Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1536980
MD5:	0238b625efdffe4d312ffc6afd840cf8
SHA1:	d88261c035ba355c7f8267fa3d68a62b3012079f
SHA256:	1f4d4fb0a1ca4abcfcaa37863fa404b78b8eac3e6ed66f6646c94053eb6da894
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Yara detected Mirai

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1536980
Start date and time:	2024-10-18 13:27:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal64.troj.linELF@0/0@0/0

Warnings

VT rate limit hit for: na.elf

Runtime Messages

Command:	/tmp/na.elf
PID:	5519
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

na.elf (PID: 5519, Parent: 5444, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5521, Parent: 5519)

na.elf New Fork (PID: 5523, Parent: 5521)

na.elf New Fork (PID: 5525, Parent: 5521)

na.elf New Fork (PID: 5540, Parent: 5519)

na.elf New Fork (PID: 5541, Parent: 5519)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
na.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5523.1.00007f7750001000.00007f7750019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5523.1.00007f7750001000.00007f7750019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5519.1.00007f7750001000.00007f7750019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5519.1.00007f7750001000.00007f7750019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5521.1.00007f7750001000.00007f7750019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5521.1.00007f7750001000.00007f7750019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5540.1.00007f7750001000.00007f7750019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5540.1.00007f7750001000.00007f7750019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5519	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5519	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x38a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38b9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38cd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38e1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38f5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3909:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x391d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3931:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3945:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3959:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x396d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3981:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3995:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39a9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39bd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39e5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a0d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a21:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a35:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5521	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5521	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x4d94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4da8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4dbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4dd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4de4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4df8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4eac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ec0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ed4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ee8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4efc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4f10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4f24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5523	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5523	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xcf8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xd98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xde8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xdfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5540	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: na.elf PID: 5540	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xbdb4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbdc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbddc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbdf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbea4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbeb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbecc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbf08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbf1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbf30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbf44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Source: global traffic

TCP traffic: 192.168.2.15:58160 -> 45.86.155.23:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.86.155.23

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5523.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5519.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5521.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5540.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5521, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5523, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5540, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/net/tcp.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc/proc/proc/%d/exe/proc/%s/statusName:%s/bin/busybox/bin/systemd/usr/bintest/tmp/condi/tmp/zxcr9999/tmp/condinetwork/var/condibot/var/zxcr9999/var/CondiBot/var/condinet/bin/watchdog45.86.155.23

Source: ELF static info symbol of initial sample

.symtab present: no

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5523.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5519.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5521.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5540.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5521, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5523, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5540, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.troj.linELF@0/0@0/0

Source: /tmp/na.elf (PID: 5519)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1333/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1695/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/911/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3874/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1591/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1585/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/804/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3407/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1484/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/133/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1479/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/931/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1595/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/812/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/933/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3419/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3310/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/262/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/142/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/263/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/264/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/265/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/145/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/266/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/267/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/268/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3303/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/269/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1486/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/1806/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/3440/status	Jump to behavior
Source: /tmp/na.elf (PID: 5519)	File opened: /proc/270/status	Jump to behavior

Source: /tmp/na.elf (PID: 5519)

Queries kernel information via 'uname':

Jump to behavior

Source: na.elf, 5519.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp, na.elf, 5521.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp, na.elf, 5523.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp, na.elf, 5540.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5519.1.000055d8bd139000.000055d8bd1c1000.rw-.sdmp, na.elf, 5521.1.000055d8bd139000.000055d8bd19d000.rw-.sdmp, na.elf, 5523.1.000055d8bd139000.000055d8bd19d000.rw-.sdmp, na.elf, 5540.1.000055d8bd139000.000055d8bd1c1000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: na.elf, 5519.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp, na.elf, 5521.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp, na.elf, 5523.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp, na.elf, 5540.1.00007ffefafd4000.00007ffefaff5000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: na.elf, 5519.1.000055d8bd139000.000055d8bd1c1000.rw-.sdmp, na.elf, 5521.1.000055d8bd139000.000055d8bd19d000.rw-.sdmp, na.elf, 5523.1.000055d8bd139000.000055d8bd19d000.rw-.sdmp, na.elf, 5540.1.000055d8bd139000.000055d8bd1c1000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5523.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5519.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5521.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5540.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5519, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5521, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5523, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5540, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: na.elf, type: SAMPLE
Source: Yara match	File source: 5523.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5519.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5521.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5540.1.00007f7750001000.00007f7750019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: na.elf PID: 5519, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5521, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5523, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: na.elf PID: 5540, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.86.155.23	unknown	Germany		202322	EVERYONE-BANDWIDTH-INCDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.86.155.23	na.elf	Get hash	malicious	Unknown	Browse
45.86.155.23	na.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EVERYONE-BANDWIDTH-INCDE	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	na.elf	Get hash	malicious	Unknown	Browse	45.86.155.23
	http://qgasyntax.com/2753402WB7192675vw697764118Il17367cC38SJr190893GZ	Get hash	malicious	Phisher	Browse	45.13.225.215
	K5P6Oe31Kq.elf	Get hash	malicious	Mirai	Browse	45.133.73.210

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.27386271018054
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	na.elf
File size:	97'552 bytes
MD5:	0238b625efdffe4d312ffc6afd840cf8
SHA1:	d88261c035ba355c7f8267fa3d68a62b3012079f
SHA256:	1f4d4fb0a1ca4abcfcaa37863fa404b78b8eac3e6ed66f6646c94053eb6da894
SHA512:	6eca6159eeb54dec4fd996f4f39752691b55f52c334e5c5749bf72ec1417eb390d3a4422a489088a4ec28dd53b981642875a247ece597ae15e15760f4d38fd15
SSDEEP:	1536:RsSFA59NqetNpGXnwzX8/EqXabQeuacWjcW0JcWcBl4rZpipI4WlV/N4zfVZolAm:GS6NqekOXqqbQeuacWjcW0JcWcBSrZpx
TLSH:	279319C7F810ED7EF80BD67748534D0E7671F2A00A930A227767BA67EC761A5142BD82
File Content Preview:	.ELF.......................D...4..{......4. ...(......................x...x....... .......x............x..*....... .dt.Q............................NV..a....da...P N^NuNV..J9...@f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........@N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	97152
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x1504a	0x0	0x6	AX	4
.fini	PROGBITS	0x800150f2	0x150f2	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80015100	0x15100	0x27c1	0x0	0x2	A	2
.ctors	PROGBITS	0x800198c8	0x178c8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x800198d0	0x178d0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x800198dc	0x178dc	0x264	0x0	0x3	WA	4
.bss	NOBITS	0x80019b40	0x17b40	0x2818	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x17b40	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x178c1	0x178c1	6.2894	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x178c8	0x800198c8	0x800198c8	0x278	0x2a90	3.6517	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 18, 2024 13:27:55.911839008 CEST	58160	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:55.917535067 CEST	3778	58160	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:55.917591095 CEST	58160	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:55.935849905 CEST	58160	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:55.940831900 CEST	3778	58160	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:55.940884113 CEST	58160	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:55.945719957 CEST	3778	58160	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:56.784873009 CEST	3778	58160	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:56.785053968 CEST	58160	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:56.785141945 CEST	58160	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:56.785716057 CEST	58162	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:56.791461945 CEST	3778	58162	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:56.791594982 CEST	58162	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:56.792581081 CEST	58162	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:56.797470093 CEST	3778	58162	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:56.797525883 CEST	58162	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:56.802397013 CEST	3778	58162	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:57.627167940 CEST	3778	58162	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:57.627363920 CEST	58162	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:57.627363920 CEST	58162	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:57.627811909 CEST	58164	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:57.632688999 CEST	3778	58164	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:57.632755041 CEST	58164	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:57.633781910 CEST	58164	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:57.638632059 CEST	3778	58164	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:57.638689995 CEST	58164	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:57.643609047 CEST	3778	58164	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:58.454508066 CEST	3778	58164	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:58.454619884 CEST	58164	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:58.454695940 CEST	58164	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:58.455250025 CEST	58166	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:58.460081100 CEST	3778	58166	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:58.460145950 CEST	58166	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:58.460939884 CEST	58166	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:58.465858936 CEST	3778	58166	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:58.465904951 CEST	58166	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:58.470779896 CEST	3778	58166	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:59.299453974 CEST	3778	58166	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:59.299562931 CEST	58166	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:59.299609900 CEST	58166	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:59.300487995 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:59.305318117 CEST	3778	58168	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:59.305397034 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:59.306143999 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:59.311038017 CEST	3778	58168	45.86.155.23	192.168.2.15
Oct 18, 2024 13:27:59.311093092 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:27:59.315896988 CEST	3778	58168	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.147074938 CEST	3778	58168	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.147113085 CEST	3778	58168	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.147279024 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.147279024 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.147279024 CEST	58168	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.147883892 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.152928114 CEST	3778	58170	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.153002977 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.153757095 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.158734083 CEST	3778	58170	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.158788919 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.163819075 CEST	3778	58170	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.992657900 CEST	3778	58170	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.992706060 CEST	3778	58170	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.993016005 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.993016005 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.993016005 CEST	58170	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.993509054 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.998626947 CEST	3778	58172	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:00.998692036 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:00.999512911 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.005759001 CEST	3778	58172	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.005815983 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.011923075 CEST	3778	58172	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.539935112 CEST	58174	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.544967890 CEST	3778	58174	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.545022964 CEST	58174	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.601846933 CEST	58174	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.606723070 CEST	3778	58174	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.606770992 CEST	58174	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.611758947 CEST	3778	58174	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.826214075 CEST	3778	58172	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.826256037 CEST	3778	58172	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.826288939 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.826333046 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.826344967 CEST	58172	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.826869965 CEST	58176	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.831775904 CEST	3778	58176	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.831845045 CEST	58176	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.832704067 CEST	58176	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.837686062 CEST	3778	58176	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:01.837737083 CEST	58176	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:01.842621088 CEST	3778	58176	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.392359972 CEST	3778	58174	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.392513990 CEST	58174	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.392653942 CEST	58174	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.393241882 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.398117065 CEST	3778	58178	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.398181915 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.399000883 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.403831005 CEST	3778	58178	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.403897047 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.408947945 CEST	3778	58178	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.677953959 CEST	3778	58176	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.678061008 CEST	58176	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.678103924 CEST	58176	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.678797960 CEST	58180	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.683692932 CEST	3778	58180	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.683763027 CEST	58180	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.685050011 CEST	58180	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.689914942 CEST	3778	58180	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:02.689965010 CEST	58180	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:02.694878101 CEST	3778	58180	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.247823000 CEST	3778	58178	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.247853994 CEST	3778	58178	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.247936010 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.247936964 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.248018026 CEST	58178	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.248553991 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.253451109 CEST	3778	58182	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.253513098 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.254342079 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.259373903 CEST	3778	58182	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.259426117 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.264370918 CEST	3778	58182	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.509926081 CEST	3778	58180	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.510019064 CEST	58180	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.510066032 CEST	58180	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.510637999 CEST	58184	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.515533924 CEST	3778	58184	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.515590906 CEST	58184	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.516486883 CEST	58184	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.521485090 CEST	3778	58184	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:03.521531105 CEST	58184	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:03.526395082 CEST	3778	58184	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.080039024 CEST	3778	58182	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.080096006 CEST	3778	58182	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.080123901 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.080147028 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.080168009 CEST	58182	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.080579996 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.085398912 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.085453987 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.086055040 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.090991974 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.091039896 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.095935106 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.355173111 CEST	3778	58184	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.355276108 CEST	58184	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.355276108 CEST	58184	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.355681896 CEST	58188	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.360994101 CEST	3778	58188	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.361051083 CEST	58188	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.361866951 CEST	58188	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.366842031 CEST	3778	58188	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:04.366908073 CEST	58188	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:04.371934891 CEST	3778	58188	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:05.197027922 CEST	3778	58188	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:05.197160959 CEST	58188	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:05.197273016 CEST	58188	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:05.197735071 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:05.203282118 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:05.203380108 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:05.204166889 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:05.209198952 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:05.209239960 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:05.214183092 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:14.096350908 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:14.101367950 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:14.338303089 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:14.338475943 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:15.209634066 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:28:15.214822054 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:15.455979109 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:28:15.456087112 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:29:14.398072004 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:29:14.405742884 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:29:14.642874002 CEST	3778	58186	45.86.155.23	192.168.2.15
Oct 18, 2024 13:29:14.642983913 CEST	58186	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:29:15.500757933 CEST	58190	3778	192.168.2.15	45.86.155.23
Oct 18, 2024 13:29:15.505861044 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:29:15.743264914 CEST	3778	58190	45.86.155.23	192.168.2.15
Oct 18, 2024 13:29:15.743608952 CEST	58190	3778	192.168.2.15	45.86.155.23

System Behavior

Analysis Process: na.elf PID: 5519, Parent PID: 5444

General

Start time (UTC):	11:27:54
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: na.elf PID: 5521, Parent PID: 5519

General

Start time (UTC):	11:27:54
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: na.elf PID: 5523, Parent PID: 5521

General

Start time (UTC):	11:27:54
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: na.elf PID: 5525, Parent PID: 5521

General

Start time (UTC):	11:27:54
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: na.elf PID: 5540, Parent PID: 5519

General

Start time (UTC):	11:28:00
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: na.elf PID: 5541, Parent PID: 5519

General

Start time (UTC):	11:28:00
Start date (UTC):	18/10/2024
Path:	/tmp/na.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: na.elf PID: 5519, Parent PID: 5444

General

Chronological Activities

Analysis Process: na.elf PID: 5521, Parent PID: 5519

General

Chronological Activities

Analysis Process: na.elf PID: 5523, Parent PID: 5521

General

Chronological Activities

Analysis Process: na.elf PID: 5525, Parent PID: 5521

General

Chronological Activities

Analysis Process: na.elf PID: 5540, Parent PID: 5519

General

Chronological Activities

Analysis Process: na.elf PID: 5541, Parent PID: 5519

General

Chronological Activities

Linux Analysis Report
na.elf