Linux Analysis Report
na.elf

Overview

General Information

Sample name: na.elf
Analysis ID: 1536984
MD5: 12abe9d0cd482540f7f3962132569ba0
SHA1: 28b58e5f0951f6fd79e9b7cd952eb90b49bad5b9
SHA256: 15aaa0165ccc891bee856bdd4bebbe365cdad9aefad42907beb031de41641bfa
Tags: elf, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1536984
Start date and time: 2024-10-18 13:31:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: na.elf
Detection: MAL
Classification: mal60.evad.linELF@0/0@0/0
  • VT rate limit hit for: na.elf
Command: /tmp/na.elf
PID: 5550
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error: (none)
  • system is lnxubuntu20
  • na.elf (PID: 5550, Parent: 5468, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/na.elf
    • na.elf New Fork (PID: 5552, Parent: 5550)
      • na.elf New Fork (PID: 5554, Parent: 5552)
      • na.elf New Fork (PID: 5556, Parent: 5552)
    • na.elf New Fork (PID: 5564, Parent: 5550)
    • na.elf New Fork (PID: 5565, Parent: 5550)
  • cleanup
Source | Rule | Description | Author | Strings
5550.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5564.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5554.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5552.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: na.elf PID: 5550 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x660:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x674:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x688:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x69c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x6b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x6c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x6d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x6ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x700:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x714:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x728:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x73c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
No Suricata rule has matched

AV Detection

Source: na.elf | Avira: detected
Source: global traffic | TCP traffic: 192.168.2.15:58160 -> 45.86.155.23:3778
Source: unknown | TCP traffic detected without corresponding DNS query: 45.86.155.23 (this entry is listed 50 times in the report)
Source: na.elf | String found in binary or memory: http://upx.sf.net

System Summary

Source: 5550.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5564.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5554.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5552.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5550, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5552, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5554, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: na.elf PID: 5564, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: LOAD without section mappings | Program segment: 0x100000
Source: 5550.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5564.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5554.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5552.1.00007f5f40400000.00007f5f4042a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5550, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5552, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5554, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: na.elf PID: 5564, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/na.elf (PID: 5550) | File opened: /proc/<pid>/status (105 entries; the report lists them one per line, with <pid> in this order: 5385, 110, 231, 111, 112, 233, 113, 114, 235, 115, 1333, 116, 1695, 117, 118, 119, 911, 914, 10, 917, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1591, 120, 121, 1, 122, 243, 2, 123, 3, 124, 1588, 125, 4, 246, 126, 5, 127, 6, 1585, 128, 7, 129, 8, 800, 9, 802, 803, 804, 3887, 20, 21, 3407, 22, 23, 24, 25, 26, 27, 28, 29, 1484, 490, 250, 130, 251, 131, 132, 133, 1479, 378, 258, 259, 931, 1595, 812, 933, 30, 3419, 35, 3310, 260, 261, 262, 142, 263, 264, 265, 145, 266, 267, 268, 3303, 269, 1486, 1806, 3440)
Source: na.elf | Submission file: segment LOAD with 7.9463 entropy (max. 8.0)
Source: /tmp/na.elf (PID: 5550) | Queries kernel information via 'uname'
Source: na.elf, 5550.1.00005592dee9b000.00005592def43000.rw-.sdmp, na.elf, 5552.1.00005592dee9b000.00005592def43000.rw-.sdmp, na.elf, 5554.1.00005592dee9b000.00005592def43000.rw-.sdmp, na.elf, 5564.1.00005592dee9b000.00005592def43000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: na.elf, 5550.1.00005592dee9b000.00005592def43000.rw-.sdmp, na.elf, 5552.1.00005592dee9b000.00005592def43000.rw-.sdmp, na.elf, 5554.1.00005592dee9b000.00005592def43000.rw-.sdmp, na.elf, 5564.1.00005592dee9b000.00005592def43000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: na.elf, 5550.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp, na.elf, 5552.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp, na.elf, 5554.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp, na.elf, 5564.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Source: na.elf, 5550.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp, na.elf, 5552.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp, na.elf, 5554.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp, na.elf, 5564.1.00007ffe6500d000.00007ffe6502e000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/na.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/na.elf
ATT&CK matrix (one cell per tactic; techniques that matched at least one signature carry the count shown in the report, the other cells are the matrix's default placeholders with no match)

Tactic                  Technique                                Matched signatures (as shown)
Reconnaissance          Gather Victim Identity Information       -
Resource Development    Acquire Infrastructure                   -
Initial Access          Valid Accounts                           -
Execution               Windows Management Instrumentation       -
Persistence             Path Interception                        -
Privilege Escalation    Path Interception                        -
Defense Evasion         Obfuscated Files or Information          11
Credential Access       OS Credential Dumping                    1
Discovery               Security Software Discovery              11
Lateral Movement        Remote Services                          -
Collection              Data from Local System                   -
Command and Control     Non-Standard Port                        1
Exfiltration            Exfiltration Over Other Network Medium   -
Impact                  Abuse Accessibility Features             -
No configs have been found
Behavior Graph (ID 1536984, sample na.elf, start date 18/10/2024, architecture LINUX, score 60)
  • Network node: 45.86.155.23 (EVERYONE-BANDWIDTH-INCDE, Germany), destination port 3778, contacted from sandbox source ports 58160 and 58162
  • Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Sample is packed with UPX
  • Process tree: na.elf started, then started three further na.elf processes; the first of those started two more na.elf processes
Antivirus detection for the submitted sample
Source   Detection   Scanner   Label
na.elf   100%        Avira     EXP/ELF.Agent.M.28

No Antivirus matches for dropped or unpacked files.

URL detection
Source              Detection   Scanner          Label
http://upx.sf.net   0%          URL Reputation   safe
No contacted domains info
Name                Source   Malicious   Antivirus Detection   Reputation
http://upx.sf.net   na.elf   true        -                     URL Reputation: safe
Note: http://upx.sf.net is the project URL embedded in every UPX stub, so its presence is a packer artefact rather than evidence of network activity; the report records no DNS lookups or connections to it.
IP             Domain    Country   ASN      ASN Name                   Malicious
45.86.155.23   unknown   Germany   202322   EVERYONE-BANDWIDTH-INCDE   false
Other Joe Sandbox submissions that contacted 45.86.155.23:
Match          Associated Sample Name / URL   Detection   Threat Name
45.86.155.23   na.elf                         malicious   Unknown
               na.elf                         malicious   Unknown
               na.elf                         malicious   Mirai
               na.elf                         malicious   Unknown
               na.elf                         malicious   Unknown
Other Joe Sandbox submissions that contacted ASN EVERYONE-BANDWIDTH-INCDE:
Associated Sample Name / URL                                              Detection   Threat Name   IP
na.elf                                                                    malicious   Unknown       45.86.155.23
na.elf                                                                    malicious   Unknown       45.86.155.23
na.elf                                                                    malicious   Mirai         45.86.155.23
na.elf                                                                    malicious   Unknown       45.86.155.23
na.elf                                                                    malicious   Unknown       45.86.155.23
http://qgasyntax.com/2753402WB7192675vw697764118Il17367cC38SJr190893GZ   malicious   Phisher       45.13.225.215
K5P6Oe31Kq.elf                                                            malicious   Mirai         45.133.73.210
            No created / dropped files found
            File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
            Entropy (8bit):7.943721799481312
            TrID:
            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
            File name:na.elf
            File size:44'352 bytes
            MD5:12abe9d0cd482540f7f3962132569ba0
            SHA1:28b58e5f0951f6fd79e9b7cd952eb90b49bad5b9
            SHA256:15aaa0165ccc891bee856bdd4bebbe365cdad9aefad42907beb031de41641bfa
            SHA512:d08a545bd94044a8c27c96b7cf38c6c16667cc67ed76b5b2d16aebea6839f1a20a978e8444cc7eaf3412b0fa07921e12b7a78ef7d60e89e581dce020c079c75d
            SSDEEP:768:4QdzLFMbXkqyyxwmGFm3qsSPhkj96MiKrecs6cDtyO5XnQDiV+Wq:nPmwqBOc31LNrecs6KtPXQDiVu
            TLSH:B713E14E96E2EE55CCDF943A70CD13624E92B1C264271FDCA3589C8CA855CCABCCD4B5
            File Content Preview:.ELF........................4...........4. ...(...............................................C...C.....................UPX!d...................V..........?.E.h;....#......b.L#>g7.9f......1....F.....f.u.(L.X.Ak..8......~.Dl0..Wl../... ..il...&..........p?

            ELF header

            Class:ELF32
            Data:2's complement, little endian
            Version:1 (current)
            Machine:MIPS R3000
            Version Number:0x1
            Type:EXEC (Executable file)
            OS/ABI:UNIX - System V
            ABI Version:0
            Entry Point Address:0x1098d8
            Flags:0x1007
            ELF Header Size:52
            Program Header Offset:52
            Program Header Size:32
            Number of Program Headers:2
            Section Header Offset:0
            Section Header Size:40
            Number of Section Headers:0
            Header String Table Index:0
Program headers (no program interpreter and no section mappings for either segment)
Type   Offset   Virtual Address   Physical Address   File Size   Memory Size   Entropy   Flags   Flags Description   Align
LOAD   0x0      0x100000          0x100000           0xac15      0xac15        7.9463    0x5     R E                 0x10000
LOAD   0xaffc   0x43affc          0x43affc           0x0         0x0           0.0000    0x6     RW                  0x10000
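The static signatures in this report (a single R E LOAD segment with 7.9463 bits/byte entropy, no section header table, the "UPX!" marker visible in the file content preview) all fall out of the ELF header and the two program headers listed above. The following parser is an added example, not code from the Joe Sandbox report, that reproduces those checks. Because the sample is not embedded here, it builds a constructed ELF32 MIPS image in memory that mirrors the header values from this page (entry 0x1098d8, flags 0x1007, two LOAD headers, no section headers) with a deterministic pseudo-random body standing in for the real packed code; the 7.5 bits/byte threshold is an assumption, not a value from the report.

```python
import hashlib
import math
import struct

EM_MIPS = 8                 # e_machine for MIPS (readelf prints "MIPS R3000")
PT_LOAD = 1
EH_FMT = "<HHIIIIIHHHHHH"   # ELF32 header fields after the 16-byte e_ident (36 bytes)
PH_FMT = "<IIIIIIII"        # ELF32 program header (32 bytes)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0, the statistic the report labels 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_elf32(blob: bytes) -> dict:
    """Parse an ELF32 little-endian header plus its program headers; section headers are not needed."""
    if blob[:4] != b"\x7fELF" or blob[4] != 1 or blob[5] != 1:
        raise ValueError("not an ELF32 little-endian file")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, e_flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(EH_FMT, blob, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align = \
            struct.unpack_from(PH_FMT, blob, e_phoff + i * e_phentsize)
        perms = ("R" if p_flags & 4 else " ") + ("W" if p_flags & 2 else " ") + ("E" if p_flags & 1 else " ")
        segments.append({
            "type": p_type, "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz,
            "memsz": p_memsz, "flags": p_flags, "perms": perms.rstrip(), "align": p_align,
            # entropy of the bytes actually backed by the file, as in the report's segment table
            "entropy": round(shannon_entropy(blob[p_off:p_off + p_filesz]), 4),
        })
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "flags": e_flags,
            "phoff": e_phoff, "phnum": e_phnum, "shoff": e_shoff, "shnum": e_shnum,
            "segments": segments}


def triage(blob: bytes, entropy_threshold: float = 7.5) -> dict:
    """The static checks behind the report's signatures. The 7.5 bits/byte threshold is an assumption."""
    info = parse_elf32(blob)
    return {
        "upx_marker": b"UPX!" in blob,                                  # packer stub magic
        "no_section_headers": info["shnum"] == 0 and info["shoff"] == 0,
        "machine_is_mips": info["machine"] == EM_MIPS,
        "high_entropy_load_segments": [i for i, s in enumerate(info["segments"])
                                       if s["type"] == PT_LOAD and s["entropy"] >= entropy_threshold],
    }


def build_sample() -> bytes:
    """Constructed ELF32 MIPS image mirroring the report's header values (entry 0x1098d8, flags 0x1007,
    two LOAD headers, shnum 0). The body is deterministic pseudo-random data standing in for packed code."""
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4096 bytes
    body = body[:60] + b"UPX!" + body[64:]          # stub marker, as seen in the file content preview
    hdr_len = 16 + struct.calcsize(EH_FMT) + 2 * struct.calcsize(PH_FMT)      # 52 + 2*32 = 116
    filesz = hdr_len + len(body)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7  # ELF32, LSB, version 1, SysV ABI
    ehdr = struct.pack(EH_FMT, 2, EM_MIPS, 1, 0x1098D8, 52, 0, 0x1007, 52, 32, 2, 40, 0, 0)
    text = struct.pack(PH_FMT, PT_LOAD, 0, 0x100000, 0x100000, filesz, filesz, 5, 0x10000)
    bss = struct.pack(PH_FMT, PT_LOAD, filesz, 0x43AFFC, 0x43AFFC, 0, 0x1000, 6, 0x10000)
    return ident + ehdr + text + bss + body


if __name__ == "__main__":
    sample = build_sample()
    for seg in parse_elf32(sample)["segments"]:
        print(f"LOAD off=0x{seg['offset']:x} filesz=0x{seg['filesz']:x} {seg['perms']:3} entropy={seg['entropy']}")
    print(triage(sample))
```

Pointing parse_elf32 at the real file instead of build_sample() would return the same field values shown in the header table above; the entropy of the first segment is what drives both the "high entropy" and, together with the "UPX!" marker and the absent section table, the "packed with UPX" signatures.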
Network connections (all TCP traffic is between the sandbox host 192.168.2.15 and 45.86.155.23 on destination port 3778)
Timestamp                              Source Port   Dest Port   Source IP       Dest IP
Oct 18, 2024 13:32:07.238086939 CEST   58160         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:07.243160963 CEST   3778          58160       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:07.243217945 CEST   58160         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:07.247957945 CEST   58160         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:07.252998114 CEST   3778          58160       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:07.253042936 CEST   58160         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:07.258728981 CEST   3778          58160       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.070635080 CEST   3778          58160       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.070748091 CEST   58160         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.070974112 CEST   58160         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.071537018 CEST   58162         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.078135967 CEST   3778          58162       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.078201056 CEST   58162         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.078958988 CEST   58162         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.085457087 CEST   3778          58162       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.085612059 CEST   58162         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.093421936 CEST   3778          58162       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.913906097 CEST   3778          58162       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.914047956 CEST   58162         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.914047956 CEST   58162         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.914657116 CEST   58164         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.920948029 CEST   3778          58164       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.921036959 CEST   58164         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.922108889 CEST   58164         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.928401947 CEST   3778          58164       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:08.928456068 CEST   58164         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:08.934925079 CEST   3778          58164       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:09.754682064 CEST   3778          58164       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:09.754796028 CEST   58164         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:09.754955053 CEST   58164         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:09.755475044 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:09.760303020 CEST   3778          58166       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:09.760359049 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:09.761097908 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:09.765989065 CEST   3778          58166       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:09.766036987 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:09.976754904 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.024486065 CEST   3778          58166       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:10.024501085 CEST   3778          58166       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:10.614032030 CEST   3778          58166       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:10.614156008 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.614206076 CEST   58166         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.614701986 CEST   58168         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.619592905 CEST   3778          58168       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:10.619673014 CEST   58168         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.620755911 CEST   58168         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.625683069 CEST   3778          58168       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:10.625731945 CEST   58168         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:10.630661964 CEST   3778          58168       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:11.465385914 CEST   3778          58168       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:11.465570927 CEST   58168         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:11.465617895 CEST   58168         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:11.466109037 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:11.471050024 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:11.471098900 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:11.471805096 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:11.476726055 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:11.476773977 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:11.481617928 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:12.904635906 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:12.909497976 CEST   3778          58172       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:12.909568071 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:12.935121059 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:12.939958096 CEST   3778          58172       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:12.940010071 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:12.944917917 CEST   3778          58172       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:14.329293966 CEST   3778          58172       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:14.329454899 CEST   3778          58172       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:14.329515934 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.329515934 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.330003023 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.330569029 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.331330061 CEST   3778          58172       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:14.331404924 CEST   58172         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.335520029 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:14.335597992 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.336425066 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.341397047 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:14.341461897 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:14.346242905 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:21.481822014 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:21.486780882 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:21.731268883 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:21.731420994 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:24.344655991 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:32:24.350637913 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:24.588923931 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:32:24.589050055 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:33:21.790416002 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:33:21.800581932 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:33:22.044923067 CEST   3778          58170       45.86.155.23    192.168.2.15
Oct 18, 2024 13:33:22.045039892 CEST   58170         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:33:24.636591911 CEST   58174         3778        192.168.2.15    45.86.155.23
Oct 18, 2024 13:33:24.643044949 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:33:24.881617069 CEST   3778          58174       45.86.155.23    192.168.2.15
Oct 18, 2024 13:33:24.881724119 CEST   58174         3778        192.168.2.15    45.86.155.23
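Read as flows rather than packets, the table above shows a series of short connections from sandbox ports 58160 through 58168 that the server side closes after roughly 0.8 s, followed by two connections (58170 and 58174) that stay up and exchange a packet or two every 60 s; that is the pattern behind the "Detected TCP or UDP traffic on non-standard ports" signature. The flow summariser below is an added example, not part of the Joe Sandbox report. It parses a subset of the rows above (copied verbatim), pairs packets into client-to-server flows by the sandbox's ephemeral port, and flags long-lived flows to a non-standard port whose longest silence is about a minute. The set of "well-known" ports and the 55 s gap threshold are assumptions chosen for this illustration, not values from the report.

```python
# Rows copied verbatim from the report's network table (a subset covering three of the flows).
REPORT_ROWS = """\
Oct 18, 2024 13:32:07.238086939 CEST 58160 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:07.243160963 CEST 3778 58160 45.86.155.23 192.168.2.15
Oct 18, 2024 13:32:08.070635080 CEST 3778 58160 45.86.155.23 192.168.2.15
Oct 18, 2024 13:32:08.070974112 CEST 58160 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:11.466109037 CEST 58170 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:11.471050024 CEST 3778 58170 45.86.155.23 192.168.2.15
Oct 18, 2024 13:32:11.481617928 CEST 3778 58170 45.86.155.23 192.168.2.15
Oct 18, 2024 13:32:14.330569029 CEST 58174 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:14.335520029 CEST 3778 58174 45.86.155.23 192.168.2.15
Oct 18, 2024 13:32:21.481822014 CEST 58170 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:21.486780882 CEST 3778 58170 45.86.155.23 192.168.2.15
Oct 18, 2024 13:32:21.731420994 CEST 58170 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:24.344655991 CEST 58174 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:32:24.350637913 CEST 3778 58174 45.86.155.23 192.168.2.15
Oct 18, 2024 13:33:21.790416002 CEST 58170 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:33:22.045039892 CEST 58170 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:33:24.636591911 CEST 58174 3778 192.168.2.15 45.86.155.23
Oct 18, 2024 13:33:24.643044949 CEST 3778 58174 45.86.155.23 192.168.2.15
"""

SANDBOX_IP = "192.168.2.15"
# Assumption for this example: ports an embedded device would legitimately talk to; 3778 is not one.
WELL_KNOWN_PORTS = {22, 53, 80, 123, 443, 853, 8080, 8443}


def _seconds(hms: str) -> float:
    """'13:32:07.238086939' -> seconds since midnight (all rows fall on one day, so this suffices)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_rows(text: str) -> list:
    """Each row becomes (time, source port, dest port, source IP, dest IP)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue
        rows.append((_seconds(f[3]), int(f[5]), int(f[6]), f[7], f[8]))
    return rows


def summarize_flows(rows: list, client_ip: str = SANDBOX_IP) -> list:
    """Group packets into (client port, server IP, server port) flows with timing and packet counts."""
    flows = {}
    for t, sport, dport, src, dst in sorted(rows):
        if src == client_ip:
            key, direction = (sport, dst, dport), "out"
        else:
            key, direction = (dport, src, sport), "in"
        fl = flows.setdefault(key, {"client_port": key[0], "server": key[1], "server_port": key[2],
                                    "first": t, "last": t, "out": 0, "in": 0, "max_gap": 0.0})
        fl["max_gap"] = max(fl["max_gap"], t - fl["last"])   # longest silence inside the flow
        fl["last"] = t
        fl[direction] += 1
    for fl in flows.values():
        fl["duration"] = fl["last"] - fl["first"]
    return list(flows.values())


def flag_c2_like(flows: list, min_gap: float = 55.0) -> list:
    """Client ports of long-lived flows to a non-standard port with a roughly one-minute keepalive gap."""
    return sorted(fl["client_port"] for fl in flows
                  if fl["server_port"] not in WELL_KNOWN_PORTS
                  and fl["max_gap"] >= min_gap and fl["out"] >= 3)


if __name__ == "__main__":
    flows = summarize_flows(parse_rows(REPORT_ROWS))
    for fl in sorted(flows, key=lambda f: f["client_port"]):
        print(f"{fl['client_port']} -> {fl['server']}:{fl['server_port']} dur={fl['duration']:.1f}s "
              f"out={fl['out']} in={fl['in']} max_gap={fl['max_gap']:.1f}s")
    print("C2-like flows:", flag_c2_like(flows))
```

On the full table the same logic separates the five short-lived attempts (58160 to 58168) from the two persistent sessions, which is the distinction a network detection should make: a single connection to an odd port is weak evidence, a connection that is kept alive with a fixed cadence to an IP with no DNS name is much stronger.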

System Behavior

Note: the file size (5773336 bytes) and MD5 (0d6f61f82cf2f781c6eb0661071d42d9) recorded for each /tmp/na.elf process below do not match the submitted sample (44'352 bytes, MD5 12abe9d0cd482540f7f3962132569ba0). Together with the /usr/bin/qemu-mipsel and /etc/qemu-binfmt/mipsel strings found in process memory, this is consistent with the MIPS sample being run through the qemu-mipsel user-mode emulator via binfmt_misc on the x64 analysis host, so the per-process hash and size describe the emulator binary, not the sample.

            Start time (UTC):11:32:05
            Start date (UTC):18/10/2024
            Path:/tmp/na.elf
            Arguments:/tmp/na.elf
            File size:5773336 bytes
            MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

            Start time (UTC):11:32:06
            Start date (UTC):18/10/2024
            Path:/tmp/na.elf
            Arguments:-
            File size:5773336 bytes
            MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

            Start time (UTC):11:32:06
            Start date (UTC):18/10/2024
            Path:/tmp/na.elf
            Arguments:-
            File size:5773336 bytes
            MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

            Start time (UTC):11:32:06
            Start date (UTC):18/10/2024
            Path:/tmp/na.elf
            Arguments:-
            File size:5773336 bytes
            MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

            Start time (UTC):11:32:11
            Start date (UTC):18/10/2024
            Path:/tmp/na.elf
            Arguments:-
            File size:5773336 bytes
            MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

            Start time (UTC):11:32:11
            Start date (UTC):18/10/2024
            Path:/tmp/na.elf
            Arguments:-
            File size:5773336 bytes
            MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9