Edit tour

Linux Analysis Report
ijxeqyXNc4

Overview

General Information

Sample name:	ijxeqyXNc4 renamed because original name is a hash value
Original sample name:	15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45
Analysis ID:	3760041
MD5:	8138f1af1dc51cde924aa2360f12d650
SHA1:	74b1da190d670fa4c207afb0fbca4d7df701538a
SHA256:	15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45
Infos:

Detection

Dinodas RAT

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic

Yara detected Dinodas RAT

Executes itself again with its parent PID as an argument (indicative of hampering debugging)

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Executes the "getconf" command for querying system configuration variables

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Creates hidden files and/or directories

Creates hidden files without content (potentially used as a mutex)

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "ifconfig" command used to gather network information

Reads system version information

Reads the 'hosts' file potentially containing internal network hosts

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Sample tries to set the executable flag

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Writes INI config files to disk

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:
Analysis ID:	3760041
Start date and time:	2024-04-10 11:12:52 +02:00
Joe Sandbox product:	Cloud
Overall analysis duration:	0h 9m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	Linux - Ubuntu 22 - sleep detection and extension with SSL inspection.jbs
Analysis system description:	Ubuntu Linux 22.04 x64 (Kernel 5.15.0-94, Firefox 124.0.2, Atril Document Viewer 1.26.0, LibreOffice 7.3.7.2, OpenJDK 17.0.10)
Analysis Mode:	default
Sample name:	ijxeqyXNc4 renamed because original name is a hash value
Original Sample Name:	15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45
Detection:	MAL
Classification:	mal76.troj.evad.lin@0/3@1/0
Cookbook Comments:	Analysis time extended to 240s due to sleep detection in submitted sample

Runtime Messages

Command:	/tmp/ijxeqyXNc4
PID:	5431
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu22

ijxeqyXNc4 (PID: 5431, Parent: 5377, MD5: 8138f1af1dc51cde924aa2360f12d650) Arguments: /tmp/ijxeqyXNc4

ijxeqyXNc4 New Fork (PID: 5432, Parent: 5431)

ijxeqyXNc4 New Fork (PID: 5433, Parent: 5432)

sh (PID: 5433, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "cat /proc/version"

sh New Fork (PID: 5434, Parent: 5433)

cat (PID: 5434, Parent: 5433, MD5: bad083817ee6cf28643668a67fce3f4e) Arguments: cat /proc/version

ijxeqyXNc4 New Fork (PID: 5435, Parent: 5432)

sh (PID: 5435, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "cat /etc/lsb-release"

sh New Fork (PID: 5436, Parent: 5435)

cat (PID: 5436, Parent: 5435, MD5: bad083817ee6cf28643668a67fce3f4e) Arguments: cat /etc/lsb-release

ijxeqyXNc4 New Fork (PID: 5437, Parent: 5432)

sh (PID: 5437, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/"

sh New Fork (PID: 5438, Parent: 5437)

ln (PID: 5438, Parent: 5437, MD5: 85642a6e6b43fa5b4177f69df37f3ba3) Arguments: ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/

ijxeqyXNc4 New Fork (PID: 5439, Parent: 5432)

sh (PID: 5439, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "chmod 777 /etc/rc.local"

sh New Fork (PID: 5440, Parent: 5439)

chmod (PID: 5440, Parent: 5439, MD5: a3c9079943bd39eee11caecec425e36e) Arguments: chmod 777 /etc/rc.local

ijxeqyXNc4 New Fork (PID: 5441, Parent: 5432)

sh (PID: 5441, Parent: 5432, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "/tmp/ijxeqyXNc4 d 5432"

sh New Fork (PID: 5442, Parent: 5441)

ijxeqyXNc4 (PID: 5442, Parent: 5441, MD5: 8138f1af1dc51cde924aa2360f12d650) Arguments: /tmp/ijxeqyXNc4 d 5432

ijxeqyXNc4 New Fork (PID: 5443, Parent: 5442)

sh (PID: 5443, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c ifconfig

sh New Fork (PID: 5444, Parent: 5443)

ifconfig (PID: 5444, Parent: 5443, MD5: 53aa4bb01899b4d5020230af1a3d5e8b) Arguments: ifconfig

ijxeqyXNc4 New Fork (PID: 5445, Parent: 5442)

sh (PID: 5445, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c dmidecode

sh New Fork (PID: 5446, Parent: 5445)

dmidecode (PID: 5446, Parent: 5445, MD5: f030dde9ad21d7fa298fae2a2286a1c7) Arguments: dmidecode

ijxeqyXNc4 New Fork (PID: 5447, Parent: 5442)

sh (PID: 5447, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "cat /etc/issue"

sh New Fork (PID: 5448, Parent: 5447)

cat (PID: 5448, Parent: 5447, MD5: bad083817ee6cf28643668a67fce3f4e) Arguments: cat /etc/issue

ijxeqyXNc4 New Fork (PID: 5449, Parent: 5442)

sh (PID: 5449, Parent: 5442, MD5: 7409ae3f7b10e059ee70d9079c94b097) Arguments: sh -c "getconf LONG_BIT"

sh New Fork (PID: 5450, Parent: 5449)

getconf (PID: 5450, Parent: 5449, MD5: 419753c9d341f1e7aa8451dea9441fd9) Arguments: getconf LONG_BIT

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ijxeqyXNc4	JoeSecurity_DinodasRAT_1	Yara detected Dinodas RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5431.1.0000000000400000.000000000043f000.r-x.sdmp	JoeSecurity_DinodasRAT_1	Yara detected Dinodas RAT	Joe Security

Snort Signatures

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:16:51.500898
SID:	2051839
Source Port:	41687
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:17:22.705256
SID:	2051868
Source Port:	45210
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:15:49.341725
SID:	2051868
Source Port:	45342
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:17:22.705256
SID:	2051839
Source Port:	45210
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:17:53.785050
SID:	2051839
Source Port:	38251
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:15:18.245782
SID:	2051839
Source Port:	38278
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com) - Source IP: 192.168.2.126 - Destination IP: 1.1.1.1

Timestamp:	04/10/24-11:14:27.079270
SID:	2051867
Source Port:	43079
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN DNS Query to Earth Krahang APT Domain (update .centos-yum .com) - Source IP: 192.168.2.126 - Destination IP: 1.1.1.1

Timestamp:	04/10/24-11:14:27.079270
SID:	2051846
Source Port:	43079
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:15:49.341725
SID:	2051839
Source Port:	45342
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:15:18.245782
SID:	2051868
Source Port:	38278
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:14:47.166945
SID:	2051868
Source Port:	55268
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:16:20.415578
SID:	2051839
Source Port:	50490
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:18:25.105451
SID:	2051839
Source Port:	34962
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:17:53.785050
SID:	2051868
Source Port:	38251
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN DinodasRAT Related CnC Domain in DNS Lookup (update .centos-yum .com) - Source IP: 192.168.2.126 - Destination IP: 1.1.1.1

Timestamp:	04/10/24-11:14:27.079270
SID:	2051837
Source Port:	43079
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Suspected DinodasRAT Related Activity (UDP) - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:14:47.166945
SID:	2051839
Source Port:	55268
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:18:25.105451
SID:	2051868
Source Port:	34962
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:16:20.415578
SID:	2051868
Source Port:	50490
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP - Source IP: 192.168.2.126 - Destination IP: 91.195.240.94

Timestamp:	04/10/24-11:16:51.500898
SID:	2051868
Source Port:	41687
Destination Port:	443
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2051867 ET TROJAN Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com) 192.168.2.126:43079 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051846 ET TROJAN DNS Query to Earth Krahang APT Domain (update .centos-yum .com) 192.168.2.126:43079 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051837 ET TROJAN DinodasRAT Related CnC Domain in DNS Lookup (update .centos-yum .com) 192.168.2.126:43079 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:55268 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:55268 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:38278 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:38278 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:45342 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:45342 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:50490 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:50490 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:41687 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:41687 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:45210 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:45210 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:38251 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:38251 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051868 ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP 192.168.2.126:34962 -> 91.195.240.94:443
Source: Traffic	Snort IDS: 2051839 ET TROJAN Suspected DinodasRAT Related Activity (UDP) 192.168.2.126:34962 -> 91.195.240.94:443

Source: /tmp/ijxeqyXNc4 (PID: 5442)

Reads hosts file: /etc/hosts

Jump to behavior

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: update.centos-yum.com

Source: Initial sample	Potential command found: cat /etc/redhat-release
Source: Initial sample	Potential command found: cat /etc/issue
Source: Initial sample	Potential command found: cat /etc/redhat-releasecat /etc/issue\n\lifconfigHWaddrip alink/ether dmidecodeLinux_%s_%s_%u_V10imei%s%s%s210/0001
Source: Initial sample	Potential command found: cat /proc/version
Source: Initial sample	Potential command found: cat /etc/lsb-release

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal76.troj.evad.lin@0/3@1/0

Persistence and Installation Behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/ijxeqyXNc4 (PID: 5432)

File: /etc/rc.local

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /usr/bin/chmod (PID: 5440)

File: /etc/rc.local (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /tmp/ijxeqyXNc4 (PID: 5431)	File: /tmp/.ijxeqyXNc4.mu	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5431)	Directory: /tmp/.ijxeqyXNc4.mu	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5442)	File: /tmp/.ijxeqyXNc4d.mu	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5442)	Directory: /tmp/.ijxeqyXNc4d.mu	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5442)	Directory: /tmp/.netc.ini	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5442)	File: /tmp/.netc.ini	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5442)	Directory: /tmp/.netc.ini	Jump to behavior

Source: /tmp/ijxeqyXNc4 (PID: 5431)	Empty hidden file: /tmp/.ijxeqyXNc4.mu			Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5442)	Empty hidden file: /tmp/.ijxeqyXNc4d.mu			Jump to behavior

Source: /tmp/ijxeqyXNc4 (PID: 5433)	Shell command executed: sh -c "cat /proc/version"	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5435)	Shell command executed: sh -c "cat /etc/lsb-release"	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5437)	Shell command executed: sh -c "ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/"	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5439)	Shell command executed: sh -c "chmod 777 /etc/rc.local"	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5441)	Shell command executed: sh -c "/tmp/ijxeqyXNc4 d 5432"	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5443)	Shell command executed: sh -c ifconfig	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5445)	Shell command executed: sh -c dmidecode	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5447)	Shell command executed: sh -c "cat /etc/issue"	Jump to behavior
Source: /tmp/ijxeqyXNc4 (PID: 5449)	Shell command executed: sh -c "getconf LONG_BIT"	Jump to behavior

Source: /bin/sh (PID: 5440)

Chmod executable: /usr/bin/chmod -> chmod 777 /etc/rc.local

Jump to behavior

Source: /usr/bin/cat (PID: 5434)	Reads version info: /proc/version			Jump to behavior
Source: /usr/bin/cat (PID: 5448)	Reads version info: /etc/issue			Jump to behavior

Source: /usr/bin/chmod (PID: 5440)

File: /etc/rc.local (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /bin/sh (PID: 5440)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 /etc/rc.local

Jump to behavior

Source: /tmp/ijxeqyXNc4 (PID: 5442)

INI config file created: /tmp/.netc.ini

Jump to dropped file

Source: /tmp/ijxeqyXNc4 (PID: 5432)

Writes shell script file to disk with an unusual file extension: /etc/rc.local

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Source: /bin/sh (PID: 5446)

Dmidecode executable: /usr/sbin/dmidecode dmidecode

Jump to behavior

Source: ELF symbol in initial sample	Symbol name: sleep
Source: ELF symbol in initial sample	Symbol name: usleep

Source: /usr/sbin/ifconfig (PID: 5444)

Queries kernel information via 'uname':

Jump to behavior

Anti Debugging

Executes itself again with its parent PID as an argument (indicative of hampering debugging)

Source: /tmp/ijxeqyXNc4 (PID: 5441)

Process with PPID: /bin/sh -> sh -c "/tmp/ijxeqyXNc4 d 5432"

Jump to behavior

Language, Device and Operating System Detection

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Source: /bin/sh (PID: 5446)

Dmidecode executable: /usr/sbin/dmidecode dmidecode

Jump to behavior

Executes the "getconf" command for querying system configuration variables

Source: /bin/sh (PID: 5450)

Getconf executable: /usr/bin/getconf getconf LONG_BIT

Jump to behavior

Stealing of Sensitive Information

Yara detected Dinodas RAT

Source: Yara match	File source: ijxeqyXNc4, type: SAMPLE
Source: Yara match	File source: 5431.1.0000000000400000.000000000043f000.r-x.sdmp, type: MEMORY

Source: /bin/sh (PID: 5444)

Ifconfig executable: /usr/sbin/ifconfig -> ifconfig

Jump to behavior

Remote Access Functionality

Yara detected Dinodas RAT

Source: Yara match	File source: ijxeqyXNc4, type: SAMPLE
Source: Yara match	File source: 5431.1.0000000000400000.000000000043f000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	Path Interception	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hide Artifacts	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 File and Directory Permissions Modification	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Virtualization/Sandbox Evasion	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
update.centos-yum.com	91.195.240.94	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.195.240.94	update.centos-yum.com	Germany		47846	SEDO-ASDE	true

Created / dropped Files

/etc/rc.local

Download File

Process:	/tmp/ijxeqyXNc4
File Type:	Bourne-Again shell script text executable
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.4004323025356245
Encrypted:	false
SSDEEP:	3:TKH/KoKyx9O6Fn:FY9p
MD5:	F93C16FC0B91F1E059FC86109DED4B42
SHA1:	25C1C897D8037F4087BDBBEB163CC7F951995C41
SHA-256:	B64D2598EB0F74ABA0AEE969ED12C90D784ADD3BD94F723F39C3BD3A41E20243
SHA-512:	E7CBEC597A50C1448FC7B905D8119B7EACFF1F5561E884562BB4B98A0CDD3AD502C77E643C0E3512F499E0F1C8680C961CFFC3818EA43DF0751F9D8B743B1859
Malicious:	true
Reputation:	low
Preview:	#!/bin/bash./tmp/ijxeqyXNc4.exit 0.

/tmp/.netc.ini

Download File

Process:	/tmp/ijxeqyXNc4
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.488129025821929
Encrypted:	false
SSDEEP:	3:EU8VmQEcEXBQB+4jk0MWeBy:EU8sQEdBQBVjn
MD5:	7FC78A4C6CF06AA6E4504254B03E42A7
SHA1:	891318B27DD7BC531B4DEA902782E4F6742FCB18
SHA-256:	CF5C6649DC55BB716EA8D4AE39BD416BC2056A98C9BEA4171873B7219C6C4F27
SHA-512:	85FFE85D362F23C6513C53ACDC09F79A13DDAE8FF631FD410E0A798CF8B14CB3538D9EEC795777DA77E1677214CA418B3A48C2AFAC13C1B3BEA28BD2CF421300
Malicious:	false
Reputation:	low
Preview:	[para]..imei=Linux_20240410_7037b0dd3a251cbd01e8d090b1103c83_13068_V10..

/usr/lib/systemd/system/rc.local.service

Download File

Process:	/tmp/ijxeqyXNc4
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	883
Entropy (8bit):	4.7806761267639715
Encrypted:	false
SSDEEP:	12:zgw5OZRZA2+KugzJw5OZRZA2+Ku2w5OZRZA2+KutGHWrnw5OZRZA2+KutCHWry:vUZRO2xeUZRO2uUZRO272rwUZRO2z2ry
MD5:	DF8C8DD87FEC8005B9461DCFF9D5D6ED
SHA1:	C5509FDA35704C159120BD58EDFF98819665CA88
SHA-256:	C431F6EE6BFD3838BE81826AF0D3D8314252311B02F88DF239AA13060B9CE21B
SHA-512:	4BE2327B55708676C6260882BFE728E1B2D3995E40CE1AE4666D19DC286429BBC0D4EB9F2D5761E4CDABEB5DB43A4C87223CB2255CBF87E046FA504F98CD17B8
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=/etc/rc.local Compatibility.ConditionFileIsExecutable=/etc/rc.local.After=network.target..[Service].Type=forking.ExecStart=/etc/rc.local start.TimeoutSec=0.RemainAfterExit=yes.[Unit].Description=/etc/rc.local Compatibility.ConditionFileIsExecutable=/etc/rc.local.After=network.target..[Service].Type=forking.ExecStart=/etc/rc.local start.TimeoutSec=0.RemainAfterExit=no.[Unit].Description=/etc/rc.local Compatibility.ConditionFileIsExecutable=/etc/rc.local.After=network.target..[Service].Type=forking.ExecStart=/etc/rc.local start.TimeoutSec=0.RemainAfterExit=no...[Install]..WantedBy=multi-user.target..[Unit].Description=/etc/rc.local Compatibility.ConditionFileIsExecutable=/etc/rc.local.After=network.target..[Service].Type=forking.ExecStart=/etc/rc.local start.TimeoutSec=0.RemainAfterExit=no...[Install]..Alias=rc-local.service..WantedBy=multi-user.target..

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
Entropy (8bit):	6.196920594272085
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	ijxeqyXNc4
File size:	261'344 bytes
MD5:	8138f1af1dc51cde924aa2360f12d650
SHA1:	74b1da190d670fa4c207afb0fbca4d7df701538a
SHA256:	15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45
SHA512:	c8d940fedc22b8b032bb4a1dd3815c799b710bfb31e3af1f8eb76ef63e7de0c3394b3ba8d7754975bbb8bcd3dd9408665e8b7e75fa49fea1f2b3dee884792025
SSDEEP:	6144:pP+dv39axq0rT+DnuokS63QeYqn3b6gu+vG/US8NvVkN2Jy8zcvd:k39aVSq7JYq3GgbeT8NvVru
TLSH:	8844E647F1BA44BDC44EC0B001DE2639D5E1B41889967EAF2684FAF117F2B90AF94B47
File Content Preview:	.ELF..............>.......@.....@...................@.8...@.............@.......@.@.....@.@...............................................@.......@...............................................@.......@.....I.......I......... .............P.......P.c....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x402eb0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	8
Section Header Offset:	259552
Section Header Size:	64
Number of Section Headers:	28
Header String Table Index:	27

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x400200	0x200	0x1c	0x0	0x2	A	0	0	1
.note.ABI-tag	NOTE	0x40021c	0x21c	0x20	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x400240	0x240	0x5c	0x0	0x2	A	4	0	8
.dynsym	DYNSYM	0x4002a0	0x2a0	0xd98	0x18	0x2	A	5	1	8
.dynstr	STRTAB	0x401038	0x1038	0x7ab	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0x4017e4	0x17e4	0x122	0x2	0x2	A	4	0	2
.gnu.version_r	VERNEED	0x401908	0x1908	0x90	0x0	0x2	A	5	4	8
.rela.dyn	RELA	0x401998	0x1998	0x78	0x18	0x2	A	4	0	8
.rela.plt	RELA	0x401a10	0x1a10	0xc48	0x18	0x2	A	4	11	8
.init	PROGBITS	0x402658	0x2658	0x18	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x402670	0x2670	0x840	0x10	0x6	AX	0	0	4
.text	PROGBITS	0x402eb0	0x2eb0	0x2f028	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x431ed8	0x31ed8	0xe	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x431f00	0x31f00	0x1292	0x0	0x2	A	0	0	32
.eh_frame_hdr	PROGBITS	0x433194	0x33194	0x148c	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x434620	0x34620	0x5adc	0x0	0x2	A	0	0	8
.gcc_except_table	PROGBITS	0x43a0fc	0x3a0fc	0x404d	0x0	0x2	A	0	0	4
.ctors	PROGBITS	0x63e150	0x3e150	0x1a0	0x0	0x3	WA	0	0	8
.dtors	PROGBITS	0x63e2f0	0x3e2f0	0x10	0x0	0x3	WA	0	0	8
.jcr	PROGBITS	0x63e300	0x3e300	0x8	0x0	0x3	WA	0	0	8
.dynamic	DYNAMIC	0x63e308	0x3e308	0x1f0	0x10	0x3	WA	5	0	8
.got	PROGBITS	0x63e4f8	0x3e4f8	0x8	0x8	0x3	WA	0	0	8
.got.plt	PROGBITS	0x63e500	0x3e500	0x430	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x63e940	0x3e940	0xe4	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x63ea40	0x3ea24	0x430	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0x3ea24	0xac8	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x3f4ec	0xed	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x400040	0x400040	0x1c0	0x1c0	1.8216	0x5	R E	0x8
INTERP	0x200	0x400200	0x400200	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x400000	0x400000	0x3e149	0x3e149	6.2054	0x5	R E	0x200000		.interp .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD	0x3e150	0x63e150	0x63e150	0x8d4	0xd20	2.5157	0x6	RW	0x200000		.ctors .dtors .jcr .dynamic .got .got.plt .data .bss
DYNAMIC	0x3e308	0x63e308	0x63e308	0x1f0	0x1f0	1.5404	0x6	RW	0x8		.dynamic
NOTE	0x21c	0x40021c	0x40021c	0x20	0x20	1.7487	0x4	R	0x4		.note.ABI-tag
GNU_EH_FRAME	0x33194	0x433194	0x433194	0x148c	0x148c	5.2343	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Dynamic Tags

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	librt.so.1	0x1
DT_NEEDED	sharedlib	libpthread.so.0	0x1
DT_NEEDED	sharedlib	libz.so.1	0x1
DT_NEEDED	sharedlib	libstdc++.so.6	0x1
DT_NEEDED	sharedlib	libm.so.6	0x1
DT_NEEDED	sharedlib	libgcc_s.so.1	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_INIT	value	0x402658	0xc
DT_FINI	value	0x431ed8	0xd
DT_GNU_HASH	value	0x400240	0x6ffffef5
DT_STRTAB	value	0x401038	0x5
DT_SYMTAB	value	0x4002a0	0x6
DT_STRSZ	bytes	1963	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x63e500	0x3
DT_PLTRELSZ	bytes	3144	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x401a10	0x17
DT_RELA	value	0x401998	0x7
DT_RELASZ	bytes	120	0x8
DT_RELAENT	bytes	24	0x9
DT_VERNEED	value	0x401908	0x6ffffffe
DT_VERNEEDNUM	value	4	0x6fffffff
DT_VERSYM	value	0x4017e4	0x6ffffff0
DT_NULL	value	0x0	0x0

Symbols

Name	Version Info Name	Version Info File Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_Jv_RegisterClasses			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_Unwind_Resume	GCC_3.0	libgcc_s.so.1	.dynsym	0x0	260	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZN9__gnu_cxx18__exchange_and_addEPVii	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	7	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNKSs7compareEPKc	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	116	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs12_M_leak_hardEv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	52	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs4_Rep10_M_destroyERKSaIcE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	5	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs4_Rep20_S_empty_rep_storageE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x63eb00	32	OBJECT	<unknown>	DEFAULT	25
_ZNSs6appendEPKcm	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	266	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs6appendERKSs	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	170	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs6assignEPKcm	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	218	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs6assignERKSs	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	219	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs6resizeEmc	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	82	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs7reserveEm	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	170	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSs9_M_mutateEmmm	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	437	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSsC1EPKcRKSaIcE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	90	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSsC1EPKcmRKSaIcE	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	35	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSsC1ERKSs	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	120	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSsD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt8ios_base4InitC1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	1942	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZNSt8ios_base4InitD1Ev	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	124	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZSt17__throw_bad_allocv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	50	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZSt18_Rb_tree_decrementPSt18_Rb_tree_node_base	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	81	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZSt18_Rb_tree_incrementPSt18_Rb_tree_node_base	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	81	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZSt20__throw_length_errorPKc	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	223	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZSt28_Rb_tree_rebalance_for_erasePSt18_Rb_tree_node_baseRS_	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	834	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZSt29_Rb_tree_insert_and_rebalancebPSt18_Rb_tree_node_baseS0_RS_	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	347	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_EPKS3_RKS6_			.dynsym	0x42aa20	192	FUNC	<unknown>	DEFAULT	12
_ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_ERKS6_S8_			.dynsym	0x430b30	133	FUNC	<unknown>	DEFAULT	12
_ZTVN10__cxxabiv117__class_type_infoE	CXXABI_1.3	libstdc++.so.6	.dynsym	0x63ea40	88	OBJECT	<unknown>	DEFAULT	25
_ZTVN10__cxxabiv121__vmi_class_type_infoE	CXXABI_1.3	libstdc++.so.6	.dynsym	0x63eaa0	88	OBJECT	<unknown>	DEFAULT	25
_ZdaPv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	5	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZdlPv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	18	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_Znam	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	33	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_Znwm	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	147	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__assert_fail	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	289	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__bss_start			.dynsym	0x63ea24	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__cxa_atexit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	94	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__cxa_begin_catch	CXXABI_1.3	libstdc++.so.6	.dynsym	0x0	128	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__cxa_end_catch	CXXABI_1.3	libstdc++.so.6	.dynsym	0x0	125	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__cxa_rethrow	CXXABI_1.3	libstdc++.so.6	.dynsym	0x0	74	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__errno_location	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	17	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__gmon_start__			.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__gxx_personality_v0	CXXABI_1.3	libstdc++.so.6	.dynsym	0x402d80	1182	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__libc_start_main	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	421	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__lxstat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	75	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__strtol_internal	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	16	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__xstat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	75	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_edata			.dynsym	0x63ea24	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end			.dynsym	0x63ee70	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_fini			.dynsym	0x431ed8	0	FUNC	<unknown>	DEFAULT	13
_init			.dynsym	0x402658	0	FUNC	<unknown>	DEFAULT	10
abort	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	721	FUNC	<unknown>	DEFAULT	SHN_UNDEF
access	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
close	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	108	FUNC	<unknown>	DEFAULT	SHN_UNDEF
closedir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	42	FUNC	<unknown>	DEFAULT	SHN_UNDEF
connect	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	128	FUNC	<unknown>	DEFAULT	SHN_UNDEF
daemon	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	321	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dup2	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
execv	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	15	FUNC	<unknown>	DEFAULT	SHN_UNDEF
exit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	241	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	518	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fcntl	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	194	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fflush	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	254	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgetc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	240	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgets	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	410	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fopen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	10	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fork	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	5	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	144	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fputs	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	314	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fread	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	326	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fseek	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	238	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fseeko64	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	238	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ftell	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	315	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ftello64	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	315	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fwrite	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	355	FUNC	<unknown>	DEFAULT	SHN_UNDEF
geteuid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	8	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gethostbyname	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	425	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	51	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gettimeofday	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	46	FUNC	<unknown>	DEFAULT	SHN_UNDEF
inet_addr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	357	FUNC	<unknown>	DEFAULT	SHN_UNDEF
inet_ntoa	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	135	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ioctl	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
isspace	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	67	FUNC	<unknown>	DEFAULT	SHN_UNDEF
kill	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
localtime_r	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	13	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	1125	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memmove	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	372	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	2843	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mkdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mktime	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	32	FUNC	<unknown>	DEFAULT	SHN_UNDEF
open	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	128	FUNC	<unknown>	DEFAULT	SHN_UNDEF
opendir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	152	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	5	FUNC	<unknown>	DEFAULT	SHN_UNDEF
perror	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	341	FUNC	<unknown>	DEFAULT	SHN_UNDEF
popen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	155	FUNC	<unknown>	DEFAULT	SHN_UNDEF
printf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	162	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_cancel	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	156	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_create	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	2881	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_detach	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	82	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_join	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	352	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_destroy	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	29	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_init	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	396	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_lock	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	1509	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pthread_mutex_unlock	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	10	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rand	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	14	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	128	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	192	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readlink	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	212	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recvfrom	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	161	FUNC	<unknown>	DEFAULT	SHN_UNDEF
remove	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	52	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rename	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
select	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	151	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	212	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sendto	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	161	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	40	FUNC	<unknown>	DEFAULT	SHN_UNDEF
shutdown	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigaddset	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigemptyset	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	49	FUNC	<unknown>	DEFAULT	SHN_UNDEF
signal	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	212	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigprocmask	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	48	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sleep	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	441	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socket	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	37	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socketpair	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	40	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	144	FUNC	<unknown>	DEFAULT	SHN_UNDEF
srand	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	108	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sscanf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	144	FUNC	<unknown>	DEFAULT	SHN_UNDEF
stdout	GLIBC_2.2.5	libc.so.6	.dynsym	0x63eb20	8	OBJECT	<unknown>	DEFAULT	25
strchr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	418	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	33	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	220	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strlen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	233	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strncasecmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	75	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strncmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	179	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strncpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	166	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strrchr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	61	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strstr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	299	FUNC	<unknown>	DEFAULT	SHN_UNDEF
system	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	5	FUNC	<unknown>	DEFAULT	SHN_UNDEF
time	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	18	FUNC	<unknown>	DEFAULT	SHN_UNDEF
usleep	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	57	FUNC	<unknown>	DEFAULT	SHN_UNDEF
vasprintf	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	405	FUNC	<unknown>	DEFAULT	SHN_UNDEF
waitpid	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	173	FUNC	<unknown>	DEFAULT	SHN_UNDEF
write	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	128	FUNC	<unknown>	DEFAULT	SHN_UNDEF

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/10/24-11:16:51.500898	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	41687	443	192.168.2.126	91.195.240.94
04/10/24-11:17:22.705256	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	45210	443	192.168.2.126	91.195.240.94
04/10/24-11:15:49.341725	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	45342	443	192.168.2.126	91.195.240.94
04/10/24-11:17:22.705256	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	45210	443	192.168.2.126	91.195.240.94
04/10/24-11:17:53.785050	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	38251	443	192.168.2.126	91.195.240.94
04/10/24-11:15:18.245782	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	38278	443	192.168.2.126	91.195.240.94
04/10/24-11:14:27.079270	UDP	2051867	ET TROJAN Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com)	43079	53	192.168.2.126	1.1.1.1
04/10/24-11:14:27.079270	UDP	2051846	ET TROJAN DNS Query to Earth Krahang APT Domain (update .centos-yum .com)	43079	53	192.168.2.126	1.1.1.1
04/10/24-11:15:49.341725	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	45342	443	192.168.2.126	91.195.240.94
04/10/24-11:15:18.245782	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	38278	443	192.168.2.126	91.195.240.94
04/10/24-11:14:47.166945	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	55268	443	192.168.2.126	91.195.240.94
04/10/24-11:16:20.415578	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	50490	443	192.168.2.126	91.195.240.94
04/10/24-11:18:25.105451	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	34962	443	192.168.2.126	91.195.240.94
04/10/24-11:17:53.785050	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	38251	443	192.168.2.126	91.195.240.94
04/10/24-11:14:27.079270	UDP	2051837	ET TROJAN DinodasRAT Related CnC Domain in DNS Lookup (update .centos-yum .com)	43079	53	192.168.2.126	1.1.1.1
04/10/24-11:14:47.166945	UDP	2051839	ET TROJAN Suspected DinodasRAT Related Activity (UDP)	55268	443	192.168.2.126	91.195.240.94
04/10/24-11:18:25.105451	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	34962	443	192.168.2.126	91.195.240.94
04/10/24-11:16:20.415578	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	50490	443	192.168.2.126	91.195.240.94
04/10/24-11:16:51.500898	UDP	2051868	ET TROJAN Linux/Dinodas RAT CnC Checkin - UDP	41687	443	192.168.2.126	91.195.240.94

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 10, 2024 11:14:27.079269886 CEST	43079	53	192.168.2.126	1.1.1.1
Apr 10, 2024 11:14:27.120377064 CEST	53	43079	1.1.1.1	192.168.2.126
Apr 10, 2024 11:14:27.121093988 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:29.120635033 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:31.122613907 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:33.129244089 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:35.130264997 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:37.130201101 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:39.141129971 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:41.153228045 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:43.153254986 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:45.165270090 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:47.166944981 CEST	55268	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:14:58.185230017 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:00.197268009 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:02.201262951 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:04.202398062 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:06.206721067 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:08.221261024 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:10.218815088 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:12.227344036 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:14.232481003 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:16.232530117 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:18.245781898 CEST	38278	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:29.283850908 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:31.284523964 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:33.299632072 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:35.312860012 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:37.313183069 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:39.320440054 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:41.333156109 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:43.333252907 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:45.333291054 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:47.341924906 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:15:49.341725111 CEST	45342	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:00.376656055 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:02.379231930 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:04.385230064 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:06.381423950 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:08.382404089 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:10.382457018 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:12.384330034 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:14.392476082 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:16.395550966 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:18.400507927 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:20.415577888 CEST	50490	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:31.446983099 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:33.460840940 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:35.469252110 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:37.468544006 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:39.469147921 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:41.482006073 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:43.481857061 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:45.488805056 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:47.497409105 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:49.496872902 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:16:51.500897884 CEST	41687	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:02.643419027 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:04.645252943 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:06.645814896 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:08.652321100 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:10.653053999 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:12.668294907 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:14.683808088 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:16.683470011 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:18.685420036 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:20.701240063 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:22.705255985 CEST	45210	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:33.724031925 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:35.736510038 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:37.737886906 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:39.753242970 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:41.753247976 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:43.753793001 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:45.765911102 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:47.771455050 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:49.771600008 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:51.778343916 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:17:53.785049915 CEST	38251	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:05.045011044 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:07.066580057 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:09.081686974 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:11.082798004 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:13.091403961 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:15.092485905 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:17.094456911 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:19.095089912 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:21.096115112 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:23.098575115 CEST	34962	443	192.168.2.126	91.195.240.94
Apr 10, 2024 11:18:25.105451107 CEST	34962	443	192.168.2.126	91.195.240.94

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 10, 2024 11:14:27.079269886 CEST	192.168.2.126	1.1.1.1	0x1174	Standard query (0)	update.centos-yum.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 10, 2024 11:14:27.120377064 CEST	1.1.1.1	192.168.2.126	0x1174	No error (0)	update.centos-yum.com		91.195.240.94	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: ijxeqyXNc4 PID: 5431, Parent PID: 5377

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	/tmp/ijxeqyXNc4
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5432, Parent PID: 5431

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5433, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5433, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "cat /proc/version"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5434, Parent PID: 5433

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: cat PID: 5434, Parent PID: 5433

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/usr/bin/cat
Arguments:	cat /proc/version
File size:	35288 bytes
MD5 hash:	bad083817ee6cf28643668a67fce3f4e

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5435, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5435, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "cat /etc/lsb-release"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5436, Parent PID: 5435

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: cat PID: 5436, Parent PID: 5435

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/usr/bin/cat
Arguments:	cat /etc/lsb-release
File size:	35288 bytes
MD5 hash:	bad083817ee6cf28643668a67fce3f4e

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5437, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5437, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5438, Parent PID: 5437

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: ln PID: 5438, Parent PID: 5437

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/usr/bin/ln
Arguments:	ln -s /lib/systemd/system/rc.local.service /etc/systemd/system/
File size:	59912 bytes
MD5 hash:	85642a6e6b43fa5b4177f69df37f3ba3

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5439, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5439, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "chmod 777 /etc/rc.local"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5440, Parent PID: 5439

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: chmod PID: 5440, Parent PID: 5439

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/usr/bin/chmod
Arguments:	chmod 777 /etc/rc.local
File size:	55816 bytes
MD5 hash:	a3c9079943bd39eee11caecec425e36e

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5441, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5441, Parent PID: 5432

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "/tmp/ijxeqyXNc4 d 5432"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5442, Parent PID: 5441

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5442, Parent PID: 5441

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	/tmp/ijxeqyXNc4 d 5432
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5443, Parent PID: 5442

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5443, Parent PID: 5442

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c ifconfig
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5444, Parent PID: 5443

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: ifconfig PID: 5444, Parent PID: 5443

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/usr/sbin/ifconfig
Arguments:	ifconfig
File size:	79024 bytes
MD5 hash:	53aa4bb01899b4d5020230af1a3d5e8b

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5445, Parent PID: 5442

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5445, Parent PID: 5442

General

Start time (UTC):	09:14:25
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c dmidecode
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5446, Parent PID: 5445

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: dmidecode PID: 5446, Parent PID: 5445

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode
File size:	121840 bytes
MD5 hash:	f030dde9ad21d7fa298fae2a2286a1c7

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5447, Parent PID: 5442

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5447, Parent PID: 5442

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "cat /etc/issue"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5448, Parent PID: 5447

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: cat PID: 5448, Parent PID: 5447

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/usr/bin/cat
Arguments:	cat /etc/issue
File size:	35288 bytes
MD5 hash:	bad083817ee6cf28643668a67fce3f4e

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5449, Parent PID: 5442

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/tmp/ijxeqyXNc4
Arguments:	-
File size:	261344 bytes
MD5 hash:	8138f1af1dc51cde924aa2360f12d650

Chronological Activities

Analysis Process: sh PID: 5449, Parent PID: 5442

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	sh -c "getconf LONG_BIT"
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: sh PID: 5450, Parent PID: 5449

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/bin/sh
Arguments:	-
File size:	125688 bytes
MD5 hash:	7409ae3f7b10e059ee70d9079c94b097

Chronological Activities

Analysis Process: getconf PID: 5450, Parent PID: 5449

General

Start time (UTC):	09:14:26
Start date (UTC):	10/04/2024
Path:	/usr/bin/getconf
Arguments:	getconf LONG_BIT
File size:	35112 bytes
MD5 hash:	419753c9d341f1e7aa8451dea9441fd9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, File: File Modification, Firmware: Firmware Modification, Process: OS API Execution, Process: Process Creation, Script: Script Execution, Service: Service Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ijxeqyXNc4

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Created / dropped Files

/etc/rc.local

/tmp/.netc.ini

/usr/lib/systemd/system/rc.local.service

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: ijxeqyXNc4 PID: 5431, Parent PID: 5377

General

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5432, Parent PID: 5431

General

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5433, Parent PID: 5432

General

Chronological Activities

Analysis Process: sh PID: 5433, Parent PID: 5432

General

Chronological Activities

Analysis Process: sh PID: 5434, Parent PID: 5433

General

Chronological Activities

Analysis Process: cat PID: 5434, Parent PID: 5433

General

Chronological Activities

Analysis Process: ijxeqyXNc4 PID: 5435, Parent PID: 5432

Linux Analysis Report
ijxeqyXNc4