Edit tour

Linux Analysis Report
Space.arm.elf

Overview

General Information

Sample name:	Space.arm.elf
Analysis ID:	1575714
MD5:	9ce6f655eedca1fd7af2e93dc59adb6c
SHA1:	ed523f4251d1dc3d202f3bf338543acf4b4edb50
SHA256:	413cddb4fca3a1e8f1fb2ac5ebcd161a85cda41861415f91a9c5e7f116732b70
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575714
Start date and time:	2024-12-16 08:52:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.arm.elf
Detection:	MAL
Classification:	mal68.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.arm.elf
PID:	6241
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.arm.elf (PID: 6241, Parent: 6164, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Space.arm.elf

Space.arm.elf New Fork (PID: 6243, Parent: 6241)

Space.arm.elf New Fork (PID: 6245, Parent: 6243)

Space.arm.elf New Fork (PID: 6247, Parent: 6243)

Space.arm.elf New Fork (PID: 6253, Parent: 6241)

Space.arm.elf New Fork (PID: 6255, Parent: 6241)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6243.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6243.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10258:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1026c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10280:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1030c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1035c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6245.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6245.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10258:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1026c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10280:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1030c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1035c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6241.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6241.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10258:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1026c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10280:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1030c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1035c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6253.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6253.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10258:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1026c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10280:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10294:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1030c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1035c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm.elf PID: 6241	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.arm.elf PID: 6241	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1049c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x104b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x104c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x104d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x104ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10500:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10514:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10528:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1053c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10550:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10564:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10578:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1058c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm.elf PID: 6243	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.arm.elf PID: 6243	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x10ff7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1100b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1101f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11033:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11047:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1105b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1106f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11083:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11097:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x110fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1110f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11123:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11137:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1114b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1115f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11173:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x11187:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm.elf PID: 6245	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.arm.elf PID: 6245	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x36b75:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36b89:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36b9d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36bb1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36bc5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36bd9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36bed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c01:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c15:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c29:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c3d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c51:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c65:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c79:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36c8d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36ca1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36cb5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36cc9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36cdd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36cf1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36d05:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm.elf PID: 6253	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.arm.elf PID: 6253	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3c938:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c94c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c960:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c974:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c988:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c99c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c9b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c9c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c9d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c9ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3caa0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cab4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cac8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Space.arm.elf

ReversingLabs: Detection: 31%

Source: global traffic

TCP traffic: 192.168.2.23:50948 -> 89.169.4.44:3778

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44

Source: Space.arm.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6243.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6245.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6241.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6253.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm.elf PID: 6241, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm.elf PID: 6243, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm.elf PID: 6245, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm.elf PID: 6253, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x8000

Source: 6243.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6245.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6241.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6253.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm.elf PID: 6241, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm.elf PID: 6243, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm.elf PID: 6245, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm.elf PID: 6253, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1582/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/3088/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1579/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1699/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1335/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1698/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1334/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1576/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/2302/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/910/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/912/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/2307/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/918/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/6241/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/6247/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1594/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1349/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1344/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1465/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1586/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1463/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1900/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/491/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1477/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/379/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1476/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/2208/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1809/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/1494/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/Space.arm.elf (PID: 6241)	File opened: /proc/261/status	Jump to behavior

Source: Space.arm.elf

Submission file: segment LOAD with 7.9645 entropy (max. 8.0)

Source: /tmp/Space.arm.elf (PID: 6241)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.arm.elf, 6241.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp, Space.arm.elf, 6243.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp, Space.arm.elf, 6245.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp, Space.arm.elf, 6253.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp	Binary or memory string: }?V!/etc/qemu-binfmt/arm
Source: Space.arm.elf, 6241.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp, Space.arm.elf, 6243.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp, Space.arm.elf, 6245.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp, Space.arm.elf, 6253.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Space.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.arm.elf
Source: Space.arm.elf, 6241.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp, Space.arm.elf, 6243.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp, Space.arm.elf, 6245.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp, Space.arm.elf, 6253.1.0000563f7dcef000.0000563f7df3d000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Space.arm.elf, 6241.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp, Space.arm.elf, 6243.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp, Space.arm.elf, 6245.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp, Space.arm.elf, 6253.1.00007fffcee0a000.00007fffcee2b000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 6243.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6245.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6253.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6241, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6243, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6245, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6253, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 6243.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6245.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6253.1.00007f4d40017000.00007f4d4002a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6241, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6243, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6245, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.arm.elf PID: 6253, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.arm.elf	32%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.arm.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
89.169.4.44	unknown	Russian Federation	31514	INF-NET-ASRU	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
89.169.4.44	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse
91.189.91.43	m68k.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	m68k.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	bin.sh.elf	Get hash	malicious	Mirai	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	spc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	bin.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	spc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	m68k.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
INF-NET-ASRU	jade.m68k.elf	Get hash	malicious	Mirai	Browse	89.169.156.74
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	87.228.10.139
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
INIT7CH	m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	bin.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	spc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	m68k.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):	7.962510011719269
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Space.arm.elf
File size:	36'824 bytes
MD5:	9ce6f655eedca1fd7af2e93dc59adb6c
SHA1:	ed523f4251d1dc3d202f3bf338543acf4b4edb50
SHA256:	413cddb4fca3a1e8f1fb2ac5ebcd161a85cda41861415f91a9c5e7f116732b70
SHA512:	a19fcb4690c88e560300abf678a0628a80dee48b1b450e712189e2caa62fa39ab18f932acd45d94daff2678ec2d3d6fd0be3852f006c8b09f354ce16d6bb6937
SSDEEP:	768:qQKd4TIv86wHqEGBFePMdayb0zDWX5pq2sJbBi9s3UozD:qQKSIbtYMHaDy5p/sZBiAzD
TLSH:	79F2F1213111BDF4EA20093BCF7A854AE39A41755256714D1A2847FEA0CF7C6A9BC3F3
File Content Preview:	.ELF...a..........(.....8...4...........4. ...(..........................................Y...Y...Y..................Q.td............................s.y.UPX!........@5..@5......T..........?.E.h;.}...^..........f(...j.l..0z.$..G.sB......y...G.."b..k{......0

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0xfd38
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x8ee7	0x8ee7	7.9645	0x5	R E	0x8000
LOAD	0x5990	0x25990	0x25990	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:52:57.055347919 CET	43928	443	192.168.2.23	91.189.91.42
Dec 16, 2024 08:52:58.376679897 CET	50948	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:58.496556044 CET	3778	50948	89.169.4.44	192.168.2.23
Dec 16, 2024 08:52:58.496611118 CET	50948	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:58.529234886 CET	50948	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:58.649028063 CET	3778	50948	89.169.4.44	192.168.2.23
Dec 16, 2024 08:52:58.649075031 CET	50948	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:58.768802881 CET	3778	50948	89.169.4.44	192.168.2.23
Dec 16, 2024 08:52:59.818886995 CET	3778	50948	89.169.4.44	192.168.2.23
Dec 16, 2024 08:52:59.819148064 CET	50948	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:59.819222927 CET	50948	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:59.820497990 CET	50950	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:59.940319061 CET	3778	50950	89.169.4.44	192.168.2.23
Dec 16, 2024 08:52:59.940455914 CET	50950	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:52:59.941474915 CET	50950	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:00.061270952 CET	3778	50950	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:00.061414957 CET	50950	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:00.181484938 CET	3778	50950	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:01.288767099 CET	3778	50950	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:01.288921118 CET	50950	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:01.288965940 CET	50950	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:01.289586067 CET	50952	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:01.409329891 CET	3778	50952	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:01.409451962 CET	50952	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:01.410516024 CET	50952	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:01.530270100 CET	3778	50952	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:01.530551910 CET	50952	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:01.650348902 CET	3778	50952	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:02.686510086 CET	42836	443	192.168.2.23	91.189.91.43
Dec 16, 2024 08:53:02.733477116 CET	3778	50952	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:02.733771086 CET	50952	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:02.733771086 CET	50952	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:02.734321117 CET	50954	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:02.854320049 CET	3778	50954	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:02.854631901 CET	50954	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:02.855669975 CET	50954	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:02.975388050 CET	3778	50954	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:02.975584984 CET	50954	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:03.095347881 CET	3778	50954	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.176393986 CET	3778	50954	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.176668882 CET	50954	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.176668882 CET	50954	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.179079056 CET	50956	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.222260952 CET	42516	80	192.168.2.23	109.202.202.202
Dec 16, 2024 08:53:04.299264908 CET	3778	50956	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.299540997 CET	50956	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.301316023 CET	50956	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.383841038 CET	50958	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.421008110 CET	3778	50956	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.421058893 CET	50956	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.503729105 CET	3778	50958	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.503796101 CET	50958	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.516699076 CET	50958	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.540946007 CET	3778	50956	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.636460066 CET	3778	50958	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:04.636503935 CET	50958	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:04.756266117 CET	3778	50958	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:05.681570053 CET	3778	50956	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:05.681862116 CET	50956	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.681862116 CET	50956	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.682712078 CET	50960	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.926378965 CET	3778	50960	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:05.926435947 CET	3778	50958	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:05.926501989 CET	50958	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.926598072 CET	50960	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.926809072 CET	50958	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.928019047 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:05.928356886 CET	50960	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:06.047796965 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:06.048067093 CET	3778	50960	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:06.048075914 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:06.048109055 CET	50960	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:06.049889088 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:06.167814970 CET	3778	50960	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:06.169567108 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:06.169630051 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:06.289258957 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.254077911 CET	3778	50960	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.254424095 CET	50960	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.254424095 CET	50960	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.255158901 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.370800972 CET	3778	50962	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.370915890 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.371092081 CET	50962	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.371711016 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.376049042 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.376112938 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.377115011 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.491780043 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.491976023 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.493129015 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.497383118 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.497466087 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.615459919 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.615679026 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:07.618624926 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:07.737272024 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:08.701514959 CET	3778	50964	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:08.701855898 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.701855898 CET	50964	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.702933073 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.817248106 CET	3778	50966	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:08.817462921 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.817464113 CET	50966	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.818391085 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.822868109 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:08.822928905 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.824243069 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.938296080 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:08.938402891 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.939616919 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:08.944720030 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:08.944775105 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:09.059391975 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:09.059525967 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:09.064482927 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:09.179600000 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.145822048 CET	3778	50968	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.146095037 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.146095037 CET	50968	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.146962881 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.262852907 CET	3778	50970	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.263008118 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.263128996 CET	50970	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.264095068 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.268043995 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.268178940 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.269522905 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.384072065 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.384365082 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.386970997 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.390212059 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.390284061 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.508456945 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.508708000 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:10.510970116 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:10.629529953 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.593203068 CET	3778	50972	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.593550920 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.593693972 CET	50972	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.594557047 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.714628935 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.714757919 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.716057062 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.732601881 CET	3778	50974	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.732863903 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.732994080 CET	50974	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.733838081 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.835809946 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.835937023 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.853610039 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.853693008 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.855722904 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:11.955712080 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.975605965 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:11.975684881 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:12.095556021 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.037823915 CET	3778	50976	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.038017035 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.038079977 CET	50976	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.039450884 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.159231901 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.159394026 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.161169052 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.177268028 CET	3778	50978	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.177350044 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.177382946 CET	50978	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.177982092 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.280838013 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.281174898 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.297619104 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.297720909 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.299995899 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.400918961 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.419645071 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:13.419763088 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:13.539604902 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.486569881 CET	3778	50980	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.486869097 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.486869097 CET	50980	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.487734079 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.607517004 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.607664108 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.609591007 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.622806072 CET	3778	50982	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.622891903 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.622977018 CET	50982	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.623820066 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.729370117 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.729506969 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.743541956 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.743633032 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.745513916 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.849304914 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.865216970 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:14.865319967 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:14.985023975 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:15.935436010 CET	3778	50984	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:15.935781956 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:15.935867071 CET	50984	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:15.936845064 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.056652069 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:16.056880951 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.058547020 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.078193903 CET	3778	50986	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:16.078295946 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.078392029 CET	50986	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.079083920 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.178298950 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:16.178594112 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.198781013 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:16.198932886 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.200645924 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.298780918 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:16.320429087 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:16.320560932 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:16.440378904 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.381793976 CET	3778	50988	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.382117987 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.382215977 CET	50988	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.383122921 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.502898932 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.503004074 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.504056931 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.522588015 CET	3778	50990	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.522651911 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.522686958 CET	50990	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.523293018 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.623855114 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.624037027 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.643060923 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.643203974 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.644702911 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.743834019 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.764477015 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:17.764601946 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:17.788410902 CET	43928	443	192.168.2.23	91.189.91.42
Dec 16, 2024 08:53:17.884325027 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:18.835520983 CET	3778	50992	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:18.835866928 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.835866928 CET	50992	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.836541891 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.956249952 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:18.956474066 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.957667112 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.962879896 CET	3778	50994	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:18.962939024 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.963093042 CET	50994	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:18.963865995 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:19.077666998 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:19.077868938 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:19.083658934 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:19.083800077 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:19.086384058 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:19.197556019 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:19.205997944 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:19.206096888 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:19.325751066 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:20.304342031 CET	3778	50996	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:20.304491997 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:20.304577112 CET	50996	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:20.305514097 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:20.426124096 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:20.426259995 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:20.428196907 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:20.548181057 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:20.548374891 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:20.668056965 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:21.757014990 CET	3778	51000	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:21.757180929 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:21.757230043 CET	51000	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:21.757884026 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:21.877492905 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:21.877615929 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:21.879739046 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:21.999445915 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:21.999582052 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:22.119404078 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:23.204006910 CET	3778	51002	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:23.204297066 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:23.204332113 CET	51002	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:23.205090046 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:23.324920893 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:23.325088978 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:23.326656103 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:23.446386099 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:23.446500063 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:23.566450119 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:24.650015116 CET	3778	51004	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:24.650279045 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:24.650368929 CET	51004	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:24.651122093 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:24.770997047 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:24.771289110 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:24.773094893 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:24.894023895 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:24.894469023 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:25.014445066 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:26.100296974 CET	3778	51006	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:26.100610018 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:26.100708961 CET	51006	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:26.101630926 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:26.221470118 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:26.221605062 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:26.223050117 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:26.344434977 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:26.344676971 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:26.464468002 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:29.095598936 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:29.215356112 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:29.530354023 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:29.530813932 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:30.074773073 CET	42836	443	192.168.2.23	91.189.91.43
Dec 16, 2024 08:53:34.170365095 CET	42516	80	192.168.2.23	109.202.202.202
Dec 16, 2024 08:53:36.232198954 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:36.352121115 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:36.665839911 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:53:36.666028023 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:53:58.743009090 CET	43928	443	192.168.2.23	91.189.91.42
Dec 16, 2024 08:54:29.577186108 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:54:29.696918011 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:54:30.011630058 CET	3778	50998	89.169.4.44	192.168.2.23
Dec 16, 2024 08:54:30.011796951 CET	50998	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:54:36.713610888 CET	51008	3778	192.168.2.23	89.169.4.44
Dec 16, 2024 08:54:36.833751917 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:54:37.147658110 CET	3778	51008	89.169.4.44	192.168.2.23
Dec 16, 2024 08:54:37.147790909 CET	51008	3778	192.168.2.23	89.169.4.44

System Behavior

Analysis Process: Space.arm.elf PID: 6241, Parent PID: 6164

General

Start time (UTC):	07:52:57
Start date (UTC):	16/12/2024
Path:	/tmp/Space.arm.elf
Arguments:	/tmp/Space.arm.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm.elf PID: 6243, Parent PID: 6241

General

Start time (UTC):	07:52:57
Start date (UTC):	16/12/2024
Path:	/tmp/Space.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm.elf PID: 6245, Parent PID: 6243

General

Start time (UTC):	07:52:57
Start date (UTC):	16/12/2024
Path:	/tmp/Space.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm.elf PID: 6247, Parent PID: 6243

General

Start time (UTC):	07:52:57
Start date (UTC):	16/12/2024
Path:	/tmp/Space.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm.elf PID: 6253, Parent PID: 6241

General

Start time (UTC):	07:53:03
Start date (UTC):	16/12/2024
Path:	/tmp/Space.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm.elf PID: 6255, Parent PID: 6241

General

Start time (UTC):	07:53:03
Start date (UTC):	16/12/2024
Path:	/tmp/Space.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.arm.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.arm.elf PID: 6241, Parent PID: 6164

General

Chronological Activities

Analysis Process: Space.arm.elf PID: 6243, Parent PID: 6241

General

Chronological Activities

Analysis Process: Space.arm.elf PID: 6245, Parent PID: 6243

General

Chronological Activities

Analysis Process: Space.arm.elf PID: 6247, Parent PID: 6243

General

Chronological Activities

Analysis Process: Space.arm.elf PID: 6253, Parent PID: 6241

General

Chronological Activities

Analysis Process: Space.arm.elf PID: 6255, Parent PID: 6241

General

Chronological Activities

Linux Analysis Report
Space.arm.elf