserved	unknown	unknown	false
208.239.240.221	unknown	United States	13768	COGECO-PEER1CA	false
113.109.71.70	unknown	China	4816	CHINANET-IDC-GDChinaTelecomGroupCN	false
183.155.198.11	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
148.9.92.66	unknown	United States	3745	NTTDATA-SERVICES-AS2US	false
253.171.215.12	unknown	Reserved	unknown	unknown	false
70.155.118.151	unknown	United States	7018	ATT-INTERNET4US	false
68.167.229.184	unknown	United States	18566	MEGAPATH5-US	false
171.6.150.42	unknown	Thailand	45758	TRIPLETNET-AS-APTripleTInternetTripleTBroadbandTH	false
168.171.222.80	unknown	United States	26675	REGIONIVESCUS	false
195.35.225.223	unknown	Netherlands	33915	TNF-ASNL	false
186.18.44.202	unknown	Argentina	27747	TelecentroSAAR	false
60.23.236.124	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
190.169.220.210	unknown	Venezuela	19192	UniversidadCentraldeVenezuelaVE	false
37.64.35.82	unknown	France	15557	LDCOMNETFR	false
167.70.229.253	unknown	United States	4583	WESTPUB-AUS	false
117.255.236.170	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
46.93.33.38	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
241.150.197.74	unknown	Reserved	unknown	unknown	false
85.131.188.72	unknown	Germany	34309	LINK11Link11GmbHDE	false
160.24.168.80	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
32.72.230.211	unknown	United States	2686	ATGS-MMD-ASUS	false
244.10.65.196	unknown	Reserved	unknown	unknown	false
102.57.17.177	unknown	Egypt	36992	ETISALAT-MISREG	false
185.141.123.213	unknown	Germany	204877	DE-KUPPERDE	false
130.186.232.206	unknown	Italy	8612	TISCALI-IT	false
253.105.21.80	unknown	Reserved	unknown	unknown	false
149.142.140.161	unknown	United States	52	UCLAUS	false
187.132.216.121	unknown	Mexico	8151	UninetSAdeCVMX	false
145.176.119.1	unknown	Netherlands	59524	KPN-IAASNL	false
205.237.29.21	unknown	Canada	54783	AS-CSDUROYCA	false
126.26.13.179	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
34.227.215.61	unknown	United States	14618	AMAZON-AESUS	false
107.101.195.20	unknown	United States	7018	ATT-INTERNET4US	false
65.62.1.156	unknown	United States	32475	SINGLEHOP-LLCUS	false
5.161.109.193	unknown	Germany	24940	HETZNER-ASDE	false
152.45.146.132	unknown	United States	81	NCRENUS	false
130.237.37.142	unknown	Sweden	1653	SUNETSUNETSwedishUniversityNetworkEU	false
4.19.51.100	unknown	United States	3356	LEVEL3US	false
115.17.11.183	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
205.215.136.177	unknown	United States	26638	MPLS-PUBLIC-SCHOOLSUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.567228487380409
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	SSBFSIj3wk
File size:	81424
MD5:	1beaa289a2e5c583a8ade22549a87e45
SHA1:	7dcf5380b1d43e2fd3d15e32373edd635427229c
SHA256:	63992f68aa03ce566fb5d9cbab680a1c3e04ef381081b51f219461da771cba62
SHA512:	cd326a02bb78fead685b918fb0b3971eb3bbef184683991d3a34c51cbe5c22033d948f24b78debfe5eb9f200ad4c5a1757da75bc07bff13f0d075cb692ef2774
SSDEEP:	1536:nZg6Iau23kSyBep6OAfgeSvxfbVmYjztrJ//euxUqT4pffSYrJYJa:Vl3H+ep6OAfge2xfbVm8Brp/7x1cfXVj
TLSH:	64835DC1A5C2E8F5DC11057930BBA7326A37F03A6079EEDBE3D9A633A851601661339D
File Content Preview:	.ELF....................d...4....<......4. ...(......................5...5...............5..............`6..........Q.td............................U..S.......7E...h........[]...$.............U......=@....t..5...................u........t....h............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048164
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	81024
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8048094	0x94	0x1c	0x0	0x6	AX	1
.text	PROGBITS	0x80480b0	0xb0	0x111d6	0x0	0x6	AX	16
.fini	PROGBITS	0x8059286	0x11286	0x17	0x0	0x6	AX	1
.rodata	PROGBITS	0x80592a0	0x112a0	0x231c	0x0	0x2	A	32
.ctors	PROGBITS	0x805c5c0	0x135c0	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x805c5c8	0x135c8	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x805c5e0	0x135e0	0x660	0x0	0x3	WA	32
.bss	NOBITS	0x805cc40	0x13c40	0x2fe0	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x13c40	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x135bc	0x135bc	6.5878	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x135c0	0x805c5c0	0x805c5c0	0x680	0x3660	4.6942	0x6	RW	0x1000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 06:47:59.111807108 CEST	52869	61404	80.81.219.28	192.168.2.23
Aug 6, 2022 06:47:59.993693113 CEST	42836	443	192.168.2.23	91.189.91.43
Aug 6, 2022 06:48:00.068818092 CEST	25964	23	192.168.2.23	68.195.50.67
Aug 6, 2022 06:48:00.068830013 CEST	25964	23	192.168.2.23	162.167.117.199
Aug 6, 2022 06:48:00.068901062 CEST	25964	23	192.168.2.23	202.81.32.67
Aug 6, 2022 06:48:00.068905115 CEST	25964	23	192.168.2.23	86.40.59.64
Aug 6, 2022 06:48:00.068917036 CEST	25964	23	192.168.2.23	147.74.30.71
Aug 6, 2022 06:48:00.069096088 CEST	25964	23	192.168.2.23	76.17.6.164
Aug 6, 2022 06:48:00.069101095 CEST	25964	23	192.168.2.23	69.86.168.58
Aug 6, 2022 06:48:00.069104910 CEST	25964	23	192.168.2.23	47.108.79.178
Aug 6, 2022 06:48:00.069125891 CEST	25964	23	192.168.2.23	87.213.96.138
Aug 6, 2022 06:48:00.069132090 CEST	25964	23	192.168.2.23	58.100.198.137
Aug 6, 2022 06:48:00.069164038 CEST	25964	23	192.168.2.23	76.246.243.225
Aug 6, 2022 06:48:00.069170952 CEST	25964	23	192.168.2.23	186.83.62.48
Aug 6, 2022 06:48:00.069170952 CEST	25964	23	192.168.2.23	217.191.83.36
Aug 6, 2022 06:48:00.069173098 CEST	25964	23	192.168.2.23	13.174.202.182
Aug 6, 2022 06:48:00.069176912 CEST	25964	23	192.168.2.23	204.88.189.98
Aug 6, 2022 06:48:00.069205999 CEST	25964	23	192.168.2.23	107.173.137.9
Aug 6, 2022 06:48:00.069214106 CEST	25964	23	192.168.2.23	197.24.15.249
Aug 6, 2022 06:48:00.069215059 CEST	25964	23	192.168.2.23	42.17.65.121
Aug 6, 2022 06:48:00.069220066 CEST	25964	23	192.168.2.23	96.187.111.50
Aug 6, 2022 06:48:00.069233894 CEST	25964	23	192.168.2.23	32.216.5.41
Aug 6, 2022 06:48:00.069242001 CEST	25964	23	192.168.2.23	192.138.244.88
Aug 6, 2022 06:48:00.069247007 CEST	25964	23	192.168.2.23	213.175.18.187
Aug 6, 2022 06:48:00.069248915 CEST	25964	23	192.168.2.23	153.235.57.169
Aug 6, 2022 06:48:00.069267988 CEST	25964	23	192.168.2.23	68.76.31.148
Aug 6, 2022 06:48:00.071537018 CEST	25964	23	192.168.2.23	41.26.95.169
Aug 6, 2022 06:48:00.071556091 CEST	25964	23	192.168.2.23	53.200.235.95
Aug 6, 2022 06:48:00.071568012 CEST	25964	23	192.168.2.23	246.102.69.11
Aug 6, 2022 06:48:00.071568966 CEST	25964	23	192.168.2.23	24.227.110.35
Aug 6, 2022 06:48:00.071579933 CEST	25964	23	192.168.2.23	46.69.90.219
Aug 6, 2022 06:48:00.071598053 CEST	25964	23	192.168.2.23	46.219.79.180
Aug 6, 2022 06:48:00.071608067 CEST	25964	23	192.168.2.23	165.221.112.169
Aug 6, 2022 06:48:00.071614981 CEST	25964	23	192.168.2.23	96.4.121.61
Aug 6, 2022 06:48:00.071625948 CEST	25964	23	192.168.2.23	27.96.57.37
Aug 6, 2022 06:48:00.071631908 CEST	25964	23	192.168.2.23	113.155.135.253
Aug 6, 2022 06:48:00.071638107 CEST	25964	23	192.168.2.23	37.115.7.130
Aug 6, 2022 06:48:00.071645021 CEST	25964	23	192.168.2.23	156.254.243.153
Aug 6, 2022 06:48:00.071646929 CEST	25964	23	192.168.2.23	82.84.103.132
Aug 6, 2022 06:48:00.071654081 CEST	25964	23	192.168.2.23	46.50.141.75
Aug 6, 2022 06:48:00.071659088 CEST	25964	23	192.168.2.23	70.21.242.15
Aug 6, 2022 06:48:00.071665049 CEST	25964	23	192.168.2.23	171.189.146.162
Aug 6, 2022 06:48:00.071672916 CEST	25964	23	192.168.2.23	91.215.171.38
Aug 6, 2022 06:48:00.071676016 CEST	25964	23	192.168.2.23	105.113.252.83
Aug 6, 2022 06:48:00.071681023 CEST	25964	23	192.168.2.23	98.242.35.32
Aug 6, 2022 06:48:00.071692944 CEST	25964	23	192.168.2.23	254.246.149.1
Aug 6, 2022 06:48:00.071700096 CEST	25964	23	192.168.2.23	98.71.162.169
Aug 6, 2022 06:48:00.072156906 CEST	25964	23	192.168.2.23	163.190.194.226
Aug 6, 2022 06:48:00.072164059 CEST	25964	23	192.168.2.23	12.221.134.193
Aug 6, 2022 06:48:00.072170973 CEST	25964	23	192.168.2.23	178.226.172.132
Aug 6, 2022 06:48:00.072184086 CEST	25964	23	192.168.2.23	8.195.127.199
Aug 6, 2022 06:48:00.072192907 CEST	25964	23	192.168.2.23	88.234.97.251
Aug 6, 2022 06:48:00.072194099 CEST	25964	23	192.168.2.23	219.105.121.50
Aug 6, 2022 06:48:00.072196960 CEST	25964	23	192.168.2.23	176.255.111.68
Aug 6, 2022 06:48:00.072196960 CEST	25964	23	192.168.2.23	107.44.168.244
Aug 6, 2022 06:48:00.072204113 CEST	25964	23	192.168.2.23	111.1.39.77
Aug 6, 2022 06:48:00.072225094 CEST	25964	23	192.168.2.23	88.7.24.53
Aug 6, 2022 06:48:00.072236061 CEST	25964	23	192.168.2.23	179.119.231.4
Aug 6, 2022 06:48:00.072263956 CEST	25964	23	192.168.2.23	157.128.231.78
Aug 6, 2022 06:48:00.072705030 CEST	25964	23	192.168.2.23	44.47.128.132
Aug 6, 2022 06:48:00.072814941 CEST	25964	23	192.168.2.23	192.49.51.216
Aug 6, 2022 06:48:00.072824955 CEST	25964	23	192.168.2.23	120.155.13.97
Aug 6, 2022 06:48:00.072833061 CEST	25964	23	192.168.2.23	69.87.57.91
Aug 6, 2022 06:48:00.072833061 CEST	25964	23	192.168.2.23	216.179.114.59
Aug 6, 2022 06:48:00.073185921 CEST	25964	23	192.168.2.23	48.243.86.158
Aug 6, 2022 06:48:00.073194027 CEST	25964	23	192.168.2.23	31.67.3.79
Aug 6, 2022 06:48:00.073194981 CEST	25964	23	192.168.2.23	41.200.101.239
Aug 6, 2022 06:48:00.073196888 CEST	25964	23	192.168.2.23	174.15.29.243
Aug 6, 2022 06:48:00.073224068 CEST	25964	23	192.168.2.23	67.215.249.73
Aug 6, 2022 06:48:00.073302031 CEST	25964	23	192.168.2.23	125.99.195.108
Aug 6, 2022 06:48:00.073307037 CEST	25964	23	192.168.2.23	245.230.168.207
Aug 6, 2022 06:48:00.073328018 CEST	25964	23	192.168.2.23	27.102.81.175
Aug 6, 2022 06:48:00.073343039 CEST	25964	23	192.168.2.23	212.47.217.222
Aug 6, 2022 06:48:00.073350906 CEST	25964	23	192.168.2.23	73.159.194.98
Aug 6, 2022 06:48:00.073354959 CEST	25964	23	192.168.2.23	170.193.208.67
Aug 6, 2022 06:48:00.073362112 CEST	25964	23	192.168.2.23	86.139.85.152
Aug 6, 2022 06:48:00.073381901 CEST	25964	23	192.168.2.23	167.222.128.51
Aug 6, 2022 06:48:00.073384047 CEST	25964	23	192.168.2.23	193.158.108.82
Aug 6, 2022 06:48:00.073385000 CEST	25964	23	192.168.2.23	196.200.181.73
Aug 6, 2022 06:48:00.073395014 CEST	25964	23	192.168.2.23	69.185.216.116
Aug 6, 2022 06:48:00.073395967 CEST	25964	23	192.168.2.23	118.252.210.217
Aug 6, 2022 06:48:00.073985100 CEST	25964	23	192.168.2.23	128.25.150.123
Aug 6, 2022 06:48:00.073986053 CEST	25964	23	192.168.2.23	218.11.152.206
Aug 6, 2022 06:48:00.073991060 CEST	25964	23	192.168.2.23	95.191.246.45
Aug 6, 2022 06:48:00.074023962 CEST	25964	23	192.168.2.23	24.17.239.195
Aug 6, 2022 06:48:00.074034929 CEST	25964	23	192.168.2.23	149.241.186.119
Aug 6, 2022 06:48:00.074045897 CEST	25964	23	192.168.2.23	106.76.19.86
Aug 6, 2022 06:48:00.074074984 CEST	25964	23	192.168.2.23	43.2.87.111
Aug 6, 2022 06:48:00.074076891 CEST	25964	23	192.168.2.23	80.150.90.124
Aug 6, 2022 06:48:00.074084044 CEST	25964	23	192.168.2.23	70.145.161.155
Aug 6, 2022 06:48:00.074094057 CEST	25964	23	192.168.2.23	170.150.152.209
Aug 6, 2022 06:48:00.074110031 CEST	25964	23	192.168.2.23	76.201.247.242
Aug 6, 2022 06:48:00.074111938 CEST	25964	23	192.168.2.23	140.213.161.150
Aug 6, 2022 06:48:00.074119091 CEST	25964	23	192.168.2.23	44.251.174.96
Aug 6, 2022 06:48:00.074119091 CEST	25964	23	192.168.2.23	173.118.82.67
Aug 6, 2022 06:48:00.074132919 CEST	25964	23	192.168.2.23	149.218.61.48
Aug 6, 2022 06:48:00.074136972 CEST	25964	23	192.168.2.23	18.162.223.82
Aug 6, 2022 06:48:00.074137926 CEST	25964	23	192.168.2.23	90.72.237.128
Aug 6, 2022 06:48:00.074141026 CEST	25964	23	192.168.2.23	207.214.91.62
Aug 6, 2022 06:48:00.074157000 CEST	25964	23	192.168.2.23	13.193.87.81

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2022 06:48:00.078311920 CEST	192.168.2.23	8.8.8.8	0xbef5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:09.125917912 CEST	192.168.2.23	8.8.8.8	0xb374	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:14.174034119 CEST	192.168.2.23	8.8.8.8	0xb599	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:23.269795895 CEST	192.168.2.23	8.8.8.8	0xd3f8	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:33.403332949 CEST	192.168.2.23	8.8.8.8	0xa115	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:42.453854084 CEST	192.168.2.23	8.8.8.8	0x9cfb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:50.507410049 CEST	192.168.2.23	8.8.8.8	0xd8b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:00.754700899 CEST	192.168.2.23	8.8.8.8	0x90cb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:10.802896023 CEST	192.168.2.23	8.8.8.8	0x5ddc	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:18.872000933 CEST	192.168.2.23	8.8.8.8	0x6748	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:25.919867039 CEST	192.168.2.23	8.8.8.8	0x8b89	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:35.002190113 CEST	192.168.2.23	8.8.8.8	0x7398	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:43.050901890 CEST	192.168.2.23	8.8.8.8	0xaf6b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:44.109100103 CEST	192.168.2.23	8.8.8.8	0x7229	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:50.156644106 CEST	192.168.2.23	8.8.8.8	0xbd75	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:57.205142975 CEST	192.168.2.23	8.8.8.8	0xdd9a	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:01.251140118 CEST	192.168.2.23	8.8.8.8	0x9539	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:08.296968937 CEST	192.168.2.23	8.8.8.8	0x711e	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:11.342570066 CEST	192.168.2.23	8.8.8.8	0xc154	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:16.390641928 CEST	192.168.2.23	8.8.8.8	0x4f29	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:22.456301928 CEST	192.168.2.23	8.8.8.8	0xe9da	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:23.504879951 CEST	192.168.2.23	8.8.8.8	0x5e1f	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:28.553596020 CEST	192.168.2.23	8.8.8.8	0xdddb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:30.601393938 CEST	192.168.2.23	8.8.8.8	0xf2fc	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:37.649391890 CEST	192.168.2.23	8.8.8.8	0xf868	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:42.730268002 CEST	192.168.2.23	8.8.8.8	0x5b52	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:46.605715036 CEST	192.168.2.23	8.8.8.8	0xbef5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:46.783771038 CEST	192.168.2.23	8.8.8.8	0xc95	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:48.832328081 CEST	192.168.2.23	8.8.8.8	0x9301	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:50.911737919 CEST	192.168.2.23	8.8.8.8	0xe050	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:55.653640032 CEST	192.168.2.23	8.8.8.8	0xb374	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:56.973839045 CEST	192.168.2.23	8.8.8.8	0xa839	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:00.701004028 CEST	192.168.2.23	8.8.8.8	0xb599	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:03.053056955 CEST	192.168.2.23	8.8.8.8	0xd8ef	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:04.104366064 CEST	192.168.2.23	8.8.8.8	0x6c88	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:06.748928070 CEST	192.168.2.23	8.8.8.8	0xd3f8	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:12.157315969 CEST	192.168.2.23	8.8.8.8	0xa5b6	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:16.796652079 CEST	192.168.2.23	8.8.8.8	0xa115	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:22.213680029 CEST	192.168.2.23	8.8.8.8	0xb43a	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:24.899380922 CEST	192.168.2.23	8.8.8.8	0x9cfb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:30.260056973 CEST	192.168.2.23	8.8.8.8	0x84b3	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:31.947463989 CEST	192.168.2.23	8.8.8.8	0xd8b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:32.306253910 CEST	192.168.2.23	8.8.8.8	0x11ce	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 6, 2022 06:48:00.095745087 CEST	8.8.8.8	192.168.2.23	0xbef5	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:09.145636082 CEST	8.8.8.8	192.168.2.23	0xb374	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:14.200782061 CEST	8.8.8.8	192.168.2.23	0xb599	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:23.289823055 CEST	8.8.8.8	192.168.2.23	0xd3f8	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:33.423337936 CEST	8.8.8.8	192.168.2.23	0xa115	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:42.471218109 CEST	8.8.8.8	192.168.2.23	0x9cfb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:48:50.527005911 CEST	8.8.8.8	192.168.2.23	0xd8b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:00.774195910 CEST	8.8.8.8	192.168.2.23	0x90cb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:10.822261095 CEST	8.8.8.8	192.168.2.23	0x5ddc	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:18.891434908 CEST	8.8.8.8	192.168.2.23	0x6748	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:25.940848112 CEST	8.8.8.8	192.168.2.23	0x8b89	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:35.022111893 CEST	8.8.8.8	192.168.2.23	0x7398	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:43.079803944 CEST	8.8.8.8	192.168.2.23	0xaf6b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:44.128092051 CEST	8.8.8.8	192.168.2.23	0x7229	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:50.173712015 CEST	8.8.8.8	192.168.2.23	0xbd75	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:49:57.222553968 CEST	8.8.8.8	192.168.2.23	0xdd9a	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:01.268518925 CEST	8.8.8.8	192.168.2.23	0x9539	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:08.313884974 CEST	8.8.8.8	192.168.2.23	0x711e	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:11.361749887 CEST	8.8.8.8	192.168.2.23	0xc154	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:16.409389019 CEST	8.8.8.8	192.168.2.23	0x4f29	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:22.475939035 CEST	8.8.8.8	192.168.2.23	0xe9da	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:23.524410963 CEST	8.8.8.8	192.168.2.23	0x5e1f	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:28.572948933 CEST	8.8.8.8	192.168.2.23	0xdddb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:30.619324923 CEST	8.8.8.8	192.168.2.23	0xf2fc	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:37.668998957 CEST	8.8.8.8	192.168.2.23	0xf868	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:42.749850035 CEST	8.8.8.8	192.168.2.23	0x5b52	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:46.624937057 CEST	8.8.8.8	192.168.2.23	0xbef5	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:46.803086042 CEST	8.8.8.8	192.168.2.23	0xc95	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:48.861555099 CEST	8.8.8.8	192.168.2.23	0x9301	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:50.929491043 CEST	8.8.8.8	192.168.2.23	0xe050	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:55.671456099 CEST	8.8.8.8	192.168.2.23	0xb374	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:50:56.992954969 CEST	8.8.8.8	192.168.2.23	0xa839	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:00.720555067 CEST	8.8.8.8	192.168.2.23	0xb599	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:03.072695971 CEST	8.8.8.8	192.168.2.23	0xd8ef	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:04.123748064 CEST	8.8.8.8	192.168.2.23	0x6c88	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:06.768574953 CEST	8.8.8.8	192.168.2.23	0xd3f8	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:12.176244974 CEST	8.8.8.8	192.168.2.23	0xa5b6	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:16.815886974 CEST	8.8.8.8	192.168.2.23	0xa115	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:22.231204987 CEST	8.8.8.8	192.168.2.23	0xb43a	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:24.918699026 CEST	8.8.8.8	192.168.2.23	0x9cfb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:30.277465105 CEST	8.8.8.8	192.168.2.23	0x84b3	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:31.966412067 CEST	8.8.8.8	192.168.2.23	0xd8b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 06:51:32.323992014 CEST	8.8.8.8	192.168.2.23	0x11ce	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: SSBFSIj3wk PID: 6228, Parent PID: 6123

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	/tmp/SSBFSIj3wk
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6229, Parent PID: 6228

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6230, Parent PID: 6228

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6232, Parent PID: 6228

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6233, Parent PID: 6228

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6234, Parent PID: 6233

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6318, Parent PID: 6234

General

Start time:	06:50:46
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Analysis Process: SSBFSIj3wk PID: 6235, Parent PID: 6233

General

Start time:	06:47:59
Start date:	06/08/2022
Path:	/tmp/SSBFSIj3wk
Arguments:	n/a
File size:	81424 bytes
MD5 hash:	1beaa289a2e5c583a8ade22549a87e45

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SSBFSIj3wk

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: SSBFSIj3wk PID: 6228, Parent PID: 6123

General

Analysis Process: SSBFSIj3wk PID: 6229, Parent PID: 6228

General

Analysis Process: SSBFSIj3wk PID: 6230, Parent PID: 6228

General

Analysis Process: SSBFSIj3wk PID: 6232, Parent PID: 6228

General

Analysis Process: SSBFSIj3wk PID: 6233, Parent PID: 6228

General

Analysis Process: SSBFSIj3wk PID: 6234, Parent PID: 6233

General

Analysis Process: SSBFSIj3wk PID: 6318, Parent PID: 6234

General

Analysis Process: SSBFSIj3wk PID: 6235, Parent PID: 6233

General

Linux Analysis Report
SSBFSIj3wk