Linux Analysis Report
1crMLOq2cc

Overview

General Information

Sample Name:1crMLOq2cc
Original Sample Name:285602cd6b0ca73b1c857482cb25450f295c53b6cd12438b4dce1919092089ca
Analysis ID:843956
MD5:e8b43fa1b5d19995bb96bffe13af1e7c
SHA1:03c1e148221d04e340b660ccb3c446ffed43a47e
SHA256:285602cd6b0ca73b1c857482cb25450f295c53b6cd12438b4dce1919092089ca

Detection

Score:72
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Spawns processes using file descriptor names (likely to hide the executable path; typical of fileless malware)
Writes files located only in memory, i.e. not backed by a file on disk (anonymous files)
Writes ELF binaries located only in memory indicating fileless malware
Sample contains only a LOAD segment without any section mappings
Yara signature match
ELF contains segments with high entropy indicating compressed/encrypted content

Analysis Advice

Non-zero exit code suggests an error during the execution. Look up the exit code for hints. Here exit code 2 is the status the Go runtime returns for an unrecovered panic, and the panic on standard error ("panic: doh: all query failed", raised in main.getRouter from the package initialiser main.init.0) shows the sample aborted during initialisation because neither DNS-over-HTTPS lookup of gw.denonia.xyz returned a usable answer. Everything the report records therefore happened before the sample reached its controller; behaviour after a successful lookup was not observed in this run.
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:843956
Start date and time:2023-04-10 12:21:48 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 24s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:default
Sample file name:1crMLOq2cc
Original Sample Name:285602cd6b0ca73b1c857482cb25450f295c53b6cd12438b4dce1919092089ca
Detection:MAL
Classification:mal72.evad.lin@0/1@4/0
Warnings: the VirusTotal rate limit was hit for the strings below, so they carry no VT verdict. All but the two gw.denonia.xyz lookups are CRL/OCSP URLs from CA certificates, extracted together with trailing over-read bytes (see the string list under Networking); they are not indicators of this sample.
  • VT rate limit hit for: http://crl.chambersign.org/chambersignroot.crlrl
  • VT rate limit hit for: http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crl
  • VT rate limit hit for: http://crl.securetrust.com/SGCA.crlJapan
  • VT rate limit hit for: http://crl.securetrust.com/SGCA.crlSecurity
  • VT rate limit hit for: http://crl.securetrust.com/STCA.crl/etc/ssl/certs/Secure_Global_CA.pem/etc/ssl/certs/Secure_Global_C
  • VT rate limit hit for: http://crl.securetrust.com/STCA.crly
  • VT rate limit hit for: http://ocsp.suscerte.gob.ve
  • VT rate limit hit for: http://ocsp.suscerte.gob.ve0A
  • VT rate limit hit for: http://www.certplus.com/CRL/class2.crl/etc/ssl/certs/Certplus_Root_CA_G1.pem/etc/ssl/certs/Certplus_
  • VT rate limit hit for: http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl
  • VT rate limit hit for: http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0#
  • VT rate limit hit for: https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A
  • VT rate limit hit for: https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A1681129350-4757811-d815fd1fe85614b747
  • VT rate limit hit for: https://ocsp.quovadisoffshore.com/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem/etc/ssl/certs/QuoVadis_Roo
Command:/tmp/1crMLOq2cc
PID:9440
Exit Code:2
Exit Code Info:
Killed:False
Standard Output:

Standard Error:panic: doh: all query failed

goroutine 1 [running]:
main.getRouter()
/app/runtime.build/runtime.go:107 +0x1f3
main.init.0()
/app/runtime.build/runtime.go:129 +0xba
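The trace above shows the sample's initialisation (main.init.0 -> main.getRouter) resolving its controller address through the JSON DNS-over-HTTPS endpoints of Cloudflare and Google, and panicking when both lookups fail. Because each lookup is an ordinary HTTPS request to a reputable resolver, the name gw.denonia.xyz never reaches the local resolver and is only visible where TLS is terminated or decrypted, as in this sandbox. The Go program below is an added example, not code from the report or from the sample, that recovers the queried name from captured HTTP requests: it re-assembles the two requests the report shows as raw HTTP (constructed input), plus one unrelated request that must not match, and treats a request as DoH when it asks for a DNS media type in Accept or hits a known JSON-DoH path with a name= parameter. The struct fields and the jsonDoHPaths list are this example's own choices.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// DoHQuery is one DNS-over-HTTPS lookup recovered from a captured HTTP request.
type DoHQuery struct {
	Resolver  string // Host header, e.g. cloudflare-dns.com
	Name      string // the name actually being resolved, e.g. gw.denonia.xyz
	Type      string // record type from the query string ("A" in the report)
	UserAgent string
}

// jsonDoHPaths are the JSON-API paths of the two public resolvers seen in the report.
var jsonDoHPaths = map[string]bool{"/dns-query": true, "/resolve": true}

// parseDoH parses one raw HTTP/1.1 request and returns the DoH query it carries,
// or nil if the request is not a DNS lookup. A request counts as DoH when it asks
// for a DNS media type (application/dns-json or application/dns-message) or hits
// a known JSON-DoH path with a name= parameter. Wire-format (dns-message) lookups
// carry the name in the body, which is not decoded here, so Name may be empty.
func parseDoH(raw string) (*DoHQuery, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	accept := req.Header.Get("Accept")
	dnsMedia := strings.Contains(accept, "application/dns-json") ||
		strings.Contains(accept, "application/dns-message")
	name := req.URL.Query().Get("name")
	if !dnsMedia && !(jsonDoHPaths[req.URL.Path] && name != "") {
		return nil, nil
	}
	return &DoHQuery{
		Resolver:  req.Host,
		Name:      name,
		Type:      req.URL.Query().Get("type"),
		UserAgent: req.UserAgent(),
	}, nil
}

// extractQueries runs parseDoH over a batch of captured requests and keeps the hits.
func extractQueries(raws []string) ([]DoHQuery, error) {
	var out []DoHQuery
	for _, raw := range raws {
		q, err := parseDoH(raw)
		if err != nil {
			return nil, err
		}
		if q != nil {
			out = append(out, *q)
		}
	}
	return out, nil
}

// sampleRequests is constructed input: the two requests quoted in the report,
// re-assembled as raw HTTP, plus one unrelated request that must not match.
var sampleRequests = []string{
	"GET /dns-query?name=gw.denonia.xyz&type=A HTTP/1.1\r\n" +
		"Host: cloudflare-dns.com\r\n" +
		"User-Agent: GoKit XHTTP Client/0.17.0\r\n" +
		"Accept: application/dns-json\r\n" +
		"X-Http-Gokit-Requestid: 1681129350-4757811-d815fd1fe85614b74792628abdeb826078e39910\r\n" +
		"Accept-Encoding: gzip\r\n\r\n",
	"GET /resolve?name=gw.denonia.xyz&type=A HTTP/1.1\r\n" +
		"Host: dns.google.com\r\n" +
		"User-Agent: GoKit XHTTP Client/0.17.0\r\n" +
		"Accept: application/dns-json\r\n" +
		"X-Http-Gokit-Requestid: 1681129350-8971614-48aed712c4b42faca614aa0c1ca49bb578906888\r\n" +
		"Accept-Encoding: gzip\r\n\r\n",
	"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n\r\n",
}

func main() {
	qs, err := extractQueries(sampleRequests)
	if err != nil {
		panic(err)
	}
	for _, q := range qs {
		fmt.Printf("resolver=%s name=%s type=%s ua=%q\n", q.Resolver, q.Name, q.Type, q.UserAgent)
	}
}
```

Where TLS is not decrypted, the same activity is visible only as HTTPS to 104.16.249.249 and 8.8.8.8 (the addresses in the domain table further down) with SNI cloudflare-dns.com or dns.google.com. Since the resolvers themselves are benign, the practical control is to alert on, or block, outbound connections to public DoH endpoints from hosts that have no business using them, and to treat the name inside the query string, not the resolver, as the indicator.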
Process tree:
  • system is lnxubuntu1
  • 1crMLOq2cc (PID: 9440, Parent: 9373, MD5: e8b43fa1b5d19995bb96bffe13af1e7c) Arguments: /tmp/1crMLOq2cc
  • 3 (PID: 9440, Parent: 9373, MD5: unknown) Arguments: runtime_mem
  • cleanup

The second entry has the same PID and parent as the first: the sample replaced its own image with an execve of /proc/self/fd/3 (the anonymous file named runtime_mem) instead of spawning a child. The process name becomes the basename of that path, "3", and there is no on-disk file to hash, hence MD5: unknown.
Yara matches

Source | Rule | Description | Author | Strings
9440.1.0000000000401000.0000000000d4b000.r-x.sdmp | Linux_Cryptominer_Flystudio_0a370634 | unknown | unknown | 0x4dc9c3: $a: 72 D7 19 66 41 0F EF E9 66 0F EF EF 66 0F 6F FD 66 41 0F FE FD 66 44 0F
9440.1.0000000000401000.0000000000d4b000.r-x.sdmp | Linux_Trojan_Pornoasset_927f314f | unknown | unknown | 0x69e5d8: $a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48

Both hits are in the executable (r-x) mapping of the running process, i.e. in the unpacked code rather than in the UPX-packed file on disk, and each rule matches on a single code-byte pattern (its $a string). The two rules name different families and neither agrees with the AV labels further down (Linux.Trojan.Multiverze, Linux.Trojan.Generic), so read them as shared-code hints rather than an attribution.
No Snort rule has matched


AV Detection

Source: 1crMLOq2cc | ReversingLabs: Detection: 21%
Source: 1crMLOq2cc | Virustotal: Detection: 30%

Networking

Source: unknown | DNS traffic detected: queries for: dns.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53856
Source: unknown | Network traffic detected: HTTP traffic on port 51698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51698
Source: unknown | Network traffic detected: HTTP traffic on port 53856 -> 443
Source: global traffic | HTTP traffic detected:
  GET /dns-query?name=gw.denonia.xyz&type=A HTTP/1.1
  Host: cloudflare-dns.com
  User-Agent: GoKit XHTTP Client/0.17.0
  Accept: application/dns-json
  X-Http-Gokit-Requestid: 1681129350-4757811-d815fd1fe85614b74792628abdeb826078e39910
  Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected:
  GET /resolve?name=gw.denonia.xyz&type=A HTTP/1.1
  Host: dns.google.com
  User-Agent: GoKit XHTTP Client/0.17.0
  Accept: application/dns-json
  X-Http-Gokit-Requestid: 1681129350-8971614-48aed712c4b42faca614aa0c1ca49bb578906888
  Accept-Encoding: gzip

Strings found in binary or memory. Unless marked otherwise, each string was found in the submitted file 1crMLOq2cc and in the heap dump 9440.1.000000c000000000.000000c000800000.rw-.sdmp of both process images (1crMLOq2cc and the re-executed image 3); strings marked [3 only] were found only in the re-executed image and its heap dump. Almost all of them are CRL, OCSP and policy URLs embedded in root CA certificates, and the adjoining /etc/ssl/certs/... fragments are the trust-store paths read by the Go TLS stack: they are the system CA bundle parsed into the Go heap (the 0xc000000000 arena) for the HTTPS DoH requests, not the sample's own configuration, and the trailing bytes ("0", "rl", "Japan", "66666666") are over-reads by the string extractor. The only strings that belong to the sample are the two gw.denonia.xyz lookups and the UPX banner URL.
  http://acedicom.edicomgroup.com/doc0
  http://cps.chambersign.org/cps/chambersignroot.html0
  http://cps.chambersign.org/cps/chambersroot.html0
  http://crl.chambersign.org/chambersignroot.crl
  http://crl.chambersign.org/chambersignroot.crl0
  http://crl.chambersign.org/chambersignroot.crlrl
  http://crl.chambersign.org/chambersroot.crl
  http://crl.chambersign.org/chambersroot.crl0
  http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crl
  http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crlrl
  http://crl.comodoca.com/AAACertificateServices.crl [3 only]
  http://crl.comodoca.com/AAACertificateServices.crl06
  http://crl.comodoca.com/AAACertificateServices.crlhttp://crl.comodoca.com/SecureCertificateServices.
  http://crl.comodoca.com/COMODOCertificationAuthority.crl
  http://crl.comodoca.com/COMODOCertificationAuthority.crl/etc/ssl/certs/COMODO_ECC_Certification_Auth
  http://crl.comodoca.com/COMODOCertificationAuthority.crl0
  http://crl.comodoca.com/COMODOCertificationAuthority.crl66666666
  http://crl.comodoca.com/SecureCertificateServices.crl
  http://crl.comodoca.com/SecureCertificateServices.crl09
  http://crl.comodoca.com/SecureCertificateServices.crlizaccv1.crt0;1
  http://crl.comodoca.com/TrustedCertificateServices.crl
  http://crl.comodoca.com/TrustedCertificateServices.crl0:
  http://crl.globalsign.net/root-r2.crl
  http://crl.globalsign.net/root-r2.crl/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem/etc/ssl/certs/Global
  http://crl.globalsign.net/root-r2.crl0
  http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl [3 only]
  http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
  http://crl.securetrust.com/SGCA.crl
  http://crl.securetrust.com/SGCA.crl0
  http://crl.securetrust.com/SGCA.crlJapan
  http://crl.securetrust.com/SGCA.crlSecurity
  http://crl.securetrust.com/STCA.crl
  http://crl.securetrust.com/STCA.crl/etc/ssl/certs/Secure_Global_CA.pem/etc/ssl/certs/Secure_Global_C
  http://crl.securetrust.com/STCA.crl0
  http://crl.securetrust.com/STCA.crly [3 only]
  http://crl.xrampsecurity.com/XGCA.crl [3 only]
  http://crl.xrampsecurity.com/XGCA.crl/etc/ssl/certs/ca-certificates.crtsroot.crl/etc/ssl/certs/ca-ce
  http://crl.xrampsecurity.com/XGCA.crl0
  http://ocsp.accv.es
  http://ocsp.accv.es0
  http://ocsp.suscerte.gob.ve [3 only]
  http://ocsp.suscerte.gob.ve0A
  http://policy.camerfirma.com0
  http://repository.swisssign.com/0
  http://upx.sf.net [1crMLOq2cc and the dropped file UNKNOWN_[0xffff880078595000].6.dr]
  http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt [3 only]
  http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
  http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0;1 [3 only]
  http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
  http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
  http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0B1
  http://www.accv.es/legislacion_c.htm0U
  http://www.accv.es00
  http://www.cert.fnmt.es/dpcs/0
  http://www.certplus.com/CRL/class2.crl
  http://www.certplus.com/CRL/class2.crl/etc/ssl/certs/Certplus_Root_CA_G1.pem/etc/ssl/certs/Certplus_
  http://www.certplus.com/CRL/class2.crl0
  http://www.chambersign.org
  http://www.chambersign.org1 [3 only]
  http://www.firmaprofesional.com/cps0
  http://www.pkioverheid.nl/policies/root-policy-G20
  http://www.quovadis.bm0
  http://www.quovadisglobal.com/cps0
  http://www.suscerte.gob.ve/dpc0
  http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl [3 only]
  http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0#
  http://www.trustdst.com/certificates/policy/ACES-index.html0
  https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A
  https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A1681129350-4757811-d815fd1fe85614b747
  https://dns.google.com/resolve?name=gw.denonia.xyz&type=A
  https://dns.google.com/resolve?name=gw.denonia.xyz&type=A1681129350-8971614-48aed712c4b42faca614aa0c
  https://ocsp.quovadisoffshore.com [3 only]
  https://ocsp.quovadisoffshore.com/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem/etc/ssl/certs/QuoVadis_Roo
  https://ocsp.quovadisoffshore.com0
  https://repository.luxtrust.lu0
  https://www.catcert.net/verarrel [3 only]
  https://www.catcert.net/verarrel05

System Summary

Source: 9440.1.0000000000401000.0000000000d4b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Cryptominer_Flystudio_0a370634 Author: unknown
Source: 9440.1.0000000000401000.0000000000d4b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: LOAD without section mappings | Program segment: 0x400000 (the submitted ELF carries program headers only; UPX removes the section header table, so readelf -S reports no sections while readelf -l still lists the PT_LOAD segments)
Source: 9440.1.0000000000401000.0000000000d4b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Cryptominer_Flystudio_0a370634: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Flystudio, fingerprint = 6613ddd986e2bf4b306cd1a5c28952da8068f1bb533c53557e2e2add5c2dbd1f, id = 0a370634-51de-46bf-9397-c41ef08a7b83, last_modified = 2021-09-16
Source: 9440.1.0000000000401000.0000000000d4b000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Pornoasset_927f314f: reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: classification engine | Classification label: mal72.evad.lin@0/1@4/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ (two occurrences)
Source: initial sample | String containing UPX found: $Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $
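The UPX banner strings above, the 7.99 entropy figures and the "LOAD segment without any section mappings" finding in the sections that follow are the three file-level markers of a UPX-packed ELF: UPX drops the section header table, leaves only program headers, and stores the compressed original as a single near-maximum-entropy PT_LOAD segment. The Go program below is an added example, not the report's or the sample's code, that checks all three on an arbitrary ELF with the standard library's debug/elf: it scores each PT_LOAD segment's Shannon entropy against a threshold, reports whether section headers are present, and looks for the UPX loader magic. It runs offline on a constructed minimal ELF fixture with one pseudo-random segment; the threshold of 7.5 and the fixture layout are this example's own choices.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"math"
	"math/rand"
)

// Compressed or encrypted segments score close to 8.0 bits per byte (the report
// shows 7.9927 and 7.9869); ordinary x86-64 code and data stay well below this.
const packedThreshold = 7.5

// shannonEntropy returns the byte entropy of data in bits per byte (0..8).
func shannonEntropy(data []byte) float64 {
	var counts [256]float64
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// SegmentReport summarises one PT_LOAD segment.
type SegmentReport struct {
	Vaddr, Filesz uint64
	Entropy       float64
	Packed        bool
}

// loadSegmentEntropy scores every PT_LOAD segment of an ELF image and reports whether
// a section header table is present (UPX strips it: "LOAD without section mappings").
func loadSegmentEntropy(r io.ReaderAt) (segs []SegmentReport, hasSections bool, err error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return nil, false, err
	}
	for _, p := range f.Progs {
		if p.Type != elf.PT_LOAD {
			continue
		}
		data, err := io.ReadAll(p.Open())
		if err != nil {
			return nil, false, err
		}
		h := shannonEntropy(data)
		segs = append(segs, SegmentReport{p.Vaddr, p.Filesz, h, h >= packedThreshold})
	}
	return segs, len(f.Sections) > 0, nil
}

// hasUPXMarker looks for the "UPX!" loader magic that packed images carry.
func hasUPXMarker(image []byte) bool { return bytes.Contains(image, []byte("UPX!")) }

// buildSampleELF assembles a constructed minimal x86-64 ELF (one PT_LOAD segment at
// 0x400000, no section headers), the layout the report describes; a fixture, not a program.
func buildSampleELF(segment []byte) []byte {
	const hdrSize, phSize = 64, 56
	hdr := elf.Header64{
		Ident:   [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:    uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Entry:   0x400000, Phoff: hdrSize, Ehsize: hdrSize, Phentsize: phSize, Phnum: 1, Shentsize: 64,
	}
	ph := elf.Prog64{
		Type: uint32(elf.PT_LOAD), Flags: uint32(elf.PF_R | elf.PF_X), Off: hdrSize + phSize,
		Vaddr: 0x400000, Paddr: 0x400000, Filesz: uint64(len(segment)), Memsz: uint64(len(segment)), Align: 0x1000,
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr) // writes to a bytes.Buffer cannot fail
	binary.Write(&buf, binary.LittleEndian, ph)
	buf.Write(segment)
	return buf.Bytes()
}

// packedSegment returns 4 KiB of deterministic pseudo-random bytes standing in for
// a compressed payload (constructed, not taken from the sample).
func packedSegment() []byte {
	b := make([]byte, 4096)
	rand.New(rand.NewSource(1)).Read(b)
	return b
}

func main() {
	image := buildSampleELF(packedSegment()) // swap in os.ReadFile(path) for a real sample
	segs, hasSections, err := loadSegmentEntropy(bytes.NewReader(image))
	if err != nil {
		panic(err)
	}
	fmt.Printf("section headers: %v, UPX marker: %v\n", hasSections, hasUPXMarker(image))
	for _, s := range segs {
		fmt.Printf("LOAD vaddr=%#x filesz=%d entropy=%.4f packed=%v\n", s.Vaddr, s.Filesz, s.Entropy, s.Packed)
	}
}
```

A score near 8.0 is necessary but not sufficient evidence of packing: encrypted blobs, embedded archives and, in this report, the second-stage ELF written to the anonymous file all score the same. Combine it with the missing section headers and the marker strings, and treat upx -d only as a first attempt, since stubs with corrupted UPX headers that defeat the stock unpacker are common in malware.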

Hooking and other Techniques for Hiding and Protection

Source: /tmp/1crMLOq2cc (PID: 9440) | Executable: /proc/self/fd/3 -> runtime_mem
Source: /tmp/1crMLOq2cc (PID: 9440) | Anonymous file written: UNKNOWN:[0xffff880078595000]
Source: /tmp/1crMLOq2cc (PID: 9440) | ELF written to anonymous file: UNKNOWN:[0xffff880078595000]
Source: 1crMLOq2cc | Submission file: segment LOAD with 7.9927 entropy (max. 8.0)
Source: UNKNOWN_[0xffff880078595000].6.dr | Dropped file: segment LOAD with 7.9869 entropy (max. 8.0)

The "dropped file" has no path: it is the anonymous in-memory file (named runtime_mem, open as file descriptor 3) into which the sample wrote a second ELF before executing it through /proc/self/fd/3, so the sandbox can identify it only by a kernel address. That second-stage ELF is itself a single LOAD segment at near-maximum entropy and carries the http://upx.sf.net string (see the strings under Networking): the outer UPX layer unpacks to a loader that drops another UPX-packed ELF into memory.
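The entries above describe one technique: an anonymous in-memory file is created, a second ELF is written into it and executed through its /proc/self/fd/<n> path, leaving no file on disk to hash or quarantine. On a live host the kernel still exposes this: /proc/<pid>/exe of such a process resolves to "/memfd:<name> (deleted)" for a memfd, or to "<path> (deleted)" when the binary was unlinked after exec. The Go program below is an added example, not part of the report, that walks a /proc-style tree and flags those processes. Because a test cannot rely on a real /proc, it also builds a small constructed fixture: one process whose exe points at a memfd named runtime_mem, as in the report, and one ordinary process. The PIDs and the fixture layout are this example's assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is a process whose main executable is not backed by a file on disk.
type Finding struct {
	PID     string
	Exe     string // target of /proc/<pid>/exe
	Cmdline string
}

// isAnonymousExe reports whether an exe link target points at a memfd or at a
// file that no longer exists. The kernel renders a memfd_create() file as
// "/memfd:<name> (deleted)" and any unlinked file as "<path> (deleted)".
func isAnonymousExe(target string) bool {
	return strings.HasPrefix(target, "/memfd:") || strings.HasSuffix(target, " (deleted)")
}

// isNumeric is true for the /proc entries that are process directories.
func isNumeric(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// scanProc walks a /proc-style tree and returns the processes that run from memory.
// Pass "/proc" on a live host; exe links that cannot be read (kernel threads, other
// users' processes without CAP_SYS_PTRACE) are skipped rather than reported.
func scanProc(root string) ([]Finding, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range entries {
		if !e.IsDir() || !isNumeric(e.Name()) {
			continue
		}
		target, err := os.Readlink(filepath.Join(root, e.Name(), "exe"))
		if err != nil || !isAnonymousExe(target) {
			continue
		}
		raw, _ := os.ReadFile(filepath.Join(root, e.Name(), "cmdline"))
		cmd := strings.TrimRight(strings.ReplaceAll(string(raw), "\x00", " "), " ")
		out = append(out, Finding{PID: e.Name(), Exe: target, Cmdline: cmd})
	}
	return out, nil
}

// makeFixture builds a constructed two-process /proc tree under root for offline
// use: PID 1234 mirrors the report's re-executed image (exe -> a memfd named
// runtime_mem), PID 5678 is an ordinary on-disk binary. The exe entries are
// dangling symlinks, so no privileges are needed.
func makeFixture(root string) error {
	procs := []struct{ pid, exe, cmdline string }{
		{"1234", "/memfd:runtime_mem (deleted)", "runtime_mem\x00"},
		{"5678", "/bin/sleep", "sleep\x0060\x00"},
	}
	for _, p := range procs {
		dir := filepath.Join(root, p.pid)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		if err := os.Symlink(p.exe, filepath.Join(dir, "exe")); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, "cmdline"), []byte(p.cmdline), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := "/proc"
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. a directory populated by makeFixture
	}
	findings, err := scanProc(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("pid=%s exe=%q cmdline=%q\n", f.PID, f.Exe, f.Cmdline)
	}
}
```

Once such a process is found, /proc/<pid>/exe can still be opened and copied even though nothing exists on disk, which is how the in-memory ELF is recovered for analysis; the same check also catches binaries that delete themselves after starting. Run it as root, otherwise exe links of other users' processes are unreadable and silently skipped.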

Malware Analysis System Evasion

Source: /tmp/1crMLOq2cc (PID: 9440) | Executable: /proc/self/fd/3 -> runtime_mem
Source: /tmp/1crMLOq2cc (PID: 9440) | ELF written to anonymous file: UNKNOWN:[0xffff880078595000]
Source: 3, 9440.1.00007f488eb9f000.00007f488ec16000.rw-.sdmp | Binary or memory string: VMware Virtual Platform
Source: 3, 9440.1.00007f488eb9f000.00007f488ec16000.rw-.sdmp | Binary or memory string: VMware, Inc.
Source: 3, 9440.1.00007f488ec36000.00007f488ec40000.rw-.sdmp | Binary or memory string: VMware-42 35 51 4e a8 15 13 47-88 59 4d 3b a5 f6 85 b8
Source: 3, 9440.1.00007f488ec36000.00007f488ec40000.rw-.sdmp | Binary or memory string: TVMware-42 35 51 4e a8 15 13 47-88 59 4d 3b a5 f6 85 b8
Source: 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmp | Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd

The VMware product name, vendor string and serial number are the sandbox host's DMI/SMBIOS values; their presence in the memory of the re-executed image is consistent with the sample reading the machine's hardware identity, though the report does not show which file or call produced them, nor that the sample acted on them. The last string is a base64-looking blob on the Go heap whose purpose the report does not resolve.
MITRE ATT&CK Matrix

Techniques with matching report entries (the number in brackets is the count of entries mapped to the technique):

Defense Evasion: Hide Artifacts (3), Obfuscated Files or Information (11)
Discovery: Security Software Discovery (1)
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)

The columns Initial Access, Execution, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects and Impact carry no counts; the remaining cells of the matrix are unmatched technique names.
No configs have been found
Antivirus detection

Submitted file
Source | Detection | Scanner | Label
1crMLOq2cc | 21% | ReversingLabs | Linux.Trojan.Multiverze
1crMLOq2cc | 31% | Virustotal |

Dropped file
Source | Detection | Scanner | Label
UNKNOWN:[0xffff880078595000] | 33% | ReversingLabs | Linux.Trojan.Generic

Domains
Source | Detection | Scanner | Label
cloudflare-dns.com | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0 | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
http://crl.securetrust.com/SGCA.crl | 0% | URL Reputation | safe
https://repository.luxtrust.lu0 | 0% | URL Reputation | safe
http://cps.chambersign.org/cps/chambersroot.html0 | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe
https://ocsp.quovadisoffshore.com | 0% | URL Reputation | safe
http://crl.securetrust.com/STCA.crl0 | 0% | URL Reputation | safe
http://www.suscerte.gob.ve/dpc0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe
https://ocsp.quovadisoffshore.com0 | 0% | URL Reputation | safe
http://cps.chambersign.org/cps/chambersignroot.html0 | 0% | URL Reputation | safe
http://www.chambersign.org | 0% | URL Reputation | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://crl.xrampsecurity.com/XGCA.crl | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class2.crl | 0% | URL Reputation | safe
http://ocsp.accv.es0 | 0% | URL Reputation | safe
https://www.catcert.net/verarrel | 0% | URL Reputation | safe
http://crl.securetrust.com/STCA.crl | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersignroot.crl0 | 0% | URL Reputation | safe
http://crl.xrampsecurity.com/XGCA.crl0 | 0% | URL Reputation | safe
https://www.catcert.net/verarrel05 | 0% | URL Reputation | safe
http://www.quovadis.bm0 | 0% | URL Reputation | safe
http://www.trustdst.com/certificates/policy/ACES-index.html0 | 0% | URL Reputation | safe
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl | 0% | URL Reputation | safe
http://www.accv.es00 | 0% | URL Reputation | safe
http://www.pkioverheid.nl/policies/root-policy-G20 | 0% | URL Reputation | safe
http://crl.xrampsecurity.com/XGCA.crl/etc/ssl/certs/ca-certificates.crtsroot.crl/etc/ssl/certs/ca-ce | 0% | Avira URL Cloud | safe
http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crlrl | 0% | Avira URL Cloud | safe
http://crl.chambersign.org/chambersroot.crl | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crl | 0% | Avira URL Cloud | safe
http://www.certplus.com/CRL/class2.crl/etc/ssl/certs/Certplus_Root_CA_G1.pem/etc/ssl/certs/Certplus_ | 0% | Avira URL Cloud | safe
http://crl.chambersign.org/chambersignroot.crl | 0% | Avira URL Cloud | safe
http://crl.securetrust.com/STCA.crl/etc/ssl/certs/Secure_Global_CA.pem/etc/ssl/certs/Secure_Global_C | 0% | Avira URL Cloud | safe
http://crl.chambersign.org/chambersignroot.crl | 0% | Virustotal |
http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl | 0% | Avira URL Cloud | safe
http://crl.securetrust.com/SGCA.crlSecurity | 0% | Avira URL Cloud | safe
http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0# | 0% | Avira URL Cloud | safe
http://ocsp.suscerte.gob.ve | 0% | Avira URL Cloud | safe
http://crl.chambersign.org/chambersignroot.crlrl | 0% | Avira URL Cloud | safe
https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A1681129350-4757811-d815fd1fe85614b747 | 0% | Avira URL Cloud | safe
http://crl.securetrust.com/SGCA.crlJapan | 0% | Avira URL Cloud | safe
http://crl.securetrust.com/STCA.crly | 0% | Avira URL Cloud | safe
https://ocsp.quovadisoffshore.com/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem/etc/ssl/certs/QuoVadis_Roo | 0% | Avira URL Cloud | safe
http://ocsp.suscerte.gob.ve0A | 0% | Avira URL Cloud | safe
https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dns.google.com | 8.8.8.8 | true | false | | high
cloudflare-dns.com | 104.16.249.249 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://dns.google.com/resolve?name=gw.denonia.xyz&type=A | false | | high
https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A | false | Avira URL Cloud: safe | unknown

Both contacted hosts are legitimate public DNS-over-HTTPS resolvers, which is why every scanner rates them safe; the indicator is the name inside the query string, gw.denonia.xyz, and it never reaches a local resolver where it could be logged or sinkholed.

URLs from memory and binaries
Source abbreviations: "all" = 1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmp; "3 + heap" = 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmp.
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0 | all | false | URL Reputation: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl/etc/ssl/certs/ca-certificates.crtsroot.crl/etc/ssl/certs/ca-ce | all | false | Avira URL Cloud: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | all | false | URL Reputation: safe | unknown
http://crl.securetrust.com/SGCA.crl | all | false | URL Reputation: safe | unknown
https://repository.luxtrust.lu0 | all | false | URL Reputation: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | all | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crlrl | all | false | Avira URL Cloud: safe | unknown
http://www.chambersign.org1 | 3 + heap | false | URL Reputation: safe | unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt | 3 + heap | false | | high
http://www.firmaprofesional.com/cps0 | all | false | | high
http://crl.chambersign.org/chambersignroot.crl | all | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://crl.securetrust.com/STCA.crl/etc/ssl/certs/Secure_Global_CA.pem/etc/ssl/certs/Secure_Global_C | all | false | Avira URL Cloud: safe | unknown
http://repository.swisssign.com/0 | all | false | | high
http://crl.securetrust.com/SGCA.crl0 | all | false | URL Reputation: safe | unknown
https://ocsp.quovadisoffshore.com | 3 + heap | false | URL Reputation: safe | unknown
http://crl.securetrust.com/STCA.crl0 | all | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class2.crl/etc/ssl/certs/Certplus_Root_CA_G1.pem/etc/ssl/certs/Certplus_ | all | false | Avira URL Cloud: safe | unknown
http://crl.chambersign.org/chambersroot.crlhttp://crl.chambersign.org/chambersignroot.crl | all | false | Avira URL Cloud: safe | unknown
http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl | 3 + heap | false | Avira URL Cloud: safe | unknown
http://www.suscerte.gob.ve/dpc0 | all | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class2.crl0 | all | false | URL Reputation: safe | unknown
http://www.quovadisglobal.com/cps0 | all | false | | high
              http://crl.securetrust.com/SGCA.crlSecurity1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                high
                http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                  high
                  http://ocsp.accv.es1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    high
                    https://ocsp.quovadisoffshore.com01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0#1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://cps.chambersign.org/cps/chambersignroot.html01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.chambersign.org1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://ocsp.suscerte.gob.ve3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://policy.camerfirma.com01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://crl.xrampsecurity.com/XGCA.crl3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.accv.es/legislacion_c.htm0U1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                      high
                      http://crl.chambersign.org/chambersignroot.crlrl1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz&type=A1681129350-4757811-d815fd1fe85614b7471crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.certplus.com/CRL/class2.crl1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://ocsp.accv.es01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0B11crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                        high
                        http://crl.securetrust.com/SGCA.crlJapan1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://upx.sf.net1crMLOq2cc, UNKNOWN_[0xffff880078595000].6.drfalse
                          high
                          http://crl.securetrust.com/STCA.crly3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://acedicom.edicomgroup.com/doc01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                            high
                            https://ocsp.quovadisoffshore.com/etc/ssl/certs/QuoVadis_Root_CA_1_G3.pem/etc/ssl/certs/QuoVadis_Roo1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://www.catcert.net/verarrel3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://crl.securetrust.com/STCA.crl1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              high
                              http://crl.chambersign.org/chambersignroot.crl01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://crl.xrampsecurity.com/XGCA.crl01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://www.catcert.net/verarrel051crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.quovadis.bm01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://ocsp.suscerte.gob.ve0A1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.trustdst.com/certificates/policy/ACES-index.html01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.accv.es001crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.pkioverheid.nl/policies/root-policy-G201crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.cert.fnmt.es/dpcs/01crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                                high
                                http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0;13, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                                  high
                                  http://crl.chambersign.org/chambersroot.crl1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://dns.google.com/resolve?name=gw.denonia.xyz&type=A1681129350-8971614-48aed712c4b42faca614aa0c1crMLOq2cc, 9440.1.000000c000000000.000000c000800000.rw-.sdmp, 3, 9440.1.000000c000000000.000000c000800000.rw-.sdmpfalse
                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
104.16.249.249 | cloudflare-dns.com | United States | 13335 | CLOUDFLARENETUS | false
Match: 104.16.249.249
Associated Sample Name / URL | Detection | Threat Name | Context
Up6vq6bevw | malicious | Denonia, Xmrig |
bf88d5e7638944ca4a3e389c504f5254395caa0c2c7d69d9e90ffa6e575c912f | malicious | Unknown |
Honeygain_install.exe | malicious | Unknown |
bt11BZiI2O | malicious | Unknown |
LBxYFY4IcX | malicious | Xmrig |
yytr.dll | malicious | Ursnif |
xls.xls | malicious | Hidden Macro 4.0 Gozi Ursnif |
Match: cloudflare-dns.com
Associated Sample Name / URL | Detection | Threat Name | Context
Up6vq6bevw | malicious | Denonia, Xmrig | 104.16.249.249
Up6vq6bevw | malicious | Unknown | 104.16.248.249
Setup.exe | malicious | Unknown | 104.18.42.171
https://paper.li/41i0IyhsDU2LHUTTqmDaP/story/ap-ausdredge-VBjAsEzkfIUV7miNpzaCi | malicious | HTMLPhisher | 104.18.42.171
http://first-dating.top/js/push/p.js?u=ra9pd06&o=911nfyq&t=66&v=2 | malicious | Unknown | 104.18.42.171
Fax_Doc.htm | malicious | HTMLPhisher | 172.64.145.85
Ferdium-win-Portable-6.0.0-x64.exe | malicious | Unknown | 172.64.145.85
Construction Drawingcouncil@cityofparramatta.nsw.gov.au--830962-df.htm | malicious | Captcha Phish, Phisher | 104.18.42.171
http://107.172.76.136/topp.exe | malicious | Snake Keylogger | 104.18.42.171
Secured_angela.johnson_Audio_Message.htm | malicious | Unknown | 104.18.42.171
ACH_WIRE_REMITTANCE.xlsx | malicious | HTMLPhisher | 104.18.42.171
INV#48390122.docx | malicious | Unknown | 104.18.42.171
GalacticFever.exe | malicious | Unknown | 172.64.145.85
https://nhs-sharepoint.simplesite.com/ | malicious | HTMLPhisher | 172.64.145.85
unpacked_be726ddb02dbca823f6642d320da06bb4bf0f7dec9ed7fe870afd020423ac84b | malicious | Denonia, Xmrig | 104.16.248.249
unpacked_be726ddb02dbca823f6642d320da06bb4bf0f7dec9ed7fe870afd020423ac84b | malicious | Denonia, Xmrig | 104.16.248.249
bf88d5e7638944ca4a3e389c504f5254395caa0c2c7d69d9e90ffa6e575c912f | malicious | Unknown | 104.16.249.249
https://theproduct-4you.com/us/sgaq/goketogum-onl1?bhu=spkfL6hnkZo2Z5xGxgK1Hn2fuSAE7PhhBjqZs4 | malicious | GRQ Scam | 172.64.145.85
5eLjpg0wJq | malicious | Unknown | 104.16.248.249
#U043e#U0440#U043a#U043e#U0441#U0442#U0430#U043d#U0432#U0440#U0430#U0431#U043e#U0442#U0435.xlsx | malicious | Unknown | 104.18.42.171

Match: dns.google.com
Associated Sample Name / URL | Detection | Threat Name | Context
Up6vq6bevw | malicious | Denonia, Xmrig | 8.8.4.4
Up6vq6bevw | malicious | Unknown | 8.8.8.8
unpacked_be726ddb02dbca823f6642d320da06bb4bf0f7dec9ed7fe870afd020423ac84b | malicious | Denonia, Xmrig | 8.8.4.4
unpacked_be726ddb02dbca823f6642d320da06bb4bf0f7dec9ed7fe870afd020423ac84b | malicious | Denonia, Xmrig | 8.8.8.8
bf88d5e7638944ca4a3e389c504f5254395caa0c2c7d69d9e90ffa6e575c912f | malicious | Unknown | 8.8.8.8
5eLjpg0wJq | malicious | Unknown | 8.8.8.8
tsetup-x64.exe | malicious | GhostRat, Nitol | 8.8.8.8
bt11BZiI2O | malicious | Unknown | 8.8.8.8
LBxYFY4IcX | malicious | Xmrig | 8.8.8.8
LBxYFY4IcX | malicious | Xmrig | 8.8.8.8
H6yrPA6843.exe | malicious | Mimikatz | 8.8.8.8
aa2W5GrLPA.exe | malicious | Unknown | 8.8.8.8
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
Up6vq6bevw | malicious | Denonia, Xmrig | 104.16.249.249
Up6vq6bevw | malicious | Unknown | 104.16.248.249
https://www.google.com/url?q=https://prrejarfhmkpdioxrnz5ov5vzisisdj4-ipfs-dweb-link.translate.goog/?_x_tr_hp%3Dbafybeicog4kngr4vdic5ektmsb%26_x_tr_sl%3Dauto%26_x_tr_tl%3Den%26_x_tr_hl%3Den-US%23%5B%5B-Email-%5D%5D&source=gmail&ust=1680745822795000&usg=AOvVaw32SsWHbRV9R5IjU2MoqYH- | malicious | HTMLPhisher | 104.18.11.207
https://h2eoljhgsuiepeft6npxbb2l6n4h6lvfpkpu-ipfs-dweb-link.translate.goog/?_x_tr_hp=bafybeie3evzsbe5factirc&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US#info@iqos.kz | malicious | HTMLPhisher | 104.18.10.207
https://www.searchunify.com | malicious | Unknown | 172.67.38.66
qnNVFQgHRW.exe | malicious | MinerDownloader, RedLine, Xmrig | 104.20.67.143
https://searchunify.com | malicious | Unknown | 104.16.126.175
aHESmFfQeP.exe | malicious | DCRat | 162.159.128.233
Znci6Yzgb2.exe | malicious | DCRat | 162.159.138.232
setup.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader | 188.114.96.7
setup.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader | 172.67.181.144
setup.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader | 188.114.96.7
setup.exe | malicious | Xmrig | 104.20.67.143
http://trichdo.com/rd/c9649pGObj2403636JdOz13GhJ3664cWAu670 | malicious | HTMLPhisher | 104.21.15.235
https://vetdiagnoz.kz/templates/beez3/voice.html | malicious | HTMLPhisher | 104.17.25.14
https://click.cloud.mailingsenders.com/?qs=a9263aeb59cd757fd2a9eae9eace579cf792bd805bb8479b8abc78b4f0780f643937d933d7773b3f5cb51817436caa3e3509228b0a3203dd | malicious | Unknown | 104.22.24.131
E23IfCRLLP.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 188.114.96.7
DPCW7sAg2W.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 188.114.96.7
U6nDz3As0K.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 188.114.96.7
8SWZejBvK8.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 172.67.181.144
                                                  No context
                                                  No context
                                                  Process:/tmp/1crMLOq2cc
                                                  File Type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
                                                  Category:dropped
                                                  Size (bytes):7200360
                                                  Entropy (8bit):7.986903265084156
                                                  Encrypted:false
                                                  SSDEEP:196608:VcA4n+nJhBEWUxzVekv9+rOLobXXVDpVIqDRh9:3JnJhB6xzR+iOXV9VIKh9
                                                  MD5:B7583507D47F4F111846912866FEF58E
                                                  SHA1:25FE1B4CA09690ACFFEDCAB5D1CA7EEABAF1AC47
                                                  SHA-256:BB617F3B653D742BF5F306B783CB2EC55525DE69CAC1D8B2C6FECFCCE6BD550F
                                                  SHA-512:C299A001C2900D8ACF9BA30947B7F2833A83D673CD8EA252B2EE81E412DDF1A2C46FE691FBD3EBA627FFF6860BAAB8C1C18F9BD9FE69AF3C971C13FF22279487
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 33%
                                                  Reputation:low
                                                  Preview:.ELF..............>.....p......@...................@.8...@.......................@.......@.......m.......m..................................................................Q.td.....................................................>J}UPX!.........`y..`y............... ..ELF......>....E.._..@/.E&8......>.......O@.@.....m.@...........@d......&....@...|...... ..m./.I..Z....lo.../T.~./..Be..hoQ.td.v.[.......$..X*o.*I..........I..a.......!v.g..@....._ ...N.j.!.I..;h.o^........l.|O`...._....r. .M......<&.|..\!...a.`[.........P........6..~._.v{..B...T.._.v...... ..ON ..d.........x.z...k...W..R..!...y......&.} L..|.S.m..0P...@.U....d_....".P.....S.Go.RaUIA4cgA....ywjo5xmASWS/cML4J3Z57TqcJhewFDxG.o../x-S6vJvYfuaqObK"NT6/v29V....g5eGEvm87tPGq7.I;f.v8H...H.l$.H......D$ \$(f......;.H.!.....I....o.tS..0..O.........L.d$.M.....H...Iw..d.$.....$.........L......^..1........eH....,.}.E1.1.L..1..@.m{or9......q.......o..H)..{.I..H..Hv?H!.H..k..f..|..8cpu.u.1........t$p..P.6....}.....
                                                  File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
                                                  Entropy (8bit):7.992663991787683
                                                  TrID:
                                                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                  File name:1crMLOq2cc
                                                  File size:7769888
                                                  MD5:e8b43fa1b5d19995bb96bffe13af1e7c
                                                  SHA1:03c1e148221d04e340b660ccb3c446ffed43a47e
                                                  SHA256:285602cd6b0ca73b1c857482cb25450f295c53b6cd12438b4dce1919092089ca
                                                  SHA512:f4423441a37aa10fcdd366c2f7bc21edfa2e29720a65250084d4eb7cd91902e618288cc8a5b70e1551094faea349660f106c4df54e8196c94afd9d63a562e12c
                                                  SSDEEP:196608:8K+86GviywF7fJJHtdx4kPH+1wDulTD1UWs0p632MYi:8K76kHIfJJNdh+uED1Uf0E2MYi
                                                  TLSH:437633EB719E2B6DC7245D31D8FC272A63F050D4B5A7AB032165322EAC4835F9D8BE05
                                                  File Content Preview:.ELF..............>.....(.......@...................@.8...@.......................@.......@.......v.......v.....................................................................Q.td.....................................................>J}UPX!...............

                                                  ELF header

                                                  Class:
                                                  Data:
                                                  Version:
                                                  Machine:
                                                  Version Number:
                                                  Type:
                                                  OS/ABI:
                                                  ABI Version:
                                                  Entry Point Address:
                                                  Flags:
                                                  ELF Header Size:
                                                  Program Header Offset:
                                                  Program Header Size:
                                                  Number of Program Headers:
                                                  Section Header Offset:
                                                  Section Header Size:
                                                  Number of Section Headers:
                                                  Header String Table Index:
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x768ea0 | 0x768ea0 | 7.9927 | 0x5 | R E | 0x1000 | |
LOAD | 0x0 | 0xb69000 | 0xb69000 | 0x0 | 0xec0a0 | 0.0000 | 0x6 | RW | 0x1000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 10, 2023 12:22:32.094163895 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.094254971 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.094330072 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.095376968 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.095412970 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.097610950 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.097664118 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.097712994 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.098474026 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.098503113 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.157150030 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.157305956 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.158679962 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.158719063 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.159704924 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.159725904 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.162223101 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.168169975 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.168279886 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.174263000 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.174300909 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.174726009 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.174894094 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.174982071 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.175000906 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.176796913 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.194741964 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.194879055 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.270061016 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.270098925 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.270392895 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.270464897 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.270483971 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.270551920 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.271228075 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.271295071 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.271573067 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.271775961 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.271795988 CEST | 443 | 51698 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.272010088 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.272275925 CEST | 53856 | 443 | 192.168.2.20 | 104.16.249.249
Apr 10, 2023 12:22:32.272294998 CEST | 443 | 53856 | 104.16.249.249 | 192.168.2.20
Apr 10, 2023 12:22:32.273261070 CEST | 51698 | 443 | 192.168.2.20 | 8.8.8.8
                                                  Apr 10, 2023 12:22:32.273279905 CEST443516988.8.8.8192.168.2.20
                                                  Apr 10, 2023 12:22:32.293945074 CEST44353856104.16.249.249192.168.2.20
                                                  Apr 10, 2023 12:22:32.294126034 CEST44353856104.16.249.249192.168.2.20
                                                  Apr 10, 2023 12:22:32.294497967 CEST53856443192.168.2.20104.16.249.249
                                                  Apr 10, 2023 12:22:32.294883966 CEST53856443192.168.2.20104.16.249.249
                                                  Apr 10, 2023 12:22:32.294934034 CEST44353856104.16.249.249192.168.2.20
                                                  Apr 10, 2023 12:22:32.294961929 CEST53856443192.168.2.20104.16.249.249
                                                  Apr 10, 2023 12:22:32.294980049 CEST44353856104.16.249.249192.168.2.20
                                                  Apr 10, 2023 12:22:32.301825047 CEST443516988.8.8.8192.168.2.20
                                                  Apr 10, 2023 12:22:32.302140951 CEST443516988.8.8.8192.168.2.20
                                                  Apr 10, 2023 12:22:32.302357912 CEST51698443192.168.2.208.8.8.8
                                                  Apr 10, 2023 12:22:32.303457022 CEST51698443192.168.2.208.8.8.8
                                                  Apr 10, 2023 12:22:32.303491116 CEST443516988.8.8.8192.168.2.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 10, 2023 12:22:32.054307938 CEST | 49621 | 53 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.055345058 CEST | 60799 | 53 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.056000948 CEST | 33941 | 53 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.056678057 CEST | 39606 | 53 | 192.168.2.20 | 8.8.8.8
Apr 10, 2023 12:22:32.089484930 CEST | 53 | 33941 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.089704990 CEST | 53 | 60799 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.091634989 CEST | 53 | 39606 | 8.8.8.8 | 192.168.2.20
Apr 10, 2023 12:22:32.096434116 CEST | 53 | 49621 | 8.8.8.8 | 192.168.2.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 10, 2023 12:22:32.054307938 CEST | 192.168.2.20 | 8.8.8.8 | 0xa1c6 | Standard query (0) | dns.google.com | 28 | IN (0x0001) | false
Apr 10, 2023 12:22:32.055345058 CEST | 192.168.2.20 | 8.8.8.8 | 0xb9ab | Standard query (0) | cloudflare-dns.com | 28 | IN (0x0001) | false
Apr 10, 2023 12:22:32.056000948 CEST | 192.168.2.20 | 8.8.8.8 | 0x1a0d | Standard query (0) | dns.google.com | A (IP address) | IN (0x0001) | false
Apr 10, 2023 12:22:32.056678057 CEST | 192.168.2.20 | 8.8.8.8 | 0xf2be | Standard query (0) | cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 10, 2023 12:22:32.089484930 CEST | 8.8.8.8 | 192.168.2.20 | 0x1a0d | No error (0) | dns.google.com | | 8.8.8.8 | A (IP address) | IN (0x0001) | false
Apr 10, 2023 12:22:32.089484930 CEST | 8.8.8.8 | 192.168.2.20 | 0x1a0d | No error (0) | dns.google.com | | 8.8.4.4 | A (IP address) | IN (0x0001) | false
Apr 10, 2023 12:22:32.089704990 CEST | 8.8.8.8 | 192.168.2.20 | 0xb9ab | No error (0) | cloudflare-dns.com | | | 28 | IN (0x0001) | false
Apr 10, 2023 12:22:32.089704990 CEST | 8.8.8.8 | 192.168.2.20 | 0xb9ab | No error (0) | cloudflare-dns.com | | | 28 | IN (0x0001) | false
Apr 10, 2023 12:22:32.091634989 CEST | 8.8.8.8 | 192.168.2.20 | 0xf2be | No error (0) | cloudflare-dns.com | | 104.16.249.249 | A (IP address) | IN (0x0001) | false
Apr 10, 2023 12:22:32.091634989 CEST | 8.8.8.8 | 192.168.2.20 | 0xf2be | No error (0) | cloudflare-dns.com | | 104.16.248.249 | A (IP address) | IN (0x0001) | false
Apr 10, 2023 12:22:32.096434116 CEST | 8.8.8.8 | 192.168.2.20 | 0xa1c6 | No error (0) | dns.google.com | | | 28 | IN (0x0001) | false
Apr 10, 2023 12:22:32.096434116 CEST | 8.8.8.8 | 192.168.2.20 | 0xa1c6 | No error (0) | dns.google.com | | | 28 | IN (0x0001) | false
• cloudflare-dns.com
• dns.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.20 | 53856 | 104.16.249.249 | 443
Timestamp | kBytes transferred | Direction | Data
2023-04-10 10:22:32 UTC | 0 | OUT | GET /dns-query?name=gw.denonia.xyz&type=A HTTP/1.1
Host: cloudflare-dns.com
User-Agent: GoKit XHTTP Client/0.17.0
Accept: application/dns-json
X-Http-Gokit-Requestid: 1681129350-4757811-d815fd1fe85614b74792628abdeb826078e39910
Accept-Encoding: gzip
2023-04-10 10:22:32 UTC | 0 | IN | HTTP/1.1 200 OK
Server: cloudflare
Date: Mon, 10 Apr 2023 10:22:32 GMT
Content-Type: application/dns-json
Connection: close
Access-Control-Allow-Origin: *
Content-Length: 251
CF-RAY: 7b5a44ebbd063803-FRA
2023-04-10 10:22:32 UTC | 0 | IN | Data Ascii: {"Status":3,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"gw.denonia.xyz","type":1}],"Authority":[{"name":"xyz","type":6,"TTL":3600,"data":"ns0.centralnic.net. hostmaster.centralnic.net. 3000724810 900 1800 6048000 3600"}]}


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.20 | 51698 | 8.8.8.8 | 443
Timestamp | kBytes transferred | Direction | Data
2023-04-10 10:22:32 UTC | 0 | OUT | GET /resolve?name=gw.denonia.xyz&type=A HTTP/1.1
Host: dns.google.com
User-Agent: GoKit XHTTP Client/0.17.0
Accept: application/dns-json
X-Http-Gokit-Requestid: 1681129350-8971614-48aed712c4b42faca614aa0c1ca49bb578906888
Accept-Encoding: gzip
2023-04-10 10:22:32 UTC | 0 | IN | HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Date: Mon, 10 Apr 2023 10:22:32 GMT
Expires: Mon, 10 Apr 2023 10:22:32 GMT
Cache-Control: private, max-age=1800
Content-Type: application/json; charset=UTF-8
Server: HTTP server (unknown)
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2023-04-10 10:22:32 UTC | 1 | IN | Data Ascii: 12b{"Status":3,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"gw.denonia.xyz.","type":1}],"Authority":[{"name":"xyz.","type":6,"TTL":1800,"data":"ns0.centralnic.net. hostmaster.centralnic.net. 3000724810 900 1800 6048000 3600"
2023-04-10 10:22:32 UTC | 1 | IN | Data Ascii: 0 (raw: 30 0d 0a 0d 0a, the terminating zero-length chunk)


System Behavior

Start time: 12:22:30
Start date: 10/04/2023
Path: /tmp/1crMLOq2cc
Arguments: /tmp/1crMLOq2cc
File size: 7769888 bytes
MD5 hash: e8b43fa1b5d19995bb96bffe13af1e7c

Start time: 12:22:30
Start date: 10/04/2023
Path: /proc/self/fd/3
Arguments: runtime_mem
File size: 0 bytes
MD5 hash: unknown