Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
armv6l.elf

Overview

General Information

Sample name:armv6l.elf
Analysis ID:1546877
MD5:ae688d68851d9b270eada996c4cf0550
SHA1:521d1c7e9b4c51a534f885a9eda780036d5433d8
SHA256:480d339e2609f68438b81e08b0bef9cb67343359f04565c543c7e69de6a54b0c
Tags:elfuser-abuse_ch
Infos:

Detection

Gafgyt, Mirai
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Opens /proc/net/* files useful for finding connected devices and routers
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Suricata IDS alerts with low severity for network traffic
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1546877
Start date and time:2024-11-01 17:07:11 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:armv6l.elf
Detection:MAL
Classification:mal80.spre.troj.evad.linELF@0/1@2/0

Warnings

  • VT rate limit hit for: armv6l.elf

Runtime Messages

Command:/tmp/armv6l.elf
PID:5527
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Infected By Simps Botnet ;)
Infected By Simps Botnet ;)
Standard Error:

Process Tree

  • system is lnxubuntu20
  • armv6l.elf (PID: 5527, Parent: 5449, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/armv6l.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Bashlite, GafgytBashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpJoeSecurity_GafgytYara detected GafgytJoe Security
    5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
      • 0x49114:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49128:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x4913c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49150:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49164:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49178:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x4918c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x491a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x491b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x491c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x491dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x491f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49204:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49218:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x4922c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49240:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49254:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49268:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x4927c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x49290:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x492a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpLinux_Trojan_Gafgyt_ea92cca8unknownunknown
      • 0x49648:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
      5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmpJoeSecurity_GafgytYara detected GafgytJoe Security
        Click to see the 8 entries

        Suricata Signatures

        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
        2024-11-01T17:07:57.916795+010028484481A Network Trojan was detected192.168.2.1550994181.214.231.15231130TCP

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: armv6l.elfReversingLabs: Detection: 31%

        Spreading

        barindex
        Opens /proc/net/* files useful for finding connected devices and routers
        Source: /tmp/armv6l.elf (PID: 5527)Opens: /proc/net/routeJump to behavior
        Source: global trafficTCP traffic: 192.168.2.15:50994 -> 181.214.231.152:31130
        Source: Network trafficSuricata IDS: 2848448 - Severity 1 - ETPRO MALWARE Possible ELF/Various IoT Bot Style Device Checkin (unknown) : 192.168.2.15:50994 -> 181.214.231.152:31130
        Source: unknownTCP traffic detected without corresponding DNS query: 181.214.231.152
        Source: unknownTCP traffic detected without corresponding DNS query: 181.214.231.152
        Source: unknownTCP traffic detected without corresponding DNS query: 181.214.231.152
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
        Source: armv6l.elf, 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpString found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)
        Source: armv6l.elfString found in binary or memory: http://upx.sf.net
        Source: armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpString found in binary or memory: http://www.google.com/bot.html)
        Source: armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpString found in binary or memory: http://www.google.com/mobile/adsbot.html)
        Source: armv6l.elf, 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpString found in binary or memory: http://www.spidersoft.com)
        Source: armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpString found in binary or memory: https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
        Source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
        Source: Process Memory Space: armv6l.elf PID: 5527, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: armv6l.elf PID: 5527, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
        Source: Process Memory Space: armv6l.elf PID: 5529, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: armv6l.elf PID: 5529, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
        Source: LOAD without section mappingsProgram segment: 0x8000
        Source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
        Source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
        Source: Process Memory Space: armv6l.elf PID: 5527, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: armv6l.elf PID: 5527, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
        Source: Process Memory Space: armv6l.elf PID: 5529, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: armv6l.elf PID: 5529, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
        Source: classification engineClassification label: mal80.spre.troj.evad.linELF@0/1@2/0

        Data Obfuscation

        barindex
        Sample is packed with UPX
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /tmp/armv6l.elf (PID: 5527)Log file created: /tmp/Infected.logJump to dropped file
        Source: armv6l.elfSubmission file: segment LOAD with 7.9858 entropy (max. 8.0)
        Source: /tmp/armv6l.elf (PID: 5527)Queries kernel information via 'uname': Jump to behavior
        Source: armv6l.elf, 5527.1.0000557352264000.0000557352472000.rw-.sdmp, armv6l.elf, 5529.1.0000557352264000.0000557352472000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
        Source: armv6l.elf, 5527.1.00007ffe96566000.00007ffe96587000.rw-.sdmp, armv6l.elf, 5529.1.00007ffe96566000.00007ffe96587000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
        Source: armv6l.elf, 5527.1.00007ffe96566000.00007ffe96587000.rw-.sdmp, armv6l.elf, 5529.1.00007ffe96566000.00007ffe96587000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/armv6l.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/armv6l.elf
        Source: armv6l.elf, 5527.1.0000557352264000.0000557352472000.rw-.sdmp, armv6l.elf, 5529.1.0000557352264000.0000557352472000.rw-.sdmpBinary or memory string: 'RsU!/etc/qemu-binfmt/arm

        Stealing of Sensitive Information

        barindex
        Yara detected Gafgyt
        Source: Yara matchFile source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Yara detected Mirai
        Source: Yara matchFile source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: armv6l.elf PID: 5529, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Yara detected Gafgyt
        Source: Yara matchFile source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Yara detected Mirai
        Source: Yara matchFile source: 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: armv6l.elf PID: 5529, type: MEMORYSTR

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
        Obfuscated Files or Information        		OS Credential Dumping11
        Security Software Discovery        		Remote ServicesData from Local System1
        Non-Standard Port        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
        Remote System Discovery        		Remote Desktop ProtocolData from Removable Media1
        Non-Application Layer Protocol        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
        Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact

        Malware Configuration

        No configs have been found

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        armv6l.elf32%ReversingLabsLinux.Trojan.Gafgyt

        Dropped Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://upx.sf.net0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        daisy.ubuntu.com
        		162.213.35.25
        		truefalse
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpfalse
            		unknown
            http://upx.sf.netarmv6l.elftrue
            • URL Reputation: safe
            		unknown
            http://www.spidersoft.com)armv6l.elf, 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpfalse
              		unknown
              http://help.yahoo.com/help/us/ysearch/slurp)armv6l.elf, 5527.1.00007f77d4017000.00007f77d4064000.r-x.sdmp, armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpfalse
                		unknown
                http://www.google.com/bot.html)armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpfalse
                  		unknown
                  http://www.google.com/mobile/adsbot.html)armv6l.elf, 5529.1.00007f77d4017000.00007f77d4064000.r-x.sdmpfalse
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    181.214.231.152
                    		unknownChile
                    		61317ASDETUKhttpwwwheficedcomGBfalse

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    181.214.231.152mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                      armv5l.elfGet hashmaliciousGafgyt, MiraiBrowse
                        m68k.elfGet hashmaliciousGafgyt, MiraiBrowse
                          mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                            armv6l.elfGet hashmaliciousGafgyt, MiraiBrowse
                              sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                m68k.elfGet hashmaliciousGafgyt, MiraiBrowse
                                  i686.elfGet hashmaliciousGafgyt, MiraiBrowse
                                    mips64.elfGet hashmaliciousGafgyt, MiraiBrowse
                                      mipsel.elfGet hashmaliciousGafgyt, MiraiBrowse

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        daisy.ubuntu.comarmv5l.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 162.213.35.25
                                        m68k.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 162.213.35.24
                                        debug.dbg.elfGet hashmaliciousMirai, OkiruBrowse
                                        • 162.213.35.24
                                        dlr.sh4.elfGet hashmaliciousUnknownBrowse
                                        • 162.213.35.25
                                        dlr.m68k.elfGet hashmaliciousUnknownBrowse
                                        • 162.213.35.25
                                        dlr.arm5.elfGet hashmaliciousUnknownBrowse
                                        • 162.213.35.24
                                        zmap.arm5.elfGet hashmaliciousOkiruBrowse
                                        • 162.213.35.25
                                        main_arm6.elfGet hashmaliciousMiraiBrowse
                                        • 162.213.35.24
                                        zmap.x86_64.elfGet hashmaliciousOkiruBrowse
                                        • 162.213.35.24
                                        dlr.arm.elfGet hashmaliciousUnknownBrowse
                                        • 162.213.35.25

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ASDETUKhttpwwwheficedcomGBmips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        armv5l.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        m68k.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        meow.arm7.elfGet hashmaliciousUnknownBrowse
                                        • 64.137.31.246
                                        mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        armv6l.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        m68k.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        i686.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152
                                        mips64.elfGet hashmaliciousGafgyt, MiraiBrowse
                                        • 181.214.231.152

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        /tmp/Infected.log

                                        Download File
                                        Process:/tmp/armv6l.elf
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):107
                                        Entropy (8bit):4.71112089176799
                                        Encrypted:false
                                        SSDEEP:3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
                                        MD5:A70A5DDE6F79EAEA4E71C88B6A2CCC38
                                        SHA1:92C0273C4BE5D4B7BDBDD500DE5A64E5E05652B2
                                        SHA-256:D087A5A10A09B589993D8CC44A24EF22DB26FFD0FEEEB3F29B15AF008C292AF8
                                        SHA-512:AAA7D00FAA34A87292F23A16DAE8A7A4B5A40C8E375A579F1286427819C2A04E1C6F970DBC0F2433E6C03F59A2ECE0F28BA1E8FC526BC4AFE77F176F61876C52
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:Thank You For Your Services...Tips Device Has successfully Been Infected..With Malware By Simps Botnet ;)..

                                        Static File Info

                                        General

                                        File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
                                        Entropy (8bit):7.991055449530635
                                        TrID:
                                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                        File name:armv6l.elf
                                        File size:85'200 bytes
                                        MD5:ae688d68851d9b270eada996c4cf0550
                                        SHA1:521d1c7e9b4c51a534f885a9eda780036d5433d8
                                        SHA256:480d339e2609f68438b81e08b0bef9cb67343359f04565c543c7e69de6a54b0c
                                        SHA512:fbe03b2bc040b014ad63ac90c5a415668a0014faaca236742f156569495864f8e1d9a3e57c6b028b2f735b3e46950e1dbea6961f56335be2a727e88a6f97c666
                                        SSDEEP:1536:I6maMjR+qy4rnLy9pwjhdx87oYfibFv/oiq4EYS7Hi8z42/ChsXYa4dD/:IT7jMqy4rnQwjhP80/NqrYS7p41aK
                                        TLSH:4E83023241630CBACA63493382BA09C36F174C7AD47EEA750490DFEB1565D9433F569B
                                        File Content Preview:.ELF..............(......^..4...........4. ...(..........................................>...>...>..................Q.td............................r.'.UPX!........Q-..Q-......_..........?.E.h;....#..$..............C..... ...aO...N...".%....u..pd...G.. ..

                                        Static ELF Info

                                        ELF header

                                        Class:ELF32
                                        Data:2's complement, little endian
                                        Version:1 (current)
                                        Machine:ARM
                                        Version Number:0x1
                                        Type:EXEC (Executable file)
                                        OS/ABI:UNIX - Linux
                                        ABI Version:0
                                        Entry Point Address:0x15ee8
                                        Flags:0x4000002
                                        ELF Header Size:52
                                        Program Header Offset:52
                                        Program Header Size:32
                                        Number of Program Headers:3
                                        Section Header Offset:0
                                        Section Header Size:40
                                        Number of Section Headers:0
                                        Header String Table Index:0

                                        Program Segments

                                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                        LOAD0x00x80000x80000xf0d50xf0d57.98580x5R E0x8000
                                        LOAD0x3ef80x63ef80x63ef80x00x00.00000x6RW 0x8000
                                        GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                                        Network Behavior

                                        Suricata IDS Alerts

                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                        2024-11-01T17:07:57.916795+01002848448ETPRO MALWARE Possible ELF/Various IoT Bot Style Device Checkin (unknown)1192.168.2.1550994181.214.231.15231130TCP

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 1, 2024 17:07:57.898618937 CET5099431130192.168.2.15181.214.231.152
                                        Nov 1, 2024 17:07:57.916184902 CET3113050994181.214.231.152192.168.2.15
                                        Nov 1, 2024 17:07:57.916243076 CET5099431130192.168.2.15181.214.231.152
                                        Nov 1, 2024 17:07:57.916795015 CET5099431130192.168.2.15181.214.231.152
                                        Nov 1, 2024 17:07:57.937633038 CET3113050994181.214.231.152192.168.2.15

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Nov 1, 2024 17:10:42.484244108 CET5510153192.168.2.151.1.1.1
                                        Nov 1, 2024 17:10:42.484296083 CET3549953192.168.2.151.1.1.1
                                        Nov 1, 2024 17:10:42.491391897 CET53354991.1.1.1192.168.2.15
                                        Nov 1, 2024 17:10:42.494218111 CET53551011.1.1.1192.168.2.15

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Nov 1, 2024 17:10:42.484244108 CET192.168.2.151.1.1.10x1ca3Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                                        Nov 1, 2024 17:10:42.484296083 CET192.168.2.151.1.1.10x7cf6Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Nov 1, 2024 17:10:42.494218111 CET1.1.1.1192.168.2.150x1ca3No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                                        Nov 1, 2024 17:10:42.494218111 CET1.1.1.1192.168.2.150x1ca3No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                                        System Behavior

                                        General

                                        Start time (UTC):16:07:56
                                        Start date (UTC):01/11/2024
                                        Path:/tmp/armv6l.elf
                                        Arguments:/tmp/armv6l.elf
                                        File size:4956856 bytes
                                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                        Chronological Activities


                                        General

                                        Start time (UTC):16:07:56
                                        Start date (UTC):01/11/2024
                                        Path:/tmp/armv6l.elf
                                        Arguments:-
                                        File size:4956856 bytes
                                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                        Chronological Activities


                                        General

                                        Start time (UTC):16:07:56
                                        Start date (UTC):01/11/2024
                                        Path:/tmp/armv6l.elf
                                        Arguments:-
                                        File size:4956856 bytes
                                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                        Chronological Activities