Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:na.elf
Analysis ID:1536982
MD5:e34fc9c8ebd7b51c24cf7c82a65e071b
SHA1:341fe5ae36c096c333ad2a43295abbae8b78b321
SHA256:0c749e55b39c2d686d2b2988069e686f78de4b954ec37405b2cd6726df16b615
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1536982
Start date and time:2024-10-18 13:31:02 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:na.elf
Detection:MAL
Classification:mal56.linELF@0/0@0/0
  • VT rate limit hit for: na.elf

Runtime Messages

Command:/tmp/na.elf
PID:5428
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

  • system is lnxubuntu20
  • na.elf (PID: 5428, Parent: 5350, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/na.elf
    • na.elf New Fork (PID: 5430, Parent: 5428)
      • na.elf New Fork (PID: 5432, Parent: 5430)
      • na.elf New Fork (PID: 5434, Parent: 5430)
    • na.elf New Fork (PID: 5438, Parent: 5428)
    • na.elf New Fork (PID: 5439, Parent: 5428)
  • cleanup

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
na.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x11058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1106c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1110c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1115c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

SourceRuleDescriptionAuthorStrings
5428.1.00007fdb48400000.00007fdb48414000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x11058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1106c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1110c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1115c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5432.1.00007fdb48400000.00007fdb48414000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x11058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1106c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1110c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1115c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5430.1.00007fdb48400000.00007fdb48414000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x11058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1106c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1110c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1115c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5438.1.00007fdb48400000.00007fdb48414000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x11058:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1106c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11080:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11094:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x110f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1110c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11120:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11134:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11148:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1115c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11170:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11184:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x11198:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x111e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5428Linux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x1edd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1ef1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f05:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f19:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f2d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f41:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f55:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f69:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f7d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1f91:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1fa5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1fb9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1fcd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1fe1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1ff5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2009:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x201d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2031:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2045:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2059:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x206d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Persistence and Installation Behavior
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: na.elfAvira: detected
Source: global trafficTCP traffic: 192.168.2.13:51028 -> 45.86.155.23:3778
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.86.155.23

System Summary

barindex
Source: na.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5428.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5432.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5430.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5438.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5428, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5430, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5432, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5438, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sampleString containing 'busybox' found: /bin/busybox
Source: Initial sampleString containing 'busybox' found: /proc/net/tcp.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc/proc/proc/%d/exe/proc/%s/statusrName:%s/bin/busybox/bin/systemd/usr/bintest/tmp/condi/tmp/zxcr9999/tmp/condinetwork/var/condibot/var/zxcr9999/var/CondiBot/var/condinet/bin/watchdog45.86.155.23
Source: ELF static info symbol of initial sample.symtab present: no
Source: na.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5428.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5432.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5430.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5438.1.00007fdb48400000.00007fdb48414000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5428, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5430, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5432, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5438, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engineClassification label: mal56.linELF@0/0@0/0
Source: /tmp/na.elf (PID: 5428)File opened: /proc/230/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/110/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/231/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/111/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/232/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/112/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/233/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/113/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/234/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/114/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/235/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/115/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/236/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/116/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/237/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/117/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/238/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/118/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/239/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/119/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/3631/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/914/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/10/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/917/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/11/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/12/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/13/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/14/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/15/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/16/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/17/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/18/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/19/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/240/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/3095/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/120/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/241/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/121/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/242/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/122/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/243/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/2/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/123/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/244/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/3/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/124/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/245/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1588/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/125/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/4/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/246/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/126/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/5/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/247/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/127/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/6/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/248/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/128/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/7/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/249/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/129/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/8/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/800/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/5269/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/9/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1906/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/802/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/803/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/20/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/21/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/22/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/23/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/24/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/25/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/26/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/27/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/28/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/29/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/3420/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1482/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/490/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1480/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/250/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/371/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/130/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/251/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/131/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/252/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/132/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/253/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/254/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1238/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/134/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/255/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/256/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/257/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/378/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/3413/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/258/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/259/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/1475/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/936/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/30/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)File opened: /proc/816/statusJump to behavior
Source: /tmp/na.elf (PID: 5428)Queries kernel information via 'uname': Jump to behavior
Source: na.elf, 5428.1.00007fff303ee000.00007fff3040f000.rw-.sdmp, na.elf, 5430.1.00007fff303ee000.00007fff3040f000.rw-.sdmp, na.elf, 5432.1.00007fff303ee000.00007fff3040f000.rw-.sdmp, na.elf, 5438.1.00007fff303ee000.00007fff3040f000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
Source: na.elf, 5428.1.00005619ed6b6000.00005619ed740000.rw-.sdmp, na.elf, 5430.1.00005619ed6b6000.00005619ed719000.rw-.sdmp, na.elf, 5432.1.00005619ed6b6000.00005619ed719000.rw-.sdmp, na.elf, 5438.1.00005619ed6b6000.00005619ed740000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
Source: na.elf, 5428.1.00007fff303ee000.00007fff3040f000.rw-.sdmp, na.elf, 5430.1.00007fff303ee000.00007fff3040f000.rw-.sdmp, na.elf, 5432.1.00007fff303ee000.00007fff3040f000.rw-.sdmp, na.elf, 5438.1.00007fff303ee000.00007fff3040f000.rw-.sdmpBinary or memory string: lx86_64/usr/bin/qemu-sh4/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
Source: na.elf, 5428.1.00005619ed6b6000.00005619ed740000.rw-.sdmp, na.elf, 5430.1.00005619ed6b6000.00005619ed719000.rw-.sdmp, na.elf, 5432.1.00005619ed6b6000.00005619ed719000.rw-.sdmp, na.elf, 5438.1.00005619ed6b6000.00005619ed740000.rw-.sdmpBinary or memory string: V5!/etc/qemu-binfmt/sh4

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume Access1
OS Credential Dumping		11
Security Software Discovery		Remote ServicesData from Local System1
Non-Standard Port		Exfiltration Over Other Network MediumAbuse Accessibility Features

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1536982 Sample: na.elf Startdate: 18/10/2024 Architecture: LINUX Score: 56 20 45.86.155.23, 3778, 51028, 51030 EVERYONE-BANDWIDTH-INCDE Germany 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Antivirus / Scanner detection for submitted sample 2->24 8 na.elf 2->8         started        signatures3 process4 process5 10 na.elf 8->10         started        12 na.elf 8->12         started        14 na.elf 8->14         started        process6 16 na.elf 10->16         started        18 na.elf 10->18         started       

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
na.elf100%AviraLINUX/Mirai.bonb

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

No contacted domains info

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
45.86.155.23
unknownGermany
202322EVERYONE-BANDWIDTH-INCDEfalse

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
45.86.155.23na.elfGet hashmaliciousUnknownBrowse
    na.elfGet hashmaliciousMiraiBrowse
      na.elfGet hashmaliciousUnknownBrowse
        na.elfGet hashmaliciousUnknownBrowse

          Domains

          No context

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          EVERYONE-BANDWIDTH-INCDEna.elfGet hashmaliciousUnknownBrowse
          • 45.86.155.23
          na.elfGet hashmaliciousMiraiBrowse
          • 45.86.155.23
          na.elfGet hashmaliciousUnknownBrowse
          • 45.86.155.23
          na.elfGet hashmaliciousUnknownBrowse
          • 45.86.155.23
          http://qgasyntax.com/2753402WB7192675vw697764118Il17367cC38SJr190893GZGet hashmaliciousPhisherBrowse
          • 45.13.225.215
          K5P6Oe31Kq.elfGet hashmaliciousMiraiBrowse
          • 45.133.73.210

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
          Entropy (8bit):6.603097236379764
          TrID:
          • ELF Executable and Linkable format (generic) (4004/1) 100.00%
          File name:na.elf
          File size:82'652 bytes
          MD5:e34fc9c8ebd7b51c24cf7c82a65e071b
          SHA1:341fe5ae36c096c333ad2a43295abbae8b78b321
          SHA256:0c749e55b39c2d686d2b2988069e686f78de4b954ec37405b2cd6726df16b615
          SHA512:c32c1d214f814622b49a381bccbad95ecfd9a12009a68fbd9adbb34cb7c32aff8be5a6ce76b0e9e39d89d485163013782ef65e44f48f6943c2ebf4fa718fb35a
          SSDEEP:1536:DWRU/uih+nyazXUcMnYVohwH5wX6SNmTdEyRPr:DR/F+nyazXenY66L5dRD
          TLSH:5F839E61F0142CE5C9660674F0F8ED35471369F123A52CB26EEEE9A188F368DF44AF94
          File Content Preview:.ELF..............*.......@.4...LA......4. ...(...............@...@.L4..L4...............@...@B..@B.0...............Q.td..............................././"O.n......#.*@........#.*@L...&O.n.l..................................././.../.a"O.!...n...a.b("...q.

          Static ELF Info

          ELF header

          Class:ELF32
          Data:2's complement, little endian
          Version:1 (current)
          Machine:<unknown>
          Version Number:0x1
          Type:EXEC (Executable file)
          OS/ABI:UNIX - System V
          ABI Version:0
          Entry Point Address:0x4001a0
          Flags:0xc
          ELF Header Size:52
          Program Header Offset:52
          Program Header Size:32
          Number of Program Headers:3
          Section Header Offset:82252
          Section Header Size:40
          Number of Section Headers:10
          Header String Table Index:9

          Sections

          NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
          NULL0x00x00x00x00x0000
          .initPROGBITS0x4000940x940x2e0x00x6AX004
          .textPROGBITS0x4000e00xe00x10e600x00x6AX0032
          .finiPROGBITS0x410f400x10f400x220x00x6AX004
          .rodataPROGBITS0x410f640x10f640x24e80x00x2A004
          .ctorsPROGBITS0x4240dc0x140dc0x80x00x3WA004
          .dtorsPROGBITS0x4240e40x140e40x80x00x3WA004
          .dataPROGBITS0x4240f00x140f00x1c0x00x3WA004
          .bssNOBITS0x42410c0x1410c0xaec0x00x3WA004
          .shstrtabSTRTAB0x00x1410c0x3e0x00x0001

          Program Segments

          TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
          LOAD0x00x4000000x4000000x1344c0x1344c6.77530x5R E0x10000.init .text .fini .rodata
          LOAD0x140dc0x4240dc0x4240dc0x300xb1c2.47110x6RW 0x10000.ctors .dtors .data .bss
          GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

          Network Behavior

          Download Network PCAP: filteredfull

          TimestampSource PortDest PortSource IPDest IP
          Oct 18, 2024 13:31:45.153894901 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:45.160018921 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:31:45.160085917 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:45.191576958 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:45.197962046 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:31:45.198005915 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:45.203680038 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:31:50.797076941 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:50.802020073 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:31:50.802084923 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:50.836519003 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:50.841604948 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:31:50.841655970 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:50.847358942 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:31:55.193785906 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:31:55.198903084 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:31:55.466681957 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:31:55.466885090 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:32:00.847084045 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:32:00.853647947 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:32:01.088334084 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:32:01.088531017 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:32:55.527903080 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:32:55.533442974 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:32:55.769865990 CEST37785102845.86.155.23192.168.2.13
          Oct 18, 2024 13:32:55.770065069 CEST510283778192.168.2.1345.86.155.23
          Oct 18, 2024 13:33:01.148926973 CEST510303778192.168.2.1345.86.155.23
          Oct 18, 2024 13:33:01.153784990 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:33:01.389496088 CEST37785103045.86.155.23192.168.2.13
          Oct 18, 2024 13:33:01.389653921 CEST510303778192.168.2.1345.86.155.23

          System Behavior

          General

          Start time (UTC):11:31:43
          Start date (UTC):18/10/2024
          Path:/tmp/na.elf
          Arguments:/tmp/na.elf
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

          File Activities

          Process Activities

          System Activities

          Network Activities


          General

          Start time (UTC):11:31:44
          Start date (UTC):18/10/2024
          Path:/tmp/na.elf
          Arguments:-
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

          Process Activities


          General

          Start time (UTC):11:31:44
          Start date (UTC):18/10/2024
          Path:/tmp/na.elf
          Arguments:-
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

          File Activities

          Process Activities


          General

          Start time (UTC):11:31:44
          Start date (UTC):18/10/2024
          Path:/tmp/na.elf
          Arguments:-
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

          Process Activities

          Network Activities


          General

          Start time (UTC):11:31:49
          Start date (UTC):18/10/2024
          Path:/tmp/na.elf
          Arguments:-
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

          File Activities

          Process Activities


          General

          Start time (UTC):11:31:49
          Start date (UTC):18/10/2024
          Path:/tmp/na.elf
          Arguments:-
          File size:4139976 bytes
          MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

          Process Activities

          Network Activities