
Linux Analysis Report
35JTigDQD0.elf

Overview

General Information

Sample Name: 35JTigDQD0.elf
Analysis ID: 755694
MD5: 0fbe8cba363d1ca3de62343266244286
SHA1: d2ce4c0b48b3075ad04370b9639a6f6ce2a1d20c
SHA256: 95374214630d9aa7c9d8dccb051df549cc1c7dbc21dda9285857344064012e4e
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answer; the sample is likely an old dropper that no longer works.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 755694
Start date and time: 2022-11-29 02:20:00 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 35JTigDQD0.elf
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal80.troj.evad.linELF@0/0@0/0
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
Command: /tmp/35JTigDQD0.elf
PID: 6234
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Connected To CNC
Standard Error:
  • system is lnxubuntu20
  • cleanup
Yara matches (Source; Rule; Description; Author):
Source: dump.pcap; Rule: JoeSecurity_Mirai_12; Description: Yara detected Mirai; Author: Joe Security
Source: 6237.1.00007f994c455000.00007f994c457000.rw-.sdmp; Rule: SUSP_XORed_Mozilla; Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.; Author: Florian Roth
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp; Rule: SUSP_XORed_Mozilla; Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.; Author: Florian Roth
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp; Rule: MAL_ELF_LNX_Mirai_Oct10_2; Description: Detects ELF malware Mirai related; Author: Florian Roth
  • 0x13e50:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp; Rule: JoeSecurity_Mirai_5; Description: Yara detected Mirai; Author: Joe Security
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp; Rule: SUSP_XORed_Mozilla; Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.; Author: Florian Roth
      No Snort rule has matched


      AV Detection

Source: 35JTigDQD0.elf; ReversingLabs: Detection: 56%
Source: 35JTigDQD0.elf; Virustotal: Detection: 39%

      Networking

Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57126
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57166
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57176
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57178
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57180
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57182
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57184
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57186
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57188
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 57210
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51494
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51498
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51500
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51504
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51506
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51508
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51514
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51520
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51522
Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51526
Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic; TCP traffic: 192.168.2.23:51412 -> 84.21.172.198:1312
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443
Source: 35JTigDQD0.elf; String found in binary or memory: http://upx.sf.net

      System Summary

Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related; Author: Florian Roth
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related; Author: Florian Roth
Source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related; Author: Florian Roth
Source: LOAD without section mappings; Program segment: 0x100000
Source: 6237.1.00007f994c455000.00007f994c457000.rw-.sdmp, type: MEMORY; Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 6243.1.00007f994c455000.00007f994c457000.rw-.sdmp, type: MEMORY; Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007f994c455000.00007f994c457000.rw-.sdmp, type: MEMORY; Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY; Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: classification engine; Classification label: mal80.troj.evad.linELF@0/0@0/0

      Data Obfuscation

Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

      Hooking and other Techniques for Hiding and Protection

Source: 35JTigDQD0.elf; Submission file: segment LOAD with 7.9036 entropy (max. 8.0)
Source: /tmp/35JTigDQD0.elf (PID: 6234); Queries kernel information via 'uname':
Source: 35JTigDQD0.elf, 6234.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/35JTigDQD0.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/35JTigDQD0.elf
Source: 35JTigDQD0.elf, 6234.1.0000558506145000.00005585061ec000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.0000558506145000.00005585061cc000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.0000558506145000.00005585061cc000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 35JTigDQD0.elf, 6234.1.0000558506145000.00005585061ec000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.0000558506145000.00005585061cc000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.0000558506145000.00005585061cc000.rw-.sdmp; Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: 35JTigDQD0.elf, 6234.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6237.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp, 35JTigDQD0.elf, 6243.1.00007ffdb4a60000.00007ffdb4a81000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-mipsel

      Stealing of Sensitive Information

Source: Yara match; File source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: dump.pcap, type: PCAP

      Remote Access Functionality

Source: Yara match; File source: 6237.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6243.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6234.1.00007f994c400000.00007f994c415000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (one line per tactic, techniques listed in the report's order, leading numbers kept as printed):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 11 Obfuscated Files or Information; Rootkit; Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: 1 Encrypted Channel; 11 Non-Standard Port; 1 Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data
      No configs have been found
Behavior Graph (ID: 755694; Sample: 35JTigDQD0.elf; Start date: 29/11/2022; Architecture: LINUX; Score: 80). Contacted hosts shown in the graph: 89.18.129.68 (WIPLINE-ASRU, Russian Federation), 161.172.49.114 (WAL-MARTUS, United States) and 98 other IPs or domains. Signatures shown: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; 2 other signatures. Process tree: 35JTigDQD0.elf started and spawned three 35JTigDQD0.elf child processes; the first of these in turn spawned three more 35JTigDQD0.elf processes.
Antivirus detection (Source; Detection; Scanner; Label):
Source: 35JTigDQD0.elf; Detection: 56%; Scanner: ReversingLabs; Label: Linux.Trojan.Mirai
Source: 35JTigDQD0.elf; Detection: 40%; Scanner: Virustotal
      No Antivirus matches
      No contacted domains info
URLs (Name; Source; Malicious; Antivirus Detection; Reputation):
Name: http://upx.sf.net; Source: 35JTigDQD0.elf; Malicious: false; Reputation: high
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
        IPDomainCountryFlagASNASN NameMalicious
        No context
        No created / dropped files found
        File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
        Entropy (8bit):7.899963172523559
        TrID:
        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
        File name:35JTigDQD0.elf
        File size:30324
        MD5:0fbe8cba363d1ca3de62343266244286
        SHA1:d2ce4c0b48b3075ad04370b9639a6f6ce2a1d20c
        SHA256:95374214630d9aa7c9d8dccb051df549cc1c7dbc21dda9285857344064012e4e
        SHA512:139a29ed8475f877de14014f1ff383903732933af51698b10c5ebc635b03fb73133ff1634cd371d461d0f3dc6bad2737e9f86862b0989eaa5ff9556ec291c00a
        SSDEEP:768:D1uUtLrVDsAp6tLkF4FuetwEub4sU/M9g36KN0+YZ4JbKWUT:DbDs06t4BEub4sU/MbUHYZ4+T
        TLSH:ADD2E01CD94C7905C7AD3EB950DE55F6398C70C0A35DEA8E17268448FA2BA8BBC0B0F4
        File Content Preview:.ELF.....................b..4...........4. ...(.....................Mu..Mu...............[...[E..[E.................u...UPX!d........Z...Z......S..........?.E.h;....#......b.L#8....&C........}+..ze.aw....2"ds...:.Z...;.g...l.D.....t6/..N.."^.............+

        ELF header

        Class:
        Data:
        Version:
        Machine:
        Version Number:
        Type:
        OS/ABI:
        ABI Version:
        Entry Point Address:
        Flags:
        ELF Header Size:
        Program Header Offset:
        Program Header Size:
        Number of Program Headers:
        Section Header Offset:
        Section Header Size:
        Number of Section Headers:
        Header String Table Index:
Type  Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD  0x0     0x100000         0x100000          0x754d     0x754d       7.9036   0x5    R E                0x10000
LOAD  0x5b00  0x455b00         0x455b00          0x0        0x0          0.0000   0x6    RW                 0x10000
Timestamp  Source Port  Dest Port  Source IP  Dest IP

        System Behavior

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:/tmp/35JTigDQD0.elf
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:n/a
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:n/a
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:n/a
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:n/a
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:n/a
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time:02:20:44
Start date:29/11/2022
Path:/tmp/35JTigDQD0.elf
Arguments:n/a
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9