
Linux Analysis Report
x7Z7EQGweF.elf

Overview

General Information

Sample name: x7Z7EQGweF.elf (renamed because the original name is a hash value)
Original sample name: 46940c9c72722a7bbad577ebd4712827.elf
Analysis ID: 1441158
MD5: 46940c9c72722a7bbad577ebd4712827
SHA1: 45f9cfdf48c82e5696cf3cdfb4dda2ed33299363
SHA256: 49842e3c19773bccc345dc7bef4cd88a0b5d535de8d1a0fa06922c3fdf92ce4a
Tags: 32, arm, elf, mirai

Detection

Mirai
Score:64
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Note on the behavioural signatures: the sample never got past the loader in this run (exit code 255, stderr "/lib/ld-uClibc.so.0: No such file or directory", see the analysis details). The "rm" executions are children of the cookbook's shell (PID 3670), not of the sample, and the uname query is attributed to PID 5515, whose memory strings identify it as the qemu-arm emulator wrapper rather than ARM code from the file. Only the static findings (Yara and AV) describe the sample itself.

Classification

Report classification widget: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious. This sample is placed in Trojan / Bot with verdict malicious (label mal64.troj.linELF@0/0@2/0).
Joe Sandbox version: 40.0.0 Tourmaline
Start date and time: 2024-05-14 10:59:26 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal64.troj.linELF@0/0@2/0
Cookbook Comments:
  • Analysis time extended to 480s due to sleep detection in submitted sample
Command: /tmp/x7Z7EQGweF.elf
PID: 5515
Exit Code: 255
Exit Code Info:
Killed: False
Standard Output:
Standard Error: /lib/ld-uClibc.so.0: No such file or directory

The exit code and the stderr line together say the load failed. The binary is an ARM executable dynamically linked against uClibc (PT_INTERP /lib/ld-uClibc.so.0 and DT_NEEDED libc.so.0 in the ELF section below), and the x64 Ubuntu guest runs foreign ELF files through qemu-arm via binfmt_misc; neither qemu's guest sysroot (/etc/qemu-binfmt/arm appears in the process memory strings) nor the host root contains that loader. Because the dynamic linker could not be opened, none of the sample's own code executed, and every runtime observation in this report has to be read with that in mind.
Process tree (system: lnxubuntu20):
  • x7Z7EQGweF.elf (PID 5515, parent 5441, process-image MD5 5ebfcae4fe2471fcc5695c2394773ff1), arguments: /tmp/x7Z7EQGweF.elf
  • dash (PID 3670) forks, in order:
      • rm (PID 5528, MD5 aa2b5496fdbfd88e38791ab81f90b95b): rm -f /tmp/tmp.NoyrEueXOg /tmp/tmp.NrssunpPbr /tmp/tmp.4SPJJBn3Ay
      • cat (PID 5529, MD5 7e9d213e404ad3bb82e4ebb2e1f2c1b3): cat /tmp/tmp.NoyrEueXOg
      • head (PID 5530, MD5 fd96a67145172477dd57131396fc9608): head -n 10
      • tr (PID 5531, MD5 fbd1402dd9f72d8ebfff00ce7c3a7bb5): tr -d \\000-\\011\\013\\014\\016-\\037
      • cut (PID 5532, MD5 d8ed0ea8f22c0de0f8692d4d9f1759d3): cut -c -80
      • cat (PID 5533): cat /tmp/tmp.NoyrEueXOg
      • head (PID 5534): head -n 10
      • tr (PID 5535): tr -d \\000-\\011\\013\\014\\016-\\037
      • cut (PID 5536): cut -c -80
      • rm (PID 5537): rm -f /tmp/tmp.NoyrEueXOg /tmp/tmp.NrssunpPbr /tmp/tmp.4SPJJBn3Ay
  • cleanup

Every process other than PID 5515 is a child of the cookbook's shell (PID 3670, dash), not of the sample. The two cat | head -n 10 | tr -d <control characters> | cut -c -80 pipelines read mktemp-style files in /tmp and trim them to ten 80-column lines, which is consistent with the harness collecting the captured output shown above, and the two rm calls delete those files. The process-image MD5 of PID 5515 differs from the sample's own MD5 (46940c9c72722a7bbad577ebd4712827), which together with the qemu-arm strings in its memory (System Summary) shows that the PID belongs to the emulator wrapper.
Malware family reference

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches

Source                                             Rule                          Description          Author
x7Z7EQGweF.elf (file)                              JoeSecurity_Mirai_8           Yara detected Mirai  Joe Security
x7Z7EQGweF.elf (file)                              Linux_Trojan_Gafgyt_28a2fe0c  unknown              unknown
5515.1.00007f6ffc017000.00007f6ffc022000.r-x.sdmp  JoeSecurity_Mirai_8           Yara detected Mirai  Joe Security
5515.1.00007f6ffc017000.00007f6ffc022000.r-x.sdmp  Linux_Trojan_Gafgyt_28a2fe0c  unknown              unknown
Process Memory Space: x7Z7EQGweF.elf PID: 5515     Linux_Trojan_Gafgyt_28a2fe0c  unknown              unknown

String $a of Linux_Trojan_Gafgyt_28a2fe0c (29 bytes):
  2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  which is the ASCII text /x38/xFJ/x93/xID/x9A/x38/xFJ/

Match offsets of $a:
  • x7Z7EQGweF.elf (file) and the r-x memory dump: 21 overlapping matches from 0x95e4 to 0x9774, one every 0x14 bytes (0x95e4, 0x95f8, 0x960c, ..., 0x9760, 0x9774)
  • Process memory space of PID 5515: 21 overlapping matches from 0x13ed4 to 0x14064, one every 0x14 bytes

The 0x14 (20-byte) stride is what the string itself predicts: $a is the 20-byte unit /x38/xFJ/x93/xID/x9A followed by its own first nine bytes, so a region that repeats that unit produces one hit per unit. File offset 0x95e4 is exactly where .rodata begins (section table below), so the repeated literal sits at the start of the read-only data.

No Snort rule has matched
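The scanner below is an added example; it is not code from the report, from Joe Security or from Elastic. It compiles a YARA-style hex string into a bytes regex, reports every overlapping match the way YARA does, and runs it over a constructed buffer that places the repeated 20-byte literal at file offset 0x95e4, so it reproduces the 21-hit run at a 0x14 stride listed above. It goes slightly beyond the rule's own string by also accepting `??` single-byte wildcards, so the same function can be reused for other hex strings. The buffer is constructed, not the sample.

```python
"""YARA-style hex string matcher reproducing the Linux_Trojan_Gafgyt_28a2fe0c hits.

Added example, not code from the report. The buffer SAMPLE_BUFFER is a
constructed stand-in for the start of this sample's .rodata.
"""
from __future__ import annotations

import re

# Hex string $a exactly as listed in the report (29 bytes, no wildcards).
GAFGYT_28A2FE0C_A = (
    "2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 "
    "2F 78 33 38 2F 78 46 4A 2F"
)


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA-style hex string ('AB CD ?? EF') into a bytes regex.

    Each byte token becomes an escaped literal; '??' becomes '.' (any byte,
    including 0x0a thanks to DOTALL). Only these two token forms are handled.
    The pattern is wrapped in a lookahead so that overlapping matches are all
    reported, which is how YARA counts string hits.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {tok!r}")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_all(buf: bytes, hex_string: str) -> list[int]:
    """Return every (overlapping) match offset of hex_string in buf."""
    return [m.start() for m in hex_string_to_regex(hex_string).finditer(buf)]


def stride(offsets: list[int]) -> int | None:
    """Common distance between consecutive offsets, or None if irregular."""
    if len(offsets) < 2:
        return None
    gaps = {b - a for a, b in zip(offsets, offsets[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def hex_string_ascii(hex_string: str) -> str:
    """Decode a wildcard-free hex string to text (for eyeballing literals)."""
    return bytes.fromhex(hex_string.replace(" ", "")).decode("ascii")


# Constructed stand-in for the start of .rodata: the 20-byte unit repeated,
# placed at file offset 0x95e4 as in the report. 21 full units plus 9 bytes
# give exactly 21 overlapping hits of the 29-byte string (0x95e4 .. 0x9774).
UNIT = b"/x38/xFJ/x93/xID/x9A"
RODATA_OFFSET = 0x95E4
SAMPLE_BUFFER = b"\x00" * RODATA_OFFSET + UNIT * 21 + UNIT[:9]


def demo() -> dict:
    """Scan the constructed buffer and summarise the hits."""
    hits = find_all(SAMPLE_BUFFER, GAFGYT_28A2FE0C_A)
    return {
        "ascii": hex_string_ascii(GAFGYT_28A2FE0C_A),
        "first": hits[0],
        "last": hits[-1],
        "count": len(hits),
        "stride": stride(hits),
    }


if __name__ == "__main__":
    r = demo()
    print(f"string: {r['ascii']}")
    print(f"{r['count']} matches from {r['first']:#x} to {r['last']:#x}, "
          f"stride {r['stride']:#x}")
```

Running it prints 21 matches from 0x95e4 to 0x9774 with stride 0x14, the same run the report lists for the file and the r-x dump. On a real file you would pass `open(path, "rb").read()` as the buffer; the process-memory offsets (0x13ed4 onward) differ only because the dump does not start at the file's first byte.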


AV Detection

Source: x7Z7EQGweF.elf  ReversingLabs: detection 63%
Source: x7Z7EQGweF.elf  Virustotal: detection 59%

Networking

Source: unknown  HTTPS traffic detected: 34.243.160.129:443 -> 192.168.2.15:36182, version TLS 1.2 (listed twice in the report)
Source: unknown  TCP traffic detected without corresponding DNS query: 34.243.160.129 (17 occurrences)
Source: global traffic  DNS traffic detected: DNS query daisy.ubuntu.com
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 36182 and on port 36182 -> 443

None of this traffic is attributed to PID 5515; the report itself gives the source as "unknown" or "global traffic". daisy.ubuntu.com is the Ubuntu error-reporting endpoint that the guest's own whoopsie/apport service talks to, and the 34.243.160.129 connection recurs in the context tables below for unrelated samples, including an analysis of systemd-resolved. Since the sample exited at load time, treat both as analysis-environment background rather than command-and-control.

System Summary

Source: x7Z7EQGweF.elf, type: SAMPLE  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5515.1.00007f6ffc017000.00007f6ffc022000.r-x.sdmp, type: MEMORY  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: x7Z7EQGweF.elf PID: 5515, type: MEMORYSTR  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: ELF static info, symbol of initial sample  .symtab present: no
Rule metadata for Linux_Trojan_Gafgyt_28a2fe0c (identical for all three sources): os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine  Classification label: mal64.troj.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5528)  Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NoyrEueXOg /tmp/tmp.NrssunpPbr /tmp/tmp.4SPJJBn3Ay
Source: /usr/bin/dash (PID: 5537)  Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.NoyrEueXOg /tmp/tmp.NrssunpPbr /tmp/tmp.4SPJJBn3Ay
Source: /tmp/x7Z7EQGweF.elf (PID: 5515)  Queries kernel information via 'uname'
Binary or memory strings of PID 5515:
  • 5515.1.0000559b354a7000.0000559b355d5000.rw-.sdmp: U!/etc/qemu-binfmt/arm
  • 5515.1.00007ffc07f0a000.00007ffc07f2b000.rw-.sdmp: qemu: %s: %s
  • 5515.1.00007ffc07f0a000.00007ffc07f2b000.rw-.sdmp: leqemu: %s: %s
  • 5515.1.0000559b354a7000.0000559b355d5000.rw-.sdmp: Urg.qemu.gdb.arm.sys.regs">
  • 5515.1.0000559b354a7000.0000559b355d5000.rw-.sdmp: /etc/qemu-binfmt/arm
  • 5515.1.00007ffc07f0a000.00007ffc07f2b000.rw-.sdmp: /usr/bin/qemu-arm
  • 5515.1.0000559b354a7000.0000559b355d5000.rw-.sdmp: rg.qemu.gdb.arm.sys.regs">
  • 5515.1.00007ffc07f0a000.00007ffc07f2b000.rw-.sdmp (argv and environment block, NUL separators rendered as spaces): x86_64 /usr/bin/qemu-arm /tmp/x7Z7EQGweF.elf SUDO_USER=saturnino PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin DISPLAY=:1.0 XAUTHORITY=/run/user/1000/gdm/Xauthority SUDO_UID=1000 TERM=xterm-256color COLORTERM=truecolor LOGNAME=root USER=root LANG=en_US.UTF-8 SUDO_COMMAND=/bin/bash HOME=/root MAIL=/var/mail/root SUDO_GID=1000 SHELL=/bin/bash /tmp/x7Z7EQGweF.elf

Both rm entries are the cookbook shell cleaning up its own temp files (see the process tree). The strings show what PID 5515 actually is: its argv block starts with /usr/bin/qemu-arm followed by /tmp/x7Z7EQGweF.elf, its environment is the sandbox operator's root shell, and /etc/qemu-binfmt/arm is qemu-user's sysroot for guest paths. The uname query therefore comes from the emulator process, not from the sample's ARM code, which never loaded.

Stealing of Sensitive Information

Source: Yara match  File source: x7Z7EQGweF.elf, type: SAMPLE
Source: Yara match  File source: 5515.1.00007f6ffc017000.00007f6ffc022000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match  File source: x7Z7EQGweF.elf, type: SAMPLE
Source: Yara match  File source: 5515.1.00007f6ffc017000.00007f6ffc022000.r-x.sdmp, type: MEMORY
MITRE ATT&CK matrix

Techniques flagged for this sample (count badge as printed in the grid):
  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)

All other cells of the 14-column grid (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) are unflagged placeholders from the report template, for example Windows Management Instrumentation, LSASS Memory and Remote Desktop Protocol, and say nothing about this Linux sample. The flagged techniques correspond to the behavioural signatures and network observations above, which, as noted there, stem from the harness and the analysis environment rather than from the sample's code.
      No configs have been found
Behavior graph (ID 1441158, sample x7Z7EQGweF.elf, start date 14/05/2024, architecture LINUX, score 64), as text:
  • Network nodes: 34.243.160.129 (ports 36182 and 443; AMAZON-02, United States); daisy.ubuntu.com
  • Signature nodes: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai
  • Process nodes: dash rm, dash head, dash tr and 8 other processes started

AV scanner results

Source            Detection  Scanner        Label
x7Z7EQGweF.elf    63%        ReversingLabs  Linux.Trojan.Mirai
x7Z7EQGweF.elf    59%        Virustotal
daisy.ubuntu.com  0%         Virustotal
No other antivirus matches (dropped files, URLs, IPs)


Domains

Name              IP             Active  Malicious  Antivirus Detection  Reputation
daisy.ubuntu.com  162.213.35.24  true    false      (none)               unknown

IPs

IP              Domain   Country        ASN    ASN Name     Malicious
34.243.160.129  unknown  United States  16509  AMAZON-02US  false
Context: other analyses sharing indicators with this one

IP 34.243.160.129, also contacted by: By6egQ1Y7o.elf (Mirai), ZIWzknTM3o.elf (Mirai), 1XxZTVeKf6.elf (Unknown), f4twIqJjVs.elf (Mirai), a-r.m-4.ISIS.elf (Gafgyt), a-r.m-5.ISIS.elf (Gafgyt), Aqua.x86-20240509-2041.elf (Mirai), fuckjewishpeople.arm6.elf (Gafgyt, Mirai), Aqua.x86-20240508-2208.elf (Mirai), 0bB3bZhaGj.elf (Unknown); all marked malicious.

Domain daisy.ubuntu.com, also resolved by (resolved IP in parentheses): 34qYisu1zX.elf, Mirai (162.213.35.25); MzIP71OrfX.elf, Mirai (162.213.35.24); g058ub3UiN.elf, Mirai (162.213.35.24); SecuriteInfo.com.Linux.Siggen.9999.13162.26731.elf, Unknown (162.213.35.25); Qc2LYywLSU.elf, Mirai (162.213.35.24); jd8fmuz66T.elf, Mirai (162.213.35.25); yR5kMJRT0m.elf, Mirai (162.213.35.24); ZOLHuIF3KI.elf, Mirai (162.213.35.24); 3ZpiV0RZOs.elf, Mirai (162.213.35.24); nLCP3IcKZ7.elf, Mirai (162.213.35.24); all marked malicious.

ASN AMAZON-02US, also seen in (IP in parentheses): 7ddC4vZvSX.elf, Mirai (54.168.12.167); n6UMcur8v3.elf, Mirai (18.178.67.7); bqHlnibJh9.elf, Mirai (54.169.74.200); https://www.gelink.nu/hulsbeek/test.html, Unknown (18.155.192.123); https://flow.page/cbullsdocs, Unknown (18.154.144.57); https://147.45.47.87, Unknown (35.161.72.113); P240842_P240843.exe, FormBook, PureLog Stealer (3.64.163.50); RBCCojYZjb.exe, Metasploit (13.53.131.190); https://skierife.com/capcha/public/?id=google.auth.Adfjguirojs==Jh7dbwJ12io3d4dotYWNoYXRzQGNoZW0ubHU=, HTMLPhisher (13.226.210.108); 4333.exe, DBatLoader, FormBook (76.223.67.189); all marked malicious.

TLS client fingerprint (JA3) fb4726d465c5f28b84cd6d14cedd13a7, also seen in: g058ub3UiN.elf (Mirai), SecuriteInfo.com.Linux.Siggen.9999.20934.12421.elf (Unknown), Aqua.x86.elf (Mirai), bot.mips.elf (Mirai, Okiru), 2oxo8KJQv0.elf (Mirai), f4twIqJjVs.elf (Mirai), ZaakFRkzk0.elf (Mirai), 0bB3bZhaGj.elf (Unknown), systemd-resolved (Unknown), 3omgEnWD0H.elf (Mirai); every one of them connecting to 34.243.160.129.

How to read these tables: an IP that Mirai and Gafgyt samples, Windows stealers, phishing URLs and a submitted copy of systemd-resolved all "contact" from the same sandbox, with the same JA3 fingerprint, is a property of the analysis environment, not shared attacker infrastructure. It should not go on a blocklist on the strength of this report, and the "malicious" column here reflects the verdict of the other samples, not of the indicator.
                          No context
                          No created / dropped files found
                          File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
                          Entropy (8bit):6.128095560617652
                          TrID:
                          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                          File name:x7Z7EQGweF.elf
                          File size:47'728 bytes
                          MD5:46940c9c72722a7bbad577ebd4712827
                          SHA1:45f9cfdf48c82e5696cf3cdfb4dda2ed33299363
                          SHA256:49842e3c19773bccc345dc7bef4cd88a0b5d535de8d1a0fa06922c3fdf92ce4a
                          SHA512:b87f78cfbee68e0aacab62cfca52a49f61f38e6114ddccb5f379bbf4262045540fae787b2b25d89e6eb079733029517650ecd36875cde926d25aa8dd80e54e12
                          SSDEEP:768:FiM7wTpcv2eaWDzbJ+Qxk2ilyrVO8/7MWfq4apYPC64+aBk2f/7LJiiTa77AjZYn:ea2azb0QxkiH/7vfrapwW1Fm7kja10U/
                          TLSH:89231996B8829B2AC1D022BAF57E995C3764A7E5D3DF3217CC601B207AC610F1E63F45
                          File Content Preview:.ELF...a..........(.....|...4...........4. ...(.........4...4...4...................................................................................................,...|...........................................Q.td............................/lib/ld-uCl

                          ELF header

                          Class:ELF32
                          Data:2's complement, little endian
                          Version:1 (current)
                          Machine:ARM
                          Version Number:0x1
                          Type:EXEC (Executable file)
                          OS/ABI:ARM - ABI
                          ABI Version:0
                          Entry Point Address:0x8f7c
                          Flags:0x2
                          ELF Header Size:52
                          Program Header Offset:52
                          Program Header Size:32
                          Number of Program Headers:6
                          Section Header Offset:47008
                          Section Header Size:40
                          Number of Section Headers:18
                          Header String Table Index:17
Section headers

Name       Type      Address  Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
(null)     NULL      0x0      0x0     0x0     0x0      0x0                       0     0     0
.interp    PROGBITS  0x80f4   0xf4    0x14    0x0      0x2    A                  0     0     1
.hash      HASH      0x8108   0x108   0x23c   0x4      0x2    A                  3     0     4
.dynsym    DYNSYM    0x8344   0x344   0x4a0   0x10     0x2    A                  4     1     4
.dynstr    STRTAB    0x87e4   0x7e4   0x254   0x0      0x2    A                  0     0     1
.rel.plt   REL       0x8a38   0xa38   0x1b0   0x8      0x2    A                  3     7     4
.init      PROGBITS  0x8be8   0xbe8   0x18    0x0      0x6    AX                 0     0     4
.plt       PROGBITS  0x8c00   0xc00   0x29c   0x4      0x6    AX                 0     0     4
.text      PROGBITS  0x8e9c   0xe9c   0x8734  0x0      0x6    AX                 0     0     4
.fini      PROGBITS  0x115d0  0x95d0  0x14    0x0      0x6    AX                 0     0     4
.rodata    PROGBITS  0x115e4  0x95e4  0x1638  0x0      0x2    A                  0     0     4
.ctors     PROGBITS  0x1b000  0xb000  0x8     0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x1b008  0xb008  0x8     0x0      0x3    WA                 0     0     4
.dynamic   DYNAMIC   0x1b014  0xb014  0x98    0x8      0x3    WA                 4     0     4
.got       PROGBITS  0x1b0ac  0xb0ac  0xe4    0x4      0x3    WA                 0     0     4
.data      PROGBITS  0x1b190  0xb190  0x59c   0x0      0x3    WA                 0     0     4
.bss       NOBITS    0x1b72c  0xb72c  0xe50   0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0      0xb72c  0x73    0x0      0x0                       0     0     1

There is no .symtab or .strtab (the binary is stripped); .dynsym and .dynstr survive because the dynamic linker needs them, which is the only reason the symbol list further down exists. The .rodata file offset 0x95e4 is the first match offset of the Gafgyt Yara string, and the section table itself sits at 0xb7a0 (47008) right after .shstrtab, with 18 entries of 40 bytes ending at the 47'728-byte file size.
Program headers

Type       Offset  VirtAddr  PhysAddr  FileSize  MemSize  Entropy  Flags  Flags Description  Align   Prog Interpreter     Section Mappings
PHDR       0x34    0x8034    0x8034    0xc0      0xc0     2.1949   0x5    R E                0x4
INTERP     0xf4    0x80f4    0x80f4    0x14      0x14     3.6842   0x4    R                  0x1     /lib/ld-uClibc.so.0  .interp
LOAD       0x0     0x8000    0x8000    0xac1c    0xac1c   6.2526   0x5    R E                0x8000                       .interp .hash .dynsym .dynstr .rel.plt .init .plt .text .fini .rodata
LOAD       0xb000  0x1b000   0x1b000   0x72c     0x157c   4.2183   0x6    RW                 0x8000                       .ctors .dtors .dynamic .got .data .bss
DYNAMIC    0xb014  0x1b014   0x1b014   0x98      0x98     1.8984   0x6    RW                 0x4                          .dynamic
GNU_STACK  0x0     0x0       0x0       0x0       0x0      0.0000   0x7    RWE                0x4

Two entries matter for triage. PT_INTERP names /lib/ld-uClibc.so.0, the uClibc dynamic linker of the embedded cross toolchain this was built with, and that is the path the analysis host could not open. PT_GNU_STACK carries flags 0x7 (RWE), so the binary asks for an executable stack; that is common for old uClibc toolchain output, and on a kernel that honours PT_GNU_STACK the process stack is mapped executable.
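The parser below is an added example, not code from the report or from Joe Sandbox. It reads exactly the fields listed in the static section (ELF32 header, program headers, the PT_INTERP path and the PT_GNU_STACK flags) and reproduces the loader's verdict: the kernel, or qemu-user under binfmt_misc, has to open the interpreter before any program code runs, so a missing interpreter ends the process at load time with the stderr line seen in this analysis. The image it parses is built by `build_constructed_image()`, a minimal constructed ELF32 ARM file that reuses the sample's header values (entry 0x8f7c, flags 0x2, OS/ABI ARM, the same three program-header types with the same flags); it is not the sample and carries no code.

```python
"""Parse an ELF32 header and program headers and explain a PT_INTERP load failure.

Added example, not code from the report. The image from
build_constructed_image() is a constructed minimal ELF32/ARM file, not the sample.
"""
import os
import struct

EM_ARM = 40
ELFOSABI_ARM = 0x61              # e_ident[EI_OSABI] rendered as "ARM - ABI" in the report
PT_INTERP, PT_PHDR = 3, 6
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<HHIIIIIHHHHHH"      # Elf32_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"           # Elf32_Phdr


def parse_elf32(data: bytes) -> dict:
    """Return header fields, program headers, PT_INTERP path and stack flags."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, e_flags, _, e_phentsize,
     e_phnum, _, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags,
         p_align) = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr,
                      "filesz": p_filesz, "memsz": p_memsz, "flags": p_flags,
                      "align": p_align})
    interp = None
    for ph in phdrs:
        if ph["type"] == PT_INTERP:
            raw = data[ph["offset"]:ph["offset"] + ph["filesz"]]
            interp = raw.split(b"\x00", 1)[0].decode("ascii")
    stack = next((ph for ph in phdrs if ph["type"] == PT_GNU_STACK), None)
    return {
        "osabi": data[7], "type": e_type, "machine": e_machine, "entry": e_entry,
        "flags": e_flags, "phnum": e_phnum, "shoff": e_shoff, "shnum": e_shnum,
        "shstrndx": e_shstrndx, "interp": interp, "phdrs": phdrs,
        # Executable stack only if PT_GNU_STACK is present and carries PF_X.
        "exec_stack": bool(stack and stack["flags"] & PF_X),
    }


def flags_desc(p_flags: int) -> str:
    """Render p_flags the way the report does, e.g. 0x7 -> 'RWE'."""
    return "".join(ch for bit, ch in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E"))
                   if p_flags & bit)


def load_diagnosis(info: dict, exists=os.path.exists) -> str:
    """Explain what execve() would do with this file on a given host.

    `exists` is injectable so the check can be pointed at a sysroot (what
    qemu-user does with its guest prefix) or replaced in a test.
    """
    if info["interp"] is None:
        return "static binary: no PT_INTERP"
    if not exists(info["interp"]):
        return f"{info['interp']}: No such file or directory"
    return "interpreter present"


def build_constructed_image() -> bytes:
    """Minimal constructed ELF32/ARM image reusing this sample's header values."""
    interp = b"/lib/ld-uClibc.so.0\x00"                  # 0x14 bytes, as reported
    phnum = 3
    e_ident = b"\x7fELF" + bytes([1, 1, 1, ELFOSABI_ARM]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, EM_ARM, 1, 0x8F7C, 52, 0, 0x2,
                                 52, 32, phnum, 40, 0, 0)

    def phdr(p_type, off, vaddr, filesz, memsz, flags, align):
        return struct.pack(PHDR_FMT, p_type, off, vaddr, vaddr, filesz, memsz,
                           flags, align)

    phdrs = (phdr(PT_PHDR, 0x34, 0x8034, 32 * phnum, 32 * phnum, PF_R | PF_X, 4)
             + phdr(PT_INTERP, 0xF4, 0x80F4, len(interp), len(interp), PF_R, 1)
             + phdr(PT_GNU_STACK, 0, 0, 0, 0, PF_R | PF_W | PF_X, 4))
    body = ehdr + phdrs
    return body + b"\x00" * (0xF4 - len(body)) + interp


if __name__ == "__main__":
    info = parse_elf32(build_constructed_image())
    print(f"machine={info['machine']} entry={info['entry']:#x} "
          f"interp={info['interp']} exec_stack={info['exec_stack']}")
    for ph in info["phdrs"]:
        print(f"  type={ph['type']:#x} flags={flags_desc(ph['flags'])}")
    print(load_diagnosis(info))
```

On a host without uClibc the last line printed is "/lib/ld-uClibc.so.0: No such file or directory", the same text the sandbox captured on stderr. To run the real sample the interpreter would have to be supplied under qemu-arm's guest prefix (the /etc/qemu-binfmt/arm directory referenced in the process memory strings) or the file would have to be run on an ARM target that ships uClibc.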
Dynamic section

Type         Meta       Value      Tag
DT_NEEDED    sharedlib  libc.so.0  0x1
DT_INIT      value      0x8be8     0xc
DT_FINI      value      0x115d0    0xd
DT_HASH      value      0x8108     0x4
DT_STRTAB    value      0x87e4     0x5
DT_SYMTAB    value      0x8344     0x6
DT_STRSZ     bytes      596        0xa
DT_SYMENT    bytes      16         0xb
DT_DEBUG     value      0x0        0x15
DT_PLTGOT    value      0x1b0ac    0x3
DT_PLTRELSZ  bytes      432        0x2
DT_PLTREL    pltrel     DT_REL     0x14
DT_JMPREL    value      0x8a38     0x17
DT_NULL      value      0x0        0x0

The single DT_NEEDED entry, libc.so.0, is the uClibc C library soname (glibc's is libc.so.6), consistent with the interpreter path above. DT_PLTRELSZ of 432 bytes at 8 bytes per Elf32_Rel gives 54 PLT relocations, i.e. 54 imported functions; the .plt size of 0x29c bytes (a 20-byte PLT0 plus 54 entries of 12 bytes) agrees. The dynamic symbol list below is the alphabetically sorted record of those imports plus the few defined symbols, and the copy on this page stops at read.
Name              Section Name  Value    Size  Symbol Type  Symbol Bind  Symbol Visibility  Ndx
                  .dynsym       0x0      0     NOTYPE       <unknown>    DEFAULT            SHN_UNDEF
__aeabi_idiv0     .dynsym       0x11590  4     FUNC         <unknown>    DEFAULT            8
__aeabi_ldiv0     .dynsym       0x11590  4     FUNC         <unknown>    DEFAULT            8
__aeabi_uidiv     .dynsym       0x112d0  0     FUNC         <unknown>    DEFAULT            8
__aeabi_uidivmod  .dynsym       0x113c8  24    FUNC         <unknown>    DEFAULT            8
__bss_end__       .dynsym       0x1c57c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
__bss_start       .dynsym       0x1b72c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
__bss_start__     .dynsym       0x1b72c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
__data_start      .dynsym       0x1b190  0     NOTYPE       <unknown>    DEFAULT            17
__div0            .dynsym       0x11590  4     FUNC         <unknown>    DEFAULT            8
__end__           .dynsym       0x1c57c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
__errno_location  .dynsym       0x8e00   32    FUNC         <unknown>    DEFAULT            SHN_UNDEF
__modsi3          .dynsym       0x114ac  228   FUNC         <unknown>    DEFAULT            8
__uClibc_main     .dynsym       0x8dac   488   FUNC         <unknown>    DEFAULT            SHN_UNDEF
__udivsi3         .dynsym       0x112d0  248   FUNC         <unknown>    DEFAULT            8
__umodsi3         .dynsym       0x113e0  204   FUNC         <unknown>    DEFAULT            8
_bss_end__        .dynsym       0x1c57c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
_edata            .dynsym       0x1b72c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
_end              .dynsym       0x1c57c  0     NOTYPE       <unknown>    DEFAULT            SHN_ABS
_start            .dynsym       0x8f7c   80    FUNC         <unknown>    DEFAULT            8
abort             .dynsym       0x8cec   352   FUNC         <unknown>    DEFAULT            SHN_UNDEF
atoi              .dynsym       0x8e18   12    FUNC         <unknown>    DEFAULT            SHN_UNDEF
bind              .dynsym       0x8d28   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
calloc            .dynsym       0x8cf8   88    FUNC         <unknown>    DEFAULT            SHN_UNDEF
clock             .dynsym       0x8e3c   52    FUNC         <unknown>    DEFAULT            SHN_UNDEF
close             .dynsym       0x8e6c   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
closedir          .dynsym       0x8e54   196   FUNC         <unknown>    DEFAULT            SHN_UNDEF
connect           .dynsym       0x8c38   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
exit              .dynsym       0x8e0c   172   FUNC         <unknown>    DEFAULT            SHN_UNDEF
fcntl             .dynsym       0x8e60   116   FUNC         <unknown>    DEFAULT            SHN_UNDEF
fork              .dynsym       0x8da0   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
free              .dynsym       0x8e78   288   FUNC         <unknown>    DEFAULT            SHN_UNDEF
getpid            .dynsym       0x8c68   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
getppid           .dynsym       0x8dd0   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
getsockname       .dynsym       0x8e90   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
getsockopt        .dynsym       0x8df4   48    FUNC         <unknown>    DEFAULT            SHN_UNDEF
inet_addr         .dynsym       0x8d34   36    FUNC         <unknown>    DEFAULT            SHN_UNDEF
inet_ntoa         .dynsym       0x8dc4   36    FUNC         <unknown>    DEFAULT            SHN_UNDEF
ioctl             .dynsym       0x8c20   80    FUNC         <unknown>    DEFAULT            SHN_UNDEF
kill              .dynsym       0x8d10   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
listen            .dynsym       0x8d94   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
malloc            .dynsym       0x8c8c   400   FUNC         <unknown>    DEFAULT            SHN_UNDEF
memcpy            .dynsym       0x8c80   4     FUNC         <unknown>    DEFAULT            SHN_UNDEF
memmove           .dynsym       0x8c50   4     FUNC         <unknown>    DEFAULT            SHN_UNDEF
memset            .dynsym       0x8db8   156   FUNC         <unknown>    DEFAULT            SHN_UNDEF
open              .dynsym       0x8e30   92    FUNC         <unknown>    DEFAULT            SHN_UNDEF
opendir           .dynsym       0x8de8   264   FUNC         <unknown>    DEFAULT            SHN_UNDEF
prctl             .dynsym       0x8c74   48    FUNC         <unknown>    DEFAULT            SHN_UNDEF
puts              .dynsym       0x0      200   FUNC         <unknown>    DEFAULT            SHN_UNDEF
read              .dynsym       0x8d70   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
readdir           .dynsym       0x8cc8   224   FUNC         <unknown>    DEFAULT            SHN_UNDEF
readlink          .dynsym       0x0      44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
realloc           .dynsym       0x8d88   312   FUNC         <unknown>    DEFAULT            SHN_UNDEF
recv              .dynsym       0x8c2c   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
recvfrom          .dynsym       0x8ca4   52    FUNC         <unknown>    DEFAULT            SHN_UNDEF
select            .dynsym       0x8cbc   48    FUNC         <unknown>    DEFAULT            SHN_UNDEF
send              .dynsym       0x8ce0   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
sendto            .dynsym       0x8d7c   52    FUNC         <unknown>    DEFAULT            SHN_UNDEF
setsid            .dynsym       0x8e48   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
setsockopt        .dynsym       0x8d40   48    FUNC         <unknown>    DEFAULT            SHN_UNDEF
sigaddset         .dynsym       0x8cd4   48    FUNC         <unknown>    DEFAULT            SHN_UNDEF
sigemptyset       .dynsym       0x8c44   24    FUNC         <unknown>    DEFAULT            SHN_UNDEF
signal            .dynsym       0x8d64   200   FUNC         <unknown>    DEFAULT            SHN_UNDEF
sigprocmask       .dynsym       0x8e84   84    FUNC         <unknown>    DEFAULT            SHN_UNDEF
sleep             .dynsym       0x8c98   420   FUNC         <unknown>    DEFAULT            SHN_UNDEF
socket            .dynsym       0x8cb0   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
strcasestr        .dynsym       0x8d4c   168   FUNC         <unknown>    DEFAULT            SHN_UNDEF
strcat            .dynsym       0x8d1c   40    FUNC         <unknown>    DEFAULT            SHN_UNDEF
strcpy            .dynsym       0x8c14   28    FUNC         <unknown>    DEFAULT            SHN_UNDEF
strlen            .dynsym       0x8e24   96    FUNC         <unknown>    DEFAULT            SHN_UNDEF
strstr            .dynsym       0x8d58   248   FUNC         <unknown>    DEFAULT            SHN_UNDEF
time              .dynsym       0x8ddc   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF
usleep            .dynsym       0x8c5c   76    FUNC         <unknown>    DEFAULT            SHN_UNDEF
write             .dynsym       0x8d04   44    FUNC         <unknown>    DEFAULT            SHN_UNDEF


                          • Total Packets: 19
                          • 443 (HTTPS)
                          • 53 (DNS)
Timestamp                          Source Port  Dest Port  Source IP       Dest IP
May 14, 2024 11:00:09.416610956 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:09.726315975 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:09.726444960 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:09.727457047 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.040967941 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174618959 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174633026 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174643993 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174654007 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174664021 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174675941 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.174756050 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.174756050 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.174782991 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.174782991 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.174782991 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.174782991 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.175518990 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.485081911 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.546586990 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.546750069 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.546775103 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.856415987 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.856534004 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.856547117 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:10.856620073 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.856620073 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:10.857616901 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:11.167325974 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:11.167504072 CEST  36182        443        192.168.2.15    34.243.160.129
May 14, 2024 11:00:11.170047998 CEST  443          36182      34.243.160.129  192.168.2.15
May 14, 2024 11:00:11.170088053 CEST  36182        443        192.168.2.15    34.243.160.129
Timestamp                          Source Port  Dest Port  Source IP     Dest IP
May 14, 2024 11:02:49.324208021 CEST  56214        53         192.168.2.15  8.8.8.8
May 14, 2024 11:02:49.324268103 CEST  44190        53         192.168.2.15  8.8.8.8
May 14, 2024 11:02:49.476613998 CEST  53           56214      8.8.8.8       192.168.2.15
May 14, 2024 11:02:49.476641893 CEST  53           44190      8.8.8.8       192.168.2.15
Timestamp                          Source IP     Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
May 14, 2024 11:02:49.324208021 CEST  192.168.2.15  8.8.8.8  0xe83d    Standard query (0)  daisy.ubuntu.com  A (IP address)  IN (0x0001)  false
May 14, 2024 11:02:49.324268103 CEST  192.168.2.15  8.8.8.8  0xf7fe    Standard query (0)  daisy.ubuntu.com  28              IN (0x0001)  false
Timestamp                          Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address        Type            Class        DNS over HTTPS
May 14, 2024 11:02:49.476613998 CEST  8.8.8.8    192.168.2.15  0xe83d    No error (0)  daisy.ubuntu.com         162.213.35.24  A (IP address)  IN (0x0001)  false
May 14, 2024 11:02:49.476613998 CEST  8.8.8.8    192.168.2.15  0xe83d    No error (0)  daisy.ubuntu.com         162.213.35.25  A (IP address)  IN (0x0001)  false
Timestamp:May 14, 2024 11:00:10.174675941 CEST
Source IP:34.243.160.129
Source Port:443
Dest IP:192.168.2.15
Dest Port:36182
Subject:CN=motd.ubuntu.com
Issuer:CN=R3, O=Let's Encrypt, C=US
Not Before:Thu Mar 07 10:27:55 CET 2024
Not After:Wed Jun 05 11:27:54 CEST 2024
JA3 SSL Client Fingerprint:771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-69-68-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2
JA3 SSL Client Digest:fb4726d465c5f28b84cd6d14cedd13a7

Issuing certificate in the same chain:
Subject:CN=R3, O=Let's Encrypt, C=US
Issuer:CN=ISRG Root X1, O=Internet Security Research Group, C=US
Not Before:Fri Sep 04 02:00:00 CEST 2020
Not After:Mon Sep 15 18:00:00 CEST 2025

                          System Behavior

                          Start time (UTC):09:00:01
                          Start date (UTC):14/05/2024
                          Path:/tmp/x7Z7EQGweF.elf
                          Arguments:/tmp/x7Z7EQGweF.elf
                          File size:4956856 bytes
                          MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/rm
                          Arguments:rm -f /tmp/tmp.NoyrEueXOg /tmp/tmp.NrssunpPbr /tmp/tmp.4SPJJBn3Ay
                          File size:72056 bytes
                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/cat
                          Arguments:cat /tmp/tmp.NoyrEueXOg
                          File size:43416 bytes
                          MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/head
                          Arguments:head -n 10
                          File size:47480 bytes
                          MD5 hash:fd96a67145172477dd57131396fc9608

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/tr
                          Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                          File size:51544 bytes
                          MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/cut
                          Arguments:cut -c -80
                          File size:47480 bytes
                          MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/cat
                          Arguments:cat /tmp/tmp.NoyrEueXOg
                          File size:43416 bytes
                          MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/head
                          Arguments:head -n 10
                          File size:47480 bytes
                          MD5 hash:fd96a67145172477dd57131396fc9608

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/tr
                          Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                          File size:51544 bytes
                          MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/cut
                          Arguments:cut -c -80
                          File size:47480 bytes
                          MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/dash
                          Arguments:-
                          File size:129816 bytes
                          MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                          Start time (UTC):09:00:10
                          Start date (UTC):14/05/2024
                          Path:/usr/bin/rm
                          Arguments:rm -f /tmp/tmp.NoyrEueXOg /tmp/tmp.NrssunpPbr /tmp/tmp.4SPJJBn3Ay
                          File size:72056 bytes
                          MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b