
Linux Analysis Report
dwhdbg.elf

Overview

General Information

Sample name: dwhdbg.elf
Analysis ID: 1544620
MD5: a7eec647038e9a100134b683d0f0d31d
SHA1: 85baa63d9fc7e335b9fd57af2bd91f4f1c7b5337
SHA256: 44d54f43424eef8e490a5069d0b39307335762ffe1907714c0338c1a1e7ff7c6
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai, Okiru
Score: 96
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Yara detected Okiru
Machine Learning detection for sample
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544620
Start date and time: 2024-10-29 16:35:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: dwhdbg.elf
Detection: MAL
Classification: mal96.troj.evad.linELF@0/0@8/0
  • VT rate limit hit for: dwhdbg.elf
Command: /tmp/dwhdbg.elf
PID: 5430
Exit Code:
Exit Code Info:
Killed: True
Standard Output:
about to cum inside a femboy btw
Standard Error:
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
cant remove reboot function.
: No such file or directory
  • system is lnxubuntu20
  • dwhdbg.elf (PID: 5430, Parent: 5355, MD5: a7eec647038e9a100134b683d0f0d31d) Arguments: /tmp/dwhdbg.elf
  • cleanup
Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source: dwhdbg.elf | Rule: JoeSecurity_Gafgyt | Description: Yara detected Gafgyt | Author: Joe Security
Source: dwhdbg.elf | Rule: JoeSecurity_Okiru | Description: Yara detected Okiru | Author: Joe Security
Source: dwhdbg.elf | Rule: JoeSecurity_Mirai_8 | Description: Yara detected Mirai | Author: Joe Security
Source: dwhdbg.elf | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
  Strings:
  • 0x192c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x192d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x192e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x192fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19310:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19324:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19338:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1934c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19360:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19374:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19388:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1939c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1943c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Source: dwhdbg.elf | Rule: Linux_Trojan_Gafgyt_9e9530a7 | Description: unknown | Author: unknown
  Strings:
  • 0xfbd8:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
12 further entries not shown.
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp | Rule: JoeSecurity_Gafgyt | Description: Yara detected Gafgyt | Author: Joe Security
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp | Rule: JoeSecurity_Okiru | Description: Yara detected Okiru | Author: Joe Security
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp | Rule: JoeSecurity_Mirai_8 | Description: Yara detected Mirai | Author: Joe Security
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
  Strings:
  • 0x192c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x192d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x192e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x192fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19310:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19324:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19338:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1934c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19360:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19374:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19388:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1939c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x193ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x1943c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x19450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp | Rule: Linux_Trojan_Gafgyt_9e9530a7 | Description: unknown | Author: unknown
  Strings:
  • 0xfbd8:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
15 further entries not shown.
No Suricata rule has matched



              AV Detection

Source: dwhdbg.elf | Avira: detected
Source: dwhdbg.elf | ReversingLabs: Detection: 50%
Source: dwhdbg.elf | Joe Sandbox ML: detected
Source: dwhdbg.elf | String: A/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/(kovey/locker) process with pid %d (%s) found and killed.
Source: global traffic | TCP traffic: 192.168.2.13:36318 -> 213.232.235.18:33966
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: raw.eye-network.ru
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com

              System Summary

Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_449937aa Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_520deeb8 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_449937aa Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_01e4a728 Author: unknown
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: Process Memory Space: dwhdbg.elf PID: 5430, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: A/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/(kovey/locker) process with pid %d (%s) found and killed.
Source: ELF static info symbol of initial sample | .symtab present: no
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_449937aa reference_sample = 6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = cf2c6b86830099f039b41aeaafbffedfb8294a1124c499e99a11f48a06cd1dfd, id = 449937aa-682a-4906-89ab-80d7127e461e, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: dwhdbg.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_449937aa reference_sample = 6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = cf2c6b86830099f039b41aeaafbffedfb8294a1124c499e99a11f48a06cd1dfd, id = 449937aa-682a-4906-89ab-80d7127e461e, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
Source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: Process Memory Space: dwhdbg.elf PID: 5430, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal96.troj.evad.linELF@0/0@8/0
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/230/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/110/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/231/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/111/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/232/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/112/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/233/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/113/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/234/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/114/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/235/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/115/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/236/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/116/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/237/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/117/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/238/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/118/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/239/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/119/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/914/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/10/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/917/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/11/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/5272/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/12/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/13/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/14/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/15/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/16/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/17/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/18/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/19/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/240/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/3095/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/120/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/241/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/121/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/242/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/1/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/122/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/243/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/2/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/123/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/244/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/3/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/124/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/245/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/1588/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/125/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/4/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/246/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/126/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/5/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/247/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/127/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/6/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/248/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/128/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/7/cmdline
Source: /tmp/dwhdbg.elf (PID: 5431) | File opened: /proc/249/cmdline
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/129/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/8/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/800/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/9/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/1906/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/802/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/803/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/20/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/21/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/22/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/23/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/24/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/25/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/26/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/27/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/28/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/29/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/3420/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/1482/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/490/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/1480/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/250/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/371/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/130/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/251/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/131/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/252/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/132/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/253/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/254/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/1238/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/134/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/255/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/256/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/257/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/378/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/3413/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/258/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/259/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/1475/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/936/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/30/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/816/cmdlineJump to behavior
              Source: /tmp/dwhdbg.elf (PID: 5431)File opened: /proc/35/cmdlineJump to behavior

              Hooking and other Techniques for Hiding and Protection

Source: /tmp/dwhdbg.elf (PID: 5430) | File: /tmp/dwhdbg.elf

              Stealing of Sensitive Information

Source: Yara match | File source: dwhdbg.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: dwhdbg.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dwhdbg.elf PID: 5430, type: MEMORYSTR
Source: Yara match | File source: dwhdbg.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dwhdbg.elf PID: 5430, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: dwhdbg.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: dwhdbg.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dwhdbg.elf PID: 5430, type: MEMORYSTR
Source: Yara match | File source: dwhdbg.elf, type: SAMPLE
Source: Yara match | File source: 5430.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dwhdbg.elf PID: 5430, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | Path Interception | 1 File Deletion | 1 OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              No configs have been found
Source | Detection | Scanner | Label
dwhdbg.elf | 50% | ReversingLabs | Linux.Backdoor.Mirai
dwhdbg.elf | 100% | Avira | EXP/ELF.Mirai.Z.A
dwhdbg.elf | 100% | Joe Sandbox ML | -
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.eye-network.ru | 213.232.235.18 | true | false | - | unknown
daisy.ubuntu.com | 162.213.35.25 | true | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
213.232.235.18 | raw.eye-network.ru | Russian Federation | 39824 | ALMANET-ASKZ | false
Match | Associated Sample Name / URL | Detection | Threat Name
213.232.235.18 | wriww68k.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | vqsjh4.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | wheiuwa4.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | jwwofba5.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | qkbfi86.elf | malicious | Mirai, Okiru
213.232.235.18 | qkehusl.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | vkjqpc.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | vqsjh4.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | jwwofba5.elf | malicious | Gafgyt, Mirai, Okiru
213.232.235.18 | qkehusl.elf | malicious | Gafgyt, Mirai, Okiru
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.eye-network.ru | qkehusl.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
raw.eye-network.ru | vkjqpc.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
raw.eye-network.ru | qkehusl.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
daisy.ubuntu.com | x86.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | arm5.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | ppc.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | mpsl.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | zmap.x86_64.elf | malicious | Okiru | 162.213.35.25
daisy.ubuntu.com | mpsl.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | debug.dbg.elf | malicious | Mirai, Okiru | 162.213.35.25
daisy.ubuntu.com | gmips.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | garm6.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | arm.elf | malicious | Unknown | 162.213.35.25
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ALMANET-ASKZ | wriww68k.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | vqsjh4.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | wheiuwa4.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | jwwofba5.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | qkbfi86.elf | malicious | Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | qkehusl.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | vkjqpc.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | vqsjh4.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | jwwofba5.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
ALMANET-ASKZ | qkehusl.elf | malicious | Gafgyt, Mirai, Okiru | 213.232.235.18
                                      No context
                                      No context
                                      No created / dropped files found
                                      File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                      Entropy (8bit):5.353607189613862
                                      TrID:
                                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                      File name:dwhdbg.elf
                                      File size:156'120 bytes
                                      MD5:a7eec647038e9a100134b683d0f0d31d
                                      SHA1:85baa63d9fc7e335b9fd57af2bd91f4f1c7b5337
                                      SHA256:44d54f43424eef8e490a5069d0b39307335762ffe1907714c0338c1a1e7ff7c6
                                      SHA512:550a48c5899a13314fcfe7f6b38e5ce8e184eefee88d06fc4db3c8f224f6888fc9bf6a79f646c49ef4e3418d57df64e1070b81e8fdfc10e604d32be5a652d28a
                                      SSDEEP:3072:qbhZsLegb9GlgYF+m5KGeLa1TWlpIdwRnX38DYpOgKsb8miAA2:qbhZsLegbslgYF+0qICuYphPA2
                                      TLSH:44E35B07B4D188FDC4DAC0744BAEA537DD71F0AD0238B26B27D0EE222E5EE315A5DA54
                                      File Content Preview:.ELF..............>.......@.....@.......X_..........@.8...@.......................@.......@.....`.......`.......................h.......h.Q.....h.Q.............................Q.td....................................................H...._....z...H........

                                      ELF header

                                      Class:ELF64
                                      Data:2's complement, little endian
                                      Version:1 (current)
                                      Machine:Advanced Micro Devices X86-64
                                      Version Number:0x1
                                      Type:EXEC (Executable file)
                                      OS/ABI:UNIX - System V
                                      ABI Version:0
                                      Entry Point Address:0x400194
                                      Flags:0x0
                                      ELF Header Size:64
                                      Program Header Offset:64
                                      Program Header Size:56
                                      Number of Program Headers:3
                                      Section Header Offset:155480
                                      Section Header Size:64
                                      Number of Section Headers:10
                                      Header String Table Index:9
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
- | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | - | 0 | 0 | 0
.init | PROGBITS | 0x4000e8 | 0xe8 | 0x13 | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x400100 | 0x100 | 0x18aa6 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x418ba6 | 0x18ba6 | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x418bc0 | 0x18bc0 | 0x44a0 | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x51d068 | 0x1d068 | 0x18 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dtors | PROGBITS | 0x51d080 | 0x1d080 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x51d0a0 | 0x1d0a0 | 0x8e78 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x525f20 | 0x25f18 | 0x7260 | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x25f18 | 0x3e | 0x0 | 0x0 | - | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x1d060 | 0x1d060 | 6.3900 | 0x5 | R E | 0x100000 | - | .init .text .fini .rodata
LOAD | 0x1d068 | 0x51d068 | 0x51d068 | 0x8eb0 | 0x10118 | 0.2564 | 0x6 | RW | 0x100000 | - | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | - | -
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 16:36:07.569570065 CET | 36318 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:07.575088024 CET | 33966 | 36318 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:07.575139999 CET | 36318 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:07.577018976 CET | 36318 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:07.582355022 CET | 33966 | 36318 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:07.582401037 CET | 36318 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:07.588042021 CET | 33966 | 36318 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:08.496953011 CET | 33966 | 36318 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:08.497030020 CET | 36318 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:08.497071028 CET | 36318 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:08.531332016 CET | 36320 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:08.536861897 CET | 33966 | 36320 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:08.536917925 CET | 36320 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:08.538866043 CET | 36320 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:08.544234037 CET | 33966 | 36320 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:08.544351101 CET | 36320 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:08.549859047 CET | 33966 | 36320 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:09.453860044 CET | 33966 | 36320 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:09.453949928 CET | 36320 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:09.454016924 CET | 36320 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:09.475337029 CET | 36322 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:09.482384920 CET | 33966 | 36322 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:09.482522964 CET | 36322 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:09.484976053 CET | 36322 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:09.490431070 CET | 33966 | 36322 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:09.498519897 CET | 36322 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:09.504673004 CET | 33966 | 36322 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:52.446584940 CET | 36322 | 33966 | 192.168.2.13 | 213.232.235.18
Oct 29, 2024 16:36:52.453892946 CET | 33966 | 36322 | 213.232.235.18 | 192.168.2.13
Oct 29, 2024 16:36:52.453969002 CET | 36322 | 33966 | 192.168.2.13 | 213.232.235.18
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 16:36:07.547148943 CET | 42501 | 53 | 192.168.2.13 | 8.8.8.8
Oct 29, 2024 16:36:07.558329105 CET | 53 | 42501 | 8.8.8.8 | 192.168.2.13
Oct 29, 2024 16:36:07.560251951 CET | 47528 | 53 | 192.168.2.13 | 8.8.8.8
Oct 29, 2024 16:36:07.568670034 CET | 53 | 47528 | 8.8.8.8 | 192.168.2.13
Oct 29, 2024 16:36:08.499011993 CET | 38302 | 53 | 192.168.2.13 | 8.8.8.8
Oct 29, 2024 16:36:08.520603895 CET | 53 | 38302 | 8.8.8.8 | 192.168.2.13
Oct 29, 2024 16:36:08.522830009 CET | 41128 | 53 | 192.168.2.13 | 8.8.8.8
Oct 29, 2024 16:36:08.530395985 CET | 53 | 41128 | 8.8.8.8 | 192.168.2.13
Oct 29, 2024 16:36:09.455924988 CET | 40822 | 53 | 192.168.2.13 | 8.8.8.8
Oct 29, 2024 16:36:09.464512110 CET | 53 | 40822 | 8.8.8.8 | 192.168.2.13
Oct 29, 2024 16:36:09.466448069 CET | 44755 | 53 | 192.168.2.13 | 8.8.8.8
Oct 29, 2024 16:36:09.474332094 CET | 53 | 44755 | 8.8.8.8 | 192.168.2.13
Oct 29, 2024 16:38:52.516812086 CET | 52368 | 53 | 192.168.2.13 | 1.1.1.1
Oct 29, 2024 16:38:52.516942978 CET | 37220 | 53 | 192.168.2.13 | 1.1.1.1
Oct 29, 2024 16:38:52.524074078 CET | 53 | 52368 | 1.1.1.1 | 192.168.2.13
Oct 29, 2024 16:38:52.524154902 CET | 53 | 37220 | 1.1.1.1 | 192.168.2.13
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 16:36:07.547148943 CET | 192.168.2.13 | 8.8.8.8 | 0x649f | Standard query (0) | raw.eye-network.ru | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:07.560251951 CET | 192.168.2.13 | 8.8.8.8 | 0x17b7 | Standard query (0) | raw.eye-network.ru | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:08.499011993 CET | 192.168.2.13 | 8.8.8.8 | 0x755b | Standard query (0) | raw.eye-network.ru | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:08.522830009 CET | 192.168.2.13 | 8.8.8.8 | 0x835f | Standard query (0) | raw.eye-network.ru | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:09.455924988 CET | 192.168.2.13 | 8.8.8.8 | 0x589 | Standard query (0) | raw.eye-network.ru | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:09.466448069 CET | 192.168.2.13 | 8.8.8.8 | 0x724a | Standard query (0) | raw.eye-network.ru | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:38:52.516812086 CET | 192.168.2.13 | 1.1.1.1 | 0xbd98 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:38:52.516942978 CET | 192.168.2.13 | 1.1.1.1 | 0x7a3 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 16:36:07.558329105 CET | 8.8.8.8 | 192.168.2.13 | 0x649f | No error (0) | raw.eye-network.ru | - | 213.232.235.18 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:07.568670034 CET | 8.8.8.8 | 192.168.2.13 | 0x17b7 | No error (0) | raw.eye-network.ru | - | 213.232.235.18 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:08.520603895 CET | 8.8.8.8 | 192.168.2.13 | 0x755b | No error (0) | raw.eye-network.ru | - | 213.232.235.18 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:08.530395985 CET | 8.8.8.8 | 192.168.2.13 | 0x835f | No error (0) | raw.eye-network.ru | - | 213.232.235.18 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:09.464512110 CET | 8.8.8.8 | 192.168.2.13 | 0x589 | No error (0) | raw.eye-network.ru | - | 213.232.235.18 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:36:09.474332094 CET | 8.8.8.8 | 192.168.2.13 | 0x724a | No error (0) | raw.eye-network.ru | - | 213.232.235.18 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:38:52.524074078 CET | 1.1.1.1 | 192.168.2.13 | 0xbd98 | No error (0) | daisy.ubuntu.com | - | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 16:38:52.524074078 CET | 1.1.1.1 | 192.168.2.13 | 0xbd98 | No error (0) | daisy.ubuntu.com | - | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                                      System Behavior

                                      Start time (UTC):15:36:06
                                      Start date (UTC):29/10/2024
                                      Path:/tmp/dwhdbg.elf
                                      Arguments:/tmp/dwhdbg.elf
                                      File size:156120 bytes
                                      MD5 hash:a7eec647038e9a100134b683d0f0d31d

                                      Start time (UTC):15:36:06
                                      Start date (UTC):29/10/2024
                                      Path:/tmp/dwhdbg.elf
                                      Arguments:-
                                      File size:156120 bytes
                                      MD5 hash:a7eec647038e9a100134b683d0f0d31d