Edit tour

Linux Analysis Report
dNLKZA6IVs

Overview

General Information

Sample Name:	dNLKZA6IVs
Analysis ID:	679625
MD5:	407a38109a75cc3a5845952e359e2255
SHA1:	d75de51babdf08188f91d4e854160349e5c0185e
SHA256:	6874279cf48edce8cef28cce5c397462f5eadad07887dfabfb8caccf5899c436
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679625
Start date and time: 06/08/202207:00:30	2022-08-06 07:00:30 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	dNLKZA6IVs
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.troj.lin@0/0@46/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/dNLKZA6IVs
PID:	6231
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

dNLKZA6IVs (PID: 6231, Parent: 6125, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/dNLKZA6IVs

dNLKZA6IVs New Fork (PID: 6233, Parent: 6231)

dNLKZA6IVs New Fork (PID: 6234, Parent: 6231)

dNLKZA6IVs New Fork (PID: 6235, Parent: 6231)

dNLKZA6IVs New Fork (PID: 6238, Parent: 6231)

dNLKZA6IVs New Fork (PID: 6242, Parent: 6238)

dNLKZA6IVs New Fork (PID: 6329, Parent: 6242)

dNLKZA6IVs New Fork (PID: 6243, Parent: 6238)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
dNLKZA6IVs	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6329.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6231.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6243.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dNLKZA6IVs

Avira: detected

Multi AV Scanner detection for submitted file

Source: dNLKZA6IVs	Virustotal: Detection: 43%	Perma Link
Source: dNLKZA6IVs	Metadefender: Detection: 34%	Perma Link
Source: dNLKZA6IVs	ReversingLabs: Detection: 73%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43848
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43854
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43864
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43900

Source: global traffic	TCP traffic: 192.168.2.23:52808 -> 105.110.101.85:7547
Source: global traffic	TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312
Source: global traffic	TCP traffic: 192.168.2.23:41062 -> 160.177.155.129:7547

Source: /tmp/dNLKZA6IVs (PID: 6231)	Socket: 127.0.0.1::1312
Source: /tmp/dNLKZA6IVs (PID: 6242)	Socket: 0.0.0.0::0
Source: /tmp/dNLKZA6IVs (PID: 6242)	Socket: 0.0.0.0::53413
Source: /tmp/dNLKZA6IVs (PID: 6242)	Socket: 0.0.0.0::80
Source: /tmp/dNLKZA6IVs (PID: 6242)	Socket: 0.0.0.0::37215

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33186
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 202.183.87.80
Source: unknown	TCP traffic detected without corresponding DNS query: 36.42.218.83
Source: unknown	TCP traffic detected without corresponding DNS query: 194.196.235.203
Source: unknown	TCP traffic detected without corresponding DNS query: 13.73.112.158
Source: unknown	TCP traffic detected without corresponding DNS query: 150.164.107.187
Source: unknown	TCP traffic detected without corresponding DNS query: 216.199.69.80
Source: unknown	TCP traffic detected without corresponding DNS query: 173.207.17.142
Source: unknown	TCP traffic detected without corresponding DNS query: 213.127.78.7
Source: unknown	TCP traffic detected without corresponding DNS query: 203.182.69.185
Source: unknown	TCP traffic detected without corresponding DNS query: 205.173.56.210
Source: unknown	TCP traffic detected without corresponding DNS query: 85.228.242.238
Source: unknown	TCP traffic detected without corresponding DNS query: 1.74.17.104
Source: unknown	TCP traffic detected without corresponding DNS query: 249.5.201.220
Source: unknown	TCP traffic detected without corresponding DNS query: 177.139.176.115
Source: unknown	TCP traffic detected without corresponding DNS query: 124.42.216.148
Source: unknown	TCP traffic detected without corresponding DNS query: 58.28.185.231
Source: unknown	TCP traffic detected without corresponding DNS query: 106.155.249.145
Source: unknown	TCP traffic detected without corresponding DNS query: 158.216.238.194
Source: unknown	TCP traffic detected without corresponding DNS query: 250.119.196.96
Source: unknown	TCP traffic detected without corresponding DNS query: 141.250.43.84
Source: unknown	TCP traffic detected without corresponding DNS query: 198.17.151.16
Source: unknown	TCP traffic detected without corresponding DNS query: 125.125.170.224
Source: unknown	TCP traffic detected without corresponding DNS query: 136.235.223.149
Source: unknown	TCP traffic detected without corresponding DNS query: 160.227.81.22
Source: unknown	TCP traffic detected without corresponding DNS query: 156.87.251.190
Source: unknown	TCP traffic detected without corresponding DNS query: 87.127.18.159
Source: unknown	TCP traffic detected without corresponding DNS query: 35.49.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 255.92.209.243
Source: unknown	TCP traffic detected without corresponding DNS query: 192.232.208.136
Source: unknown	TCP traffic detected without corresponding DNS query: 31.100.170.253
Source: unknown	TCP traffic detected without corresponding DNS query: 185.17.188.238
Source: unknown	TCP traffic detected without corresponding DNS query: 89.194.161.18
Source: unknown	TCP traffic detected without corresponding DNS query: 86.246.249.152
Source: unknown	TCP traffic detected without corresponding DNS query: 164.133.121.43
Source: unknown	TCP traffic detected without corresponding DNS query: 91.156.255.156
Source: unknown	TCP traffic detected without corresponding DNS query: 153.12.230.92
Source: unknown	TCP traffic detected without corresponding DNS query: 5.41.66.217
Source: unknown	TCP traffic detected without corresponding DNS query: 211.27.62.93
Source: unknown	TCP traffic detected without corresponding DNS query: 155.33.13.129
Source: unknown	TCP traffic detected without corresponding DNS query: 243.162.254.159
Source: unknown	TCP traffic detected without corresponding DNS query: 92.118.213.235
Source: unknown	TCP traffic detected without corresponding DNS query: 240.121.246.82
Source: unknown	TCP traffic detected without corresponding DNS query: 196.137.131.205
Source: unknown	TCP traffic detected without corresponding DNS query: 246.162.150.3
Source: unknown	TCP traffic detected without corresponding DNS query: 151.130.194.29
Source: unknown	TCP traffic detected without corresponding DNS query: 207.80.114.120
Source: unknown	TCP traffic detected without corresponding DNS query: 17.254.113.95
Source: unknown	TCP traffic detected without corresponding DNS query: 78.160.7.163
Source: unknown	TCP traffic detected without corresponding DNS query: 90.27.52.240
Source: unknown	TCP traffic detected without corresponding DNS query: 42.119.61.176

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/dNLKZA6IVs (PID: 6242)

SIGKILL sent: pid: 936, result: successful

Source: Initial sample	String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample	String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'

Source: classification engine

Classification label: mal76.troj.lin@0/0@46/0

Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/491/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/793/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/772/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/796/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/774/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/797/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/777/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/799/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/658/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/912/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/759/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/936/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/918/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/1/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/761/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/785/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/884/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/720/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/721/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/788/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/789/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/800/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/801/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/847/fd
Source: /tmp/dNLKZA6IVs (PID: 6242)	File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43848
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43854
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43864
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 43900

Source: /tmp/dNLKZA6IVs (PID: 6231)

Queries kernel information via 'uname':

Source: dNLKZA6IVs, 6231.1.000055d649b2a000.000055d649c58000.rw-.sdmp, dNLKZA6IVs, 6329.1.000055d649b2a000.000055d649c58000.rw-.sdmp, dNLKZA6IVs, 6243.1.000055d649b2a000.000055d649c58000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: dNLKZA6IVs, 6231.1.00007ffce2172000.00007ffce2193000.rw-.sdmp, dNLKZA6IVs, 6329.1.00007ffce2172000.00007ffce2193000.rw-.sdmp, dNLKZA6IVs, 6243.1.00007ffce2172000.00007ffce2193000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/dNLKZA6IVsSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/dNLKZA6IVs
Source: dNLKZA6IVs, 6231.1.000055d649b2a000.000055d649c58000.rw-.sdmp, dNLKZA6IVs, 6329.1.000055d649b2a000.000055d649c58000.rw-.sdmp, dNLKZA6IVs, 6243.1.000055d649b2a000.000055d649c58000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: dNLKZA6IVs, 6231.1.00007ffce2172000.00007ffce2193000.rw-.sdmp, dNLKZA6IVs, 6329.1.00007ffce2172000.00007ffce2193000.rw-.sdmp, dNLKZA6IVs, 6243.1.00007ffce2172000.00007ffce2193000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: dNLKZA6IVs, type: SAMPLE
Source: Yara match	File source: 6329.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6231.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6243.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: dNLKZA6IVs, type: SAMPLE
Source: Yara match	File source: 6329.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6231.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6243.1.00007f5c4c017000.00007f5c4c02e000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dNLKZA6IVs	44%	Virustotal		Browse
dNLKZA6IVs	34%	Metadefender		Browse
dNLKZA6IVs	73%	ReversingLabs	Linux.Trojan.Mirai
dNLKZA6IVs	100%	Avira	LINUX/Mirai.krmnq

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	12%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	46.23.109.40	true	true	12%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
140.245.130.189	unknown	United States	22488	CENGAGE-NYALBUS	false
179.99.190.111	unknown	Brazil	27699	TELEFONICABRASILSABR	false
160.177.155.129	unknown	Morocco	36903	MT-MPLSMA	false
163.39.57.194	unknown	United States	1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	false
252.34.227.164	unknown	Reserved	unknown	unknown	false
116.100.223.37	unknown	Viet Nam	24086	VIETTEL-AS-VNViettelCorporationVN	false
157.117.193.135	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
147.196.107.48	unknown	France	2527	SO-NETSo-netEntertainmentCorporationJP	false
115.21.18.96	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
71.56.55.19	unknown	United States	7922	COMCAST-7922US	false
187.188.56.79	unknown	Mexico	22884	TOTALPLAYTELECOMUNICACIONESSADECVMX	false
42.25.215.245	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
104.156.153.64	unknown	United States	32391	SRCACCESSUS	false
95.106.170.150	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
84.35.150.57	unknown	Netherlands	21221	INFOPACT-ASTheNetherlandsNL	false
40.220.55.208	unknown	United States	4249	LILLY-ASUS	false
124.207.149.250	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
125.193.114.56	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
253.132.90.144	unknown	Reserved	unknown	unknown	false
41.97.15.205	unknown	Algeria	36947	ALGTEL-ASDZ	false
47.101.21.217	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
200.164.68.140	unknown	Brazil	7738	TelemarNorteLesteSABR	false
216.107.146.42	unknown	United States	20278	NEXEONUS	false
106.10.231.220	unknown	Singapore	56173	YAHOO-SG3internetcontentproviderSG	false
248.239.3.124	unknown	Reserved	unknown	unknown	false
206.176.20.180	unknown	United States	22851	NSU-SDUS	false
178.178.13.56	unknown	Russian Federation	25159	SONICDUO-ASRU	false
221.4.223.185	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
149.109.163.226	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
54.44.2.152	unknown	United States	14618	AMAZON-AESUS	false
62.78.181.0	unknown	Finland	16086	DNAFI	false
154.91.52.21	unknown	Seychelles	62468	VPSQUANUS	false
163.151.39.94	unknown	United States	36161	WESTCHESTERCOUNTY-NYUS	false
181.152.32.197	unknown	Colombia	26611	COMCELSACO	false
108.28.236.149	unknown	United States	701	UUNETUS	false
111.6.69.172	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
78.93.243.132	unknown	Saudi Arabia	25233	AWALNET-ASNSA	false
60.87.12.18	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
119.107.244.169	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
18.163.241.145	unknown	United States	16509	AMAZON-02US	false
126.58.95.160	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
72.23.5.57	unknown	United States	27364	ACS-INTERNETUS	false
44.97.4.214	unknown	United States	7377	UCSDUS	false
45.244.146.89	unknown	Egypt	24863	LINKdotNET-ASEG	false
251.106.255.31	unknown	Reserved	unknown	unknown	false
65.67.37.241	unknown	United States	7018	ATT-INTERNET4US	false
253.194.92.93	unknown	Reserved	unknown	unknown	false
146.122.131.195	unknown	United States	22216	SIEMENS-PLMUS	false
193.89.106.134	unknown	Denmark	3292	TDCTDCASDK	false
23.54.60.124	unknown	United States	16625	AKAMAI-ASUS	false
27.193.150.188	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
200.246.226.12	unknown	Brazil	4230	CLAROSABR	false
187.123.171.57	unknown	Brazil	28573	CLAROSABR	false
81.221.46.157	unknown	Switzerland	1836	GREENgreenchAGAutonomousSystemEU	false
189.6.24.53	unknown	Brazil	28573	CLAROSABR	false
65.71.94.243	unknown	United States	7018	ATT-INTERNET4US	false
117.241.122.77	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
95.25.159.118	unknown	Russian Federation	3216	SOVAM-ASRU	false
36.228.128.198	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
158.193.226.165	unknown	Slovakia (SLOVAK Republic)	2607	SANETSlovakAcademicNetworkSK	false
12.122.193.204	unknown	United States	7018	ATT-INTERNET4US	false
92.29.42.240	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
2.46.240.136	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
124.20.249.100	unknown	China	7497	CSTNET-AS-APComputerNetworkInformationCenterCN	false
103.117.108.117	unknown	Bangladesh	137935	ILIS-AS-APILinkInternetServiceBD	false
36.73.61.185	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
80.178.27.50	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	false
163.52.238.118	unknown	unknown	2516	KDDIKDDICORPORATIONJP	false
203.198.234.145	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
201.103.48.20	unknown	Mexico	8151	UninetSAdeCVMX	false
57.46.12.214	unknown	Belgium	2686	ATGS-MMD-ASUS	false
36.70.155.73	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
78.200.186.78	unknown	France	12322	PROXADFR	false
162.5.107.138	unknown	United States	33348	PIERCE-COUNTYUS	false
20.35.186.177	unknown	United States	8070	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
178.122.24.177	unknown	Belarus	6697	BELPAK-ASBELPAKBY	false
162.97.87.246	unknown	United States	3356	LEVEL3US	false
41.145.10.73	unknown	South Africa	5713	SAIX-NETZA	false
155.244.147.141	unknown	United States	668	DNIC-AS-00668US	false
87.122.200.234	unknown	Germany	8881	VERSATELDE	false
121.17.44.98	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
136.104.45.67	unknown	United States	60311	ONEFMCH	false
242.147.54.104	unknown	Reserved	unknown	unknown	false
211.173.176.209	unknown	Korea Republic of	18313	PCN-AS-KRLGHelloVisionCorpKR	false
101.8.76.224	unknown	Taiwan; Republic of China (ROC)	701	UUNETUS	false
112.12.163.146	unknown	China	56041	CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC	false
104.33.227.124	unknown	United States	20001	TWC-20001-PACWESTUS	false
17.205.243.220	unknown	United States	714	APPLE-ENGINEERINGUS	false
181.12.5.240	unknown	Argentina	7303	TelecomArgentinaSAAR	false
101.174.190.113	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
57.238.159.174	unknown	Belgium	2686	ATGS-MMD-ASUS	false
17.132.134.142	unknown	United States	714	APPLE-ENGINEERINGUS	false
120.171.58.235	unknown	Indonesia	4761	INDOSAT-INP-APINDOSATInternetNetworkProviderID	false
124.115.165.91	unknown	China	4835	CHINANET-IDC-SNChinaTelecomGroupCN	false
178.107.239.74	unknown	United Kingdom	12576	EELtdGB	false
37.182.243.58	unknown	Italy	30722	VODAFONE-IT-ASNIT	false
209.79.27.199	unknown	United States	32492	DANAUS	false
74.11.108.131	unknown	United States	7029	WINDSTREAMUS	false
37.113.150.151	unknown	Russian Federation	41661	ERTH-CHEL-ASRU	false
90.152.66.151	unknown	United Kingdom	8220	COLTCOLTTechnologyServicesGroupLimitedGB	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.130935158584685
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	dNLKZA6IVs
File size:	95440
MD5:	407a38109a75cc3a5845952e359e2255
SHA1:	d75de51babdf08188f91d4e854160349e5c0185e
SHA256:	6874279cf48edce8cef28cce5c397462f5eadad07887dfabfb8caccf5899c436
SHA512:	291ef493c14caecfa5c2b69ebad48edc8df741f9c454562bc0e0322dc917c6d252672f116767f52f4d4a7dda299c260551decbd2f367531c16b9bbae3aa49a3e
SSDEEP:	1536:OM8MGxYUd9YdLabp+1xOOLnRVTSphZ6CqhaSbuqL3Csvc3JY4h:iBx/di6E6OLnbO3ohYE/c5vh
TLSH:	8E9349C1B881A626C6D152BBFF5F418C331697A8D2DA33128C295F61778E92F0E37749
File Content Preview:	.ELF...a..........(.........4...@s......4. ...(......................k...k...............k...k...k......$3..........Q.td..................................-...L."...zR..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	95040
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x14a20	0x0	0x6	AX	16
.fini	PROGBITS	0x1cad0	0x14ad0	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1cae4	0x14ae4	0x2104	0x0	0x2	A	4
.ctors	PROGBITS	0x26bec	0x16bec	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x26bf4	0x16bf4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x26c00	0x16c00	0x700	0x0	0x3	WA	4
.bss	NOBITS	0x27300	0x17300	0x2c10	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x17300	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x16be8	0x16be8	6.1474	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x16bec	0x26bec	0x26bec	0x714	0x3324	4.3733	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 07:05:48.543663979 CEST	7547	52808	105.110.101.85	192.168.2.23
Aug 6, 2022 07:05:48.543857098 CEST	52808	7547	192.168.2.23	105.110.101.85
Aug 6, 2022 07:05:48.544434071 CEST	7547	52802	105.110.101.85	192.168.2.23
Aug 6, 2022 07:05:48.544549942 CEST	52802	7547	192.168.2.23	105.110.101.85
Aug 6, 2022 07:05:49.041810036 CEST	7547	52808	105.110.101.85	192.168.2.23
Aug 6, 2022 07:05:49.042152882 CEST	52808	7547	192.168.2.23	105.110.101.85
Aug 6, 2022 07:05:49.043477058 CEST	7547	52802	105.110.101.85	192.168.2.23
Aug 6, 2022 07:05:49.043653965 CEST	52802	7547	192.168.2.23	105.110.101.85
Aug 6, 2022 07:05:49.539753914 CEST	7547	52808	105.110.101.85	192.168.2.23
Aug 6, 2022 07:05:49.540065050 CEST	52808	7547	192.168.2.23	105.110.101.85
Aug 6, 2022 07:05:49.540445089 CEST	7547	52802	105.110.101.85	192.168.2.23
Aug 6, 2022 07:05:49.540549040 CEST	52802	7547	192.168.2.23	105.110.101.85
Aug 6, 2022 07:05:50.648637056 CEST	47362	23	192.168.2.23	202.183.87.80
Aug 6, 2022 07:05:50.648715019 CEST	47362	23	192.168.2.23	36.42.218.83
Aug 6, 2022 07:05:50.648736000 CEST	47362	23	192.168.2.23	194.196.235.203
Aug 6, 2022 07:05:50.648781061 CEST	47362	23	192.168.2.23	13.73.112.158
Aug 6, 2022 07:05:50.648782015 CEST	47362	23	192.168.2.23	150.164.107.187
Aug 6, 2022 07:05:50.648782969 CEST	47362	23	192.168.2.23	216.199.69.80
Aug 6, 2022 07:05:50.648797035 CEST	47362	23	192.168.2.23	173.207.17.142
Aug 6, 2022 07:05:50.648843050 CEST	47362	23	192.168.2.23	213.127.78.7
Aug 6, 2022 07:05:50.648845911 CEST	47362	23	192.168.2.23	203.182.69.185
Aug 6, 2022 07:05:50.648847103 CEST	47362	23	192.168.2.23	205.173.56.210
Aug 6, 2022 07:05:50.648849010 CEST	47362	23	192.168.2.23	85.228.242.238
Aug 6, 2022 07:05:50.648859024 CEST	47362	23	192.168.2.23	1.74.17.104
Aug 6, 2022 07:05:50.648885012 CEST	47362	23	192.168.2.23	92.244.110.210
Aug 6, 2022 07:05:50.648916960 CEST	47362	23	192.168.2.23	249.5.201.220
Aug 6, 2022 07:05:50.648941040 CEST	47362	23	192.168.2.23	177.139.176.115
Aug 6, 2022 07:05:50.648947954 CEST	47362	23	192.168.2.23	124.42.216.148
Aug 6, 2022 07:05:50.648960114 CEST	47362	23	192.168.2.23	58.28.185.231
Aug 6, 2022 07:05:50.648967028 CEST	47362	23	192.168.2.23	106.155.249.145
Aug 6, 2022 07:05:50.648983955 CEST	47362	23	192.168.2.23	158.216.238.194
Aug 6, 2022 07:05:50.648989916 CEST	47362	23	192.168.2.23	250.119.196.96
Aug 6, 2022 07:05:50.649002075 CEST	47362	23	192.168.2.23	141.250.43.84
Aug 6, 2022 07:05:50.649003029 CEST	47362	23	192.168.2.23	198.17.151.16
Aug 6, 2022 07:05:50.649012089 CEST	47362	23	192.168.2.23	125.125.170.224
Aug 6, 2022 07:05:50.649023056 CEST	47362	23	192.168.2.23	136.235.223.149
Aug 6, 2022 07:05:50.649030924 CEST	47362	23	192.168.2.23	160.227.81.22
Aug 6, 2022 07:05:50.649045944 CEST	47362	23	192.168.2.23	156.87.251.190
Aug 6, 2022 07:05:50.649056911 CEST	47362	23	192.168.2.23	87.127.18.159
Aug 6, 2022 07:05:50.649074078 CEST	47362	23	192.168.2.23	35.49.77.188
Aug 6, 2022 07:05:50.649080992 CEST	47362	23	192.168.2.23	255.92.209.243
Aug 6, 2022 07:05:50.649084091 CEST	47362	23	192.168.2.23	192.232.208.136
Aug 6, 2022 07:05:50.649097919 CEST	47362	23	192.168.2.23	31.100.170.253
Aug 6, 2022 07:05:50.649118900 CEST	47362	23	192.168.2.23	185.17.188.238
Aug 6, 2022 07:05:50.649125099 CEST	47362	23	192.168.2.23	89.194.161.18
Aug 6, 2022 07:05:50.649131060 CEST	47362	23	192.168.2.23	86.246.249.152
Aug 6, 2022 07:05:50.649147987 CEST	47362	23	192.168.2.23	164.133.121.43
Aug 6, 2022 07:05:50.649158955 CEST	47362	23	192.168.2.23	91.156.255.156
Aug 6, 2022 07:05:50.649162054 CEST	47362	23	192.168.2.23	153.12.230.92
Aug 6, 2022 07:05:50.649183035 CEST	47362	23	192.168.2.23	5.41.66.217
Aug 6, 2022 07:05:50.649185896 CEST	47362	23	192.168.2.23	211.27.62.93
Aug 6, 2022 07:05:50.649199963 CEST	47362	23	192.168.2.23	155.33.13.129
Aug 6, 2022 07:05:50.649208069 CEST	47362	23	192.168.2.23	243.162.254.159
Aug 6, 2022 07:05:50.649224043 CEST	47362	23	192.168.2.23	92.118.213.235
Aug 6, 2022 07:05:50.649243116 CEST	47362	23	192.168.2.23	240.121.246.82
Aug 6, 2022 07:05:50.649245024 CEST	47362	23	192.168.2.23	196.137.131.205
Aug 6, 2022 07:05:50.649259090 CEST	47362	23	192.168.2.23	246.162.150.3
Aug 6, 2022 07:05:50.649274111 CEST	47362	23	192.168.2.23	151.130.194.29
Aug 6, 2022 07:05:50.649276018 CEST	47362	23	192.168.2.23	207.80.114.120
Aug 6, 2022 07:05:50.649292946 CEST	47362	23	192.168.2.23	17.254.113.95
Aug 6, 2022 07:05:50.649296045 CEST	47362	23	192.168.2.23	217.110.29.85
Aug 6, 2022 07:05:50.649302006 CEST	47362	23	192.168.2.23	78.160.7.163
Aug 6, 2022 07:05:50.649322987 CEST	47362	23	192.168.2.23	90.27.52.240
Aug 6, 2022 07:05:50.649327040 CEST	47362	23	192.168.2.23	42.119.61.176
Aug 6, 2022 07:05:50.649328947 CEST	47362	23	192.168.2.23	92.17.155.224
Aug 6, 2022 07:05:50.649333954 CEST	47362	23	192.168.2.23	38.50.189.207
Aug 6, 2022 07:05:50.649347067 CEST	47362	23	192.168.2.23	103.144.200.63
Aug 6, 2022 07:05:50.649354935 CEST	47362	23	192.168.2.23	13.81.50.119
Aug 6, 2022 07:05:50.649367094 CEST	47362	23	192.168.2.23	95.3.112.196
Aug 6, 2022 07:05:50.649377108 CEST	47362	23	192.168.2.23	210.46.111.149
Aug 6, 2022 07:05:50.649380922 CEST	47362	23	192.168.2.23	156.65.137.130
Aug 6, 2022 07:05:50.649400949 CEST	47362	23	192.168.2.23	142.131.208.248
Aug 6, 2022 07:05:50.649420977 CEST	47362	23	192.168.2.23	155.133.46.75
Aug 6, 2022 07:05:50.649452925 CEST	47362	23	192.168.2.23	206.98.210.239
Aug 6, 2022 07:05:50.649483919 CEST	47362	23	192.168.2.23	193.23.107.187
Aug 6, 2022 07:05:50.649487019 CEST	47362	23	192.168.2.23	187.61.76.89
Aug 6, 2022 07:05:50.649496078 CEST	47362	23	192.168.2.23	75.104.247.250
Aug 6, 2022 07:05:50.649521112 CEST	47362	23	192.168.2.23	45.234.120.175
Aug 6, 2022 07:05:50.649544001 CEST	47362	23	192.168.2.23	89.170.84.70
Aug 6, 2022 07:05:50.649544954 CEST	47362	23	192.168.2.23	71.246.183.81
Aug 6, 2022 07:05:50.649553061 CEST	47362	23	192.168.2.23	155.38.18.52
Aug 6, 2022 07:05:50.649564981 CEST	47362	23	192.168.2.23	218.174.172.252
Aug 6, 2022 07:05:50.649565935 CEST	47362	23	192.168.2.23	164.50.136.168
Aug 6, 2022 07:05:50.649568081 CEST	47362	23	192.168.2.23	38.6.96.163
Aug 6, 2022 07:05:50.649585009 CEST	47362	23	192.168.2.23	112.124.224.44
Aug 6, 2022 07:05:50.649596930 CEST	47362	23	192.168.2.23	12.103.117.19
Aug 6, 2022 07:05:50.649604082 CEST	47362	23	192.168.2.23	177.56.17.28
Aug 6, 2022 07:05:50.649607897 CEST	47362	23	192.168.2.23	5.70.70.210
Aug 6, 2022 07:05:50.649616003 CEST	47362	23	192.168.2.23	95.210.230.145
Aug 6, 2022 07:05:50.649622917 CEST	47362	23	192.168.2.23	18.169.152.105
Aug 6, 2022 07:05:50.649631023 CEST	47362	23	192.168.2.23	48.170.249.160
Aug 6, 2022 07:05:50.649636984 CEST	47362	23	192.168.2.23	32.73.40.239
Aug 6, 2022 07:05:50.649655104 CEST	47362	23	192.168.2.23	82.8.134.203
Aug 6, 2022 07:05:50.649672031 CEST	47362	23	192.168.2.23	206.100.116.87
Aug 6, 2022 07:05:50.649683952 CEST	47362	23	192.168.2.23	185.185.88.113
Aug 6, 2022 07:05:50.649693012 CEST	47362	23	192.168.2.23	241.13.155.48
Aug 6, 2022 07:05:50.649710894 CEST	47362	23	192.168.2.23	147.84.192.56
Aug 6, 2022 07:05:50.649727106 CEST	47362	23	192.168.2.23	145.149.231.21
Aug 6, 2022 07:05:50.649739981 CEST	47362	23	192.168.2.23	59.61.192.81
Aug 6, 2022 07:05:50.649763107 CEST	47362	23	192.168.2.23	188.221.224.134

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2022 07:05:50.702507019 CEST	192.168.2.23	8.8.8.8	0x54be	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:05:54.752630949 CEST	192.168.2.23	8.8.8.8	0xfd19	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:04.801067114 CEST	192.168.2.23	8.8.8.8	0x7ed2	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:10.870327950 CEST	192.168.2.23	8.8.8.8	0x901	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:13.919563055 CEST	192.168.2.23	8.8.8.8	0x4d1d	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:23.967844963 CEST	192.168.2.23	8.8.8.8	0xc51e	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:34.017163992 CEST	192.168.2.23	8.8.8.8	0x7948	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:41.095558882 CEST	192.168.2.23	8.8.8.8	0x3ffa	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:51.144331932 CEST	192.168.2.23	8.8.8.8	0x3dcb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:00.192339897 CEST	192.168.2.23	8.8.8.8	0x4f47	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:08.239928961 CEST	192.168.2.23	8.8.8.8	0xb150	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:11.288945913 CEST	192.168.2.23	8.8.8.8	0x7f91	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:19.338779926 CEST	192.168.2.23	8.8.8.8	0xdeb1	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:27.385957003 CEST	192.168.2.23	8.8.8.8	0xbb86	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:28.435435057 CEST	192.168.2.23	8.8.8.8	0x1086	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:35.483746052 CEST	192.168.2.23	8.8.8.8	0x16d5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:37.544806004 CEST	192.168.2.23	8.8.8.8	0x9c30	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:40.602895021 CEST	192.168.2.23	8.8.8.8	0xa552	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:44.651293039 CEST	192.168.2.23	8.8.8.8	0xb4cf	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:49.700762987 CEST	192.168.2.23	8.8.8.8	0x261b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:59.748364925 CEST	192.168.2.23	8.8.8.8	0x4783	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:09.796504974 CEST	192.168.2.23	8.8.8.8	0xb28c	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:11.843915939 CEST	192.168.2.23	8.8.8.8	0x6c65	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:15.962863922 CEST	192.168.2.23	8.8.8.8	0x2e7	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:20.019285917 CEST	192.168.2.23	8.8.8.8	0x261c	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:21.067440033 CEST	192.168.2.23	8.8.8.8	0xe77a	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:29.115253925 CEST	192.168.2.23	8.8.8.8	0xd4bf	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:32.161578894 CEST	192.168.2.23	8.8.8.8	0x5241	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:39.616389990 CEST	192.168.2.23	8.8.8.8	0x54be	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:41.209120035 CEST	192.168.2.23	8.8.8.8	0x3989	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:43.674951077 CEST	192.168.2.23	8.8.8.8	0xfd19	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:49.257905006 CEST	192.168.2.23	8.8.8.8	0x4b22	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:52.303738117 CEST	192.168.2.23	8.8.8.8	0xcee4	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:53.720870018 CEST	192.168.2.23	8.8.8.8	0x7ed2	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:55.352310896 CEST	192.168.2.23	8.8.8.8	0xc7de	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:58.767436981 CEST	192.168.2.23	8.8.8.8	0x901	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:00.400082111 CEST	192.168.2.23	8.8.8.8	0x4610	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:01.827549934 CEST	192.168.2.23	8.8.8.8	0x4d1d	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:03.446547985 CEST	192.168.2.23	8.8.8.8	0xc471	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:07.495101929 CEST	192.168.2.23	8.8.8.8	0xf3b9	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:11.875713110 CEST	192.168.2.23	8.8.8.8	0xc51e	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:16.541476965 CEST	192.168.2.23	8.8.8.8	0x18f3	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:19.592694998 CEST	192.168.2.23	8.8.8.8	0xb147	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:21.966418028 CEST	192.168.2.23	8.8.8.8	0x7948	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:22.641074896 CEST	192.168.2.23	8.8.8.8	0x3f83	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:23.690777063 CEST	192.168.2.23	8.8.8.8	0x937d	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 6, 2022 07:05:50.719547033 CEST	8.8.8.8	192.168.2.23	0x54be	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:05:54.772036076 CEST	8.8.8.8	192.168.2.23	0xfd19	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:04.818865061 CEST	8.8.8.8	192.168.2.23	0x7ed2	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:10.890026093 CEST	8.8.8.8	192.168.2.23	0x901	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:13.938627958 CEST	8.8.8.8	192.168.2.23	0x4d1d	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:23.987060070 CEST	8.8.8.8	192.168.2.23	0xc51e	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:34.037628889 CEST	8.8.8.8	192.168.2.23	0x7948	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:41.115243912 CEST	8.8.8.8	192.168.2.23	0x3ffa	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:06:51.163902998 CEST	8.8.8.8	192.168.2.23	0x3dcb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:00.210024118 CEST	8.8.8.8	192.168.2.23	0x4f47	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:08.259632111 CEST	8.8.8.8	192.168.2.23	0xb150	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:11.308566093 CEST	8.8.8.8	192.168.2.23	0x7f91	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:19.356323004 CEST	8.8.8.8	192.168.2.23	0xdeb1	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:27.405544043 CEST	8.8.8.8	192.168.2.23	0xbb86	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:28.455080032 CEST	8.8.8.8	192.168.2.23	0x1086	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:35.504062891 CEST	8.8.8.8	192.168.2.23	0x16d5	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:37.573424101 CEST	8.8.8.8	192.168.2.23	0x9c30	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:40.622441053 CEST	8.8.8.8	192.168.2.23	0xa552	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:44.670378923 CEST	8.8.8.8	192.168.2.23	0xb4cf	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:49.720315933 CEST	8.8.8.8	192.168.2.23	0x261b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:07:59.768058062 CEST	8.8.8.8	192.168.2.23	0x4783	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:09.814372063 CEST	8.8.8.8	192.168.2.23	0xb28c	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:11.875591993 CEST	8.8.8.8	192.168.2.23	0x6c65	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:15.982000113 CEST	8.8.8.8	192.168.2.23	0x2e7	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:20.038809061 CEST	8.8.8.8	192.168.2.23	0x261c	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:21.084737062 CEST	8.8.8.8	192.168.2.23	0xe77a	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:29.132872105 CEST	8.8.8.8	192.168.2.23	0xd4bf	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:32.180759907 CEST	8.8.8.8	192.168.2.23	0x5241	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:39.635659933 CEST	8.8.8.8	192.168.2.23	0x54be	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:41.228621960 CEST	8.8.8.8	192.168.2.23	0x3989	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:43.692435980 CEST	8.8.8.8	192.168.2.23	0xfd19	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:49.274925947 CEST	8.8.8.8	192.168.2.23	0x4b22	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:52.323026896 CEST	8.8.8.8	192.168.2.23	0xcee4	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:53.738450050 CEST	8.8.8.8	192.168.2.23	0x7ed2	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:55.369638920 CEST	8.8.8.8	192.168.2.23	0xc7de	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:08:58.795795918 CEST	8.8.8.8	192.168.2.23	0x901	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:00.417481899 CEST	8.8.8.8	192.168.2.23	0x4610	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:01.847336054 CEST	8.8.8.8	192.168.2.23	0x4d1d	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:03.466379881 CEST	8.8.8.8	192.168.2.23	0xc471	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:07.512717009 CEST	8.8.8.8	192.168.2.23	0xf3b9	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:11.894723892 CEST	8.8.8.8	192.168.2.23	0xc51e	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:16.560956955 CEST	8.8.8.8	192.168.2.23	0x18f3	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:19.612413883 CEST	8.8.8.8	192.168.2.23	0xb147	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:21.986105919 CEST	8.8.8.8	192.168.2.23	0x7948	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:22.660722971 CEST	8.8.8.8	192.168.2.23	0x3f83	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:09:23.710640907 CEST	8.8.8.8	192.168.2.23	0x937d	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: dNLKZA6IVs PID: 6231, Parent PID: 6125

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	/tmp/dNLKZA6IVs
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6233, Parent PID: 6231

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6234, Parent PID: 6231

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6235, Parent PID: 6231

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6238, Parent PID: 6231

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6242, Parent PID: 6238

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6329, Parent PID: 6242

General

Start time:	07:08:38
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: dNLKZA6IVs PID: 6243, Parent PID: 6238

General

Start time:	07:05:49
Start date:	06/08/2022
Path:	/tmp/dNLKZA6IVs
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report dNLKZA6IVs

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: dNLKZA6IVs PID: 6231, Parent PID: 6125

General

Analysis Process: dNLKZA6IVs PID: 6233, Parent PID: 6231

General

Analysis Process: dNLKZA6IVs PID: 6234, Parent PID: 6231

General

Analysis Process: dNLKZA6IVs PID: 6235, Parent PID: 6231

General

Analysis Process: dNLKZA6IVs PID: 6238, Parent PID: 6231

General

Analysis Process: dNLKZA6IVs PID: 6242, Parent PID: 6238

General

Analysis Process: dNLKZA6IVs PID: 6329, Parent PID: 6242

General

Analysis Process: dNLKZA6IVs PID: 6243, Parent PID: 6238

General

Linux Analysis Report
dNLKZA6IVs