
Linux Analysis Report
Space.x86_64.elf

Overview

General Information

Sample name: Space.x86_64.elf
Analysis ID: 1575720
MD5: f9cdbd1b6359b49143356cf79ac094ab
SHA1: e3679e2b4c1e536529aa0e59b25a2d51314d6fa4
SHA256: 821e40e9f4161f17ead134c4b3dd0c687176a3afa317ecf283bccb9d24dfee5f
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Yara signature match
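Three of the signatures above (packed with UPX, high-entropy segments, a single LOAD segment with no section mappings) come down to checks on the ELF header, the program headers and the bytes each PT_LOAD segment covers. The script below is an added example, not Joe Sandbox code, showing one way to implement that triage: it parses the ELF64 header and program headers, measures the Shannon entropy of every loadable segment and looks for the UPX marker strings. The ELF files it analyses are constructed in build_demo_elf() for the demonstration and are not the analysed sample; the 7.0 bits/byte threshold is an assumption.

```python
"""ELF packer triage mirroring three signatures from the report: no section
headers, only PT_LOAD segments, high-entropy loadable content, plus the UPX
marker string. Added example, not Joe Sandbox code; the ELF files it
analyses are constructed in build_demo_elf() and are not the sample."""
import math
import random
import struct
from collections import Counter
from typing import Dict

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumption, roughly where compressed data sits


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_elf64(blob: bytes) -> dict:
    """Read the ELF64 header and program headers (little-endian only)."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (e_type, e_machine, _, e_entry, e_phoff, _e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", blob, 16)
    segments = []
    for i in range(e_phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = \
            struct.unpack_from("<IIQQQQQQ", blob, e_phoff + i * e_phentsize)
        segments.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz})
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "shnum": e_shnum, "segments": segments}


def triage(blob: bytes) -> dict:
    """The packer indicators the report lists, as booleans plus the raw numbers."""
    elf = parse_elf64(blob)
    loads = [s for s in elf["segments"] if s["type"] == PT_LOAD]
    entropies = [shannon_entropy(blob[s["offset"]:s["offset"] + s["filesz"]]) for s in loads]
    max_entropy = max(entropies, default=0.0)
    return {
        "no_sections": elf["shnum"] == 0,                       # "LOAD without section mappings"
        "only_load_segments": bool(loads) and len(loads) == len(elf["segments"]),
        "max_segment_entropy": round(max_entropy, 3),
        "high_entropy": max_entropy >= ENTROPY_THRESHOLD,       # compressed/encrypted content
        "upx_marker": b"UPX!" in blob or b"upx.sf.net" in blob,  # the string the report found
        "load_segments": [(s["vaddr"], s["filesz"]) for s in loads],
    }


def build_demo_elf(payload: bytes) -> bytes:
    """Construct a minimal x86-64 ELF: one R+X PT_LOAD covering the whole file
    and no section headers (the shape the report describes), with `payload`
    as the segment body. A header-only demo file, not a runnable program."""
    ehdr_size, phdr_size = 64, 56
    body_off = ehdr_size + phdr_size
    vaddr, filesz = 0x400000, body_off + len(payload)
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8            # ELFCLASS64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, vaddr + body_off,  # ET_EXEC, EM_X86_64
                        ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, vaddr, vaddr, filesz, filesz, 0x1000)
    return ehdr + phdr + payload


def demo() -> Dict[str, dict]:
    """Triage two constructed files: a pseudo-random (compressed-looking) body
    carrying the UPX marker, and a low-entropy plain body."""
    rng = random.Random(1337)
    packed_body = bytes(rng.getrandbits(8) for _ in range(8192)) + b"http://upx.sf.net\x00"
    plain_body = b"\x90" * 4096 + b"hello, world\x00" * 200
    return {"packed": triage(build_demo_elf(packed_body)),
            "plain": triage(build_demo_elf(plain_body))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real file, `readelf -lS` shows the same facts (no section headers, a lone PT_LOAD) and `upx -d` restores the original image when the stock packer was used. Because the on-disk file is packed, rules keyed on the unpacked code, such as the Elastic Gafgyt/Mirai rules later in this report, only fire on the r-x memory dumps taken at runtime; for static scanning, unpack first or scan the dump.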

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575720
Start date and time: 2024-12-16 08:57:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Space.x86_64.elf
Detection: MAL
Classification: mal72.troj.evad.linELF@0/0@0/0
  • VT rate limit hit for: Space.x86_64.elf
Command: /tmp/Space.x86_64.elf
PID: 5439
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  (none)

Process Tree:
  • system is lnxubuntu20
  • dash New Fork (PID: 5425, Parent: 3581)
  • rm (PID: 5425, Parent: 3581, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.pspRE6OOGo /tmp/tmp.yhSteEd987 /tmp/tmp.B8LXfgiwJK
  • dash New Fork (PID: 5426, Parent: 3581)
  • rm (PID: 5426, Parent: 3581, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.pspRE6OOGo /tmp/tmp.yhSteEd987 /tmp/tmp.B8LXfgiwJK
  • cleanup

The only rm executions visible in this report are the two above. Both are children of the dash shell (PID 3581), not of the sample (PID 5439), carry lower PIDs than the sample and are followed by the "cleanup" entry, which points to the analysis harness removing its own temporary files rather than to a deletion performed by the sample. Weigh the "Executes the rm command" signature accordingly.
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches (Source, Rule, Description, Author, Strings):

Source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: JoeSecurity_Mirai_8  Description: Yara detected Mirai  Author: Joe Security
Source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_28a2fe0c  Description: unknown  Author: unknown  Strings:
    • 0xe918:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe92c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe940:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe954:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe968:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe97c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe990:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe9a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe9b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe9cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe9e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe9f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xea94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xeaa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_9e9530a7  Description: unknown  Author: unknown  Strings:
    • 0x9d48:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
Source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_807911a2  Description: unknown  Author: unknown  Strings:
    • 0xa537:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
Source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp  Rule: Linux_Trojan_Gafgyt_d4227dbf  Description: unknown  Author: unknown  Strings:
    • 0x76c2:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    • 0x77d0:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
    (58 Yara match entries in total; the remaining entries are not shown on this page)
    No Suricata rule has matched
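The `$a` strings above are plain byte sequences, and Yara reports every offset at which each occurs in the scanned dump. The constant 0x14 (20-byte) spacing of the Linux_Trojan_Gafgyt_28a2fe0c hits from 0xe918 to 0xeaa8 shows that the matched bytes are a 20-byte token repeated back to back, so the 29-byte pattern matches at every repetition. The script below is an added example, not Joe Sandbox or Elastic code, that re-creates this output with a small Yara-style hex-pattern scanner (including `??` wildcards) over a constructed memory image. The image layout and the filler bytes are made up for the demo; only the two `$a` patterns are copied from the report.

```python
"""Hex-pattern scanner that reproduces the Yara string hits listed above.
Added example, not Joe Sandbox or Elastic code; the memory image it scans
is constructed, only the two `$a` patterns are copied from the report."""
import re
from typing import Dict, List

# `$a` strings of two rules, exactly as printed in the report.
GAFGYT_28A2FE0C_A = ("2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 "
                     "2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F")
GAFGYT_9E9530A7_A = ("F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF "
                     "48 89 C3")


def hex_string_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a Yara-style hex string ('2F 78 ?? 38') to a bytes regex,
    wrapped in a lookahead so that overlapping occurrences are all reported."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                    for tok in pattern.split())
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def scan(image: bytes, pattern: str) -> List[int]:
    """Every offset at which `pattern` occurs in `image`, the data behind the
    report's '0xe918:$a:' lines."""
    return [m.start() for m in hex_string_to_regex(pattern).finditer(image)]


def hex_string_to_ascii(pattern: str) -> str:
    """Printable rendering of a hex string (non-printable bytes shown as '.')."""
    raw = bytes.fromhex(pattern.replace(" ", ""))
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def build_demo_image() -> bytes:
    """Constructed stand-in for the r-x dump: zero filler up to 0xe918, the
    20-byte token '/x38/xFJ/x93/xID/x9A' repeated 22 times, a gap, then the
    syscall stub the second rule looks for, then int3 padding."""
    token = b"/x38/xFJ/x93/xID/x9A"
    stub = bytes.fromhex(GAFGYT_9E9530A7_A.replace(" ", ""))
    return b"\x00" * 0xE918 + token * 22 + b"\x00" * 0x100 + stub + b"\xCC" * 64


def demo() -> Dict[str, object]:
    """Scan the constructed image with both patterns and decode the first."""
    image = build_demo_image()
    return {
        "gafgyt_28a2fe0c": scan(image, GAFGYT_28A2FE0C_A),
        "gafgyt_9e9530a7": scan(image, GAFGYT_9E9530A7_A),
        "decoded_28a2fe0c": hex_string_to_ascii(GAFGYT_28A2FE0C_A),
    }


if __name__ == "__main__":
    for rule, hits in demo().items():
        if isinstance(hits, list):
            print(rule, ", ".join(f"0x{o:x}" for o in hits))
        else:
            print(rule, hits)
```

The first pattern decodes to `/x38/xFJ/x93/xID/x9A/x38/xFJ/`, an obfuscated string-table fragment, which is why it is a string-level rather than code-level indicator. The second, after one trailing byte of the previous instruction, disassembles to `movsxd rdi, edi; mov eax, 0x36; syscall; cmp rax, -4096; mov rbx, rax`: the wrapper for system call 54 (setsockopt on x86-64) in a statically linked libc with its usual error check. That makes it a sound signature for these static bot binaries, but it can also hit other statically linked x86-64 programs, so it should corroborate rather than decide a verdict on its own.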


    AV Detection

Source: Space.x86_64.elf  ReversingLabs: Detection: 39%
Source: Space.x86_64.elf  Joe Sandbox ML: detected

    Networking

Source: global traffic  TCP traffic: 192.168.2.13:48182 -> 89.169.4.44:3778
Source: unknown  TCP traffic detected without corresponding DNS query: 89.169.4.44 (46 identical entries)

    Data Obfuscation

Source: Space.x86_64.elf  String found in binary or memory: http://upx.sf.net
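The two network signatures in the overview, "Detected TCP or UDP traffic on non-standard ports" and the repeated "TCP traffic detected without corresponding DNS query", are simple to reproduce from a connection log: a destination is suspicious when no DNS answer for it was seen before the connection, and separately when the port is outside the set the environment considers normal. The script below is an added example, not Joe Sandbox code, implementing both checks over a constructed log. The log format, the timestamps and the benign destinations are made up; only 192.168.2.13:48182 -> 89.169.4.44:3778 comes from the report. The "standard ports" set and the exemption of RFC 1918 destinations from the no-DNS check are assumptions.

```python
"""Detection logic for 'TCP traffic without corresponding DNS query' and
'TCP/UDP traffic on non-standard ports', run over a constructed log.
Added example, not Joe Sandbox code."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log (not from the report, apart from the 89.169.4.44:3778
# connection). One event per line, in time order: DNS answers seen on the
# wire and outbound TCP connection attempts.
SAMPLE_LOG = """\
2024-12-16T07:57:20Z dns 192.168.2.13 query=archive.ubuntu.com answer=91.189.91.83
2024-12-16T07:57:21Z tcp 192.168.2.13:51234 -> 91.189.91.83:80
2024-12-16T07:57:25Z tcp 192.168.2.13:48182 -> 89.169.4.44:3778
2024-12-16T07:57:30Z tcp 192.168.2.13:48184 -> 89.169.4.44:3778
2024-12-16T07:57:35Z tcp 192.168.2.13:48186 -> 89.169.4.44:3778
2024-12-16T07:57:40Z tcp 192.168.2.13:48188 -> 10.0.0.5:22
"""

# Assumption: what counts as a "standard" port; tune to the environment.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 8080, 8443}

DNS_RE = re.compile(r"^(\S+) dns (\S+) query=(\S+) answer=(\S+)$")
TCP_RE = re.compile(r"^(\S+) tcp (\S+):(\d+) -> (\S+):(\d+)$")


def _new_finding() -> dict:
    return {"attempts": 0, "ports": set(), "no_dns": False, "nonstandard_port": False}


def analyse(log: str) -> Dict[str, dict]:
    """Return findings keyed by destination IP. A destination counts as
    resolved only if a DNS answer for it appeared *earlier* in the log, which
    is what 'corresponding DNS query' means here. Private (RFC 1918)
    destinations are exempt from the no-DNS check (assumption: LAN traffic
    is routinely addressed by IP)."""
    resolved: Dict[str, str] = {}             # ip -> name that resolved to it
    findings: Dict[str, dict] = defaultdict(_new_finding)
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m:
            _ts, _client, name, ip = m.groups()
            resolved[ip] = name
            continue
        m = TCP_RE.match(line)
        if not m:
            continue                           # unknown record type, skip it
        _ts, _src, _sport, dst, dport = m.groups()
        port = int(dport)
        f = findings[dst]
        f["attempts"] += 1
        f["ports"].add(port)
        if dst not in resolved and not ipaddress.ip_address(dst).is_private:
            f["no_dns"] = True
        if port not in STANDARD_PORTS:
            f["nonstandard_port"] = True
    return {ip: f for ip, f in findings.items() if f["no_dns"] or f["nonstandard_port"]}


def report(log: str) -> List[str]:
    """Render the findings in the report's own wording, one line per finding."""
    lines = []
    for ip, f in sorted(analyse(log).items()):
        if f["no_dns"]:
            lines.append(f"TCP traffic detected without corresponding DNS query: {ip} "
                         f"({f['attempts']} attempts)")
        for port in sorted(p for p in f["ports"] if p not in STANDARD_PORTS):
            lines.append(f"TCP traffic on non-standard port: {ip}:{port}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The two findings are stronger together than apart: no DNS query was observed, so the sample carried the address as an IP literal, and 3778 is not a service port. Repeated attempts to the same socket, as the 46 entries in this report show, are the reconnect loop of a bot whose controller is not answering. On a real sensor, feed Zeek's conn and dns logs (or the equivalent) rather than this constructed format.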

    System Summary

All four memory dumps below cover the same r-x mapping 0x400000-0x412000, i.e. the in-memory (unpacked) image of the sample running in four processes (PIDs 5439, 5440, 5441, 5445); the 13 Elastic rules fire on each of them.

    Source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rules (Author: unknown): Linux_Trojan_Gafgyt_28a2fe0c, Linux_Trojan_Gafgyt_9e9530a7, Linux_Trojan_Gafgyt_807911a2, Linux_Trojan_Gafgyt_d4227dbf, Linux_Trojan_Gafgyt_d996d335, Linux_Trojan_Gafgyt_620087b9, Linux_Trojan_Gafgyt_0cd591cd, Linux_Trojan_Gafgyt_33b4111a, Linux_Trojan_Gafgyt_a33a8363, Linux_Trojan_Mirai_520deeb8, Linux_Trojan_Mirai_6a77af0f, Linux_Trojan_Mirai_01e4a728, Linux_Trojan_Mirai_e0cf29e2
    Source: 5440.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rules (Author: unknown): the same 13 rules
    Source: 5445.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rules (Author: unknown): the same 13 rules
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY  Matched rules (Author: unknown): the same 13 rules
    Source: Process Memory Space: Space.x86_64.elf PID: 5439, type: MEMORYSTR  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: Process Memory Space: Space.x86_64.elf PID: 5440, type: MEMORYSTR  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: Process Memory Space: Space.x86_64.elf PID: 5441, type: MEMORYSTR  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: Process Memory Space: Space.x86_64.elf PID: 5445, type: MEMORYSTR  Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: LOAD without section mappings  Program segment: 0x100000

Rule metadata, identical for every one of the four process dumps. Common to all 13 rules: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, last_modified = 2021-09-16.

    Linux_Trojan_Gafgyt_28a2fe0c: threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd
    Linux_Trojan_Gafgyt_9e9530a7: reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f
    Linux_Trojan_Gafgyt_807911a2: threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6
    Linux_Trojan_Gafgyt_d4227dbf: reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4
    Linux_Trojan_Gafgyt_d996d335: reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b
    Linux_Trojan_Gafgyt_620087b9: reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28
    Linux_Trojan_Gafgyt_0cd591cd: threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda
    Linux_Trojan_Gafgyt_33b4111a: reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5
    Linux_Trojan_Gafgyt_a33a8363: threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7
    Linux_Trojan_Mirai_520deeb8: threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471
    Linux_Trojan_Mirai_6a77af0f: threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0
    Linux_Trojan_Mirai_01e4a728: threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02
    Linux_Trojan_Mirai_e0cf29e2: threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246
    Source: 5445.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
    Source: 5445.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_520deeb8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f4dfd1d76e07ff875eedfe0ef4f861bee1e4d8e66d68385f602f29cc35e30cca, id = 520deeb8-cbc0-4225-8d23-adba5e040471, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_6a77af0f os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 4e436f509e7e732e3d0326bcbdde555bba0653213ddf31b43cfdfbe16abb0016, id = 6a77af0f-31fa-4793-82aa-10b065ba1ec0, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_01e4a728 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = d90477364982bdc6cd22079c245d866454475749f762620273091f2fab73c196, id = 01e4a728-7c1c-479b-aed0-cb76d64dbb02, last_modified = 2021-09-16
    Source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
    Source: Process Memory Space: Space.x86_64.elf PID: 5439, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: Process Memory Space: Space.x86_64.elf PID: 5440, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: Process Memory Space: Space.x86_64.elf PID: 5441, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: Process Memory Space: Space.x86_64.elf PID: 5445, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: classification engineClassification label: mal72.troj.evad.linELF@0/0@0/0

    Data Obfuscation

    Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /tmp/Space.x86_64.elf (PID: 5439) | File opened: /proc/<pid>/status, one finding per PID, in report order, for PIDs 5384, 3761, 230, 110, 231, 111, 232, 112, 233, 113, 234, 114, 235, 115, 236, 116, 237, 117, 238, 118, 239, 119, 3631, 914, 10, 917, 11, 12, 13, 14, 15, 16, 17, 18, 5279, 19, 240, 3095, 120, 241, 121, 242, 1, 122, 243, 2, 123, 244, 3, 124, 245, 1588, 125, 4, 246, 126, 5, 247, 127, 6, 248, 128, 7, 249, 129, 8, 800, 9, 1906, 802, 803, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 3420, 1482, 490, 1480, 250, 371, 130, 251, 131, 252, 132, 253, 254, 1238, 134, 255, 256, 257, 378, 3413, 258, 259, 1475, 936 (105 /proc/<pid>/status opens in total)
    Source: /usr/bin/dash (PID: 5425) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.pspRE6OOGo /tmp/tmp.yhSteEd987 /tmp/tmp.B8LXfgiwJK
    Source: /usr/bin/dash (PID: 5426) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.pspRE6OOGo /tmp/tmp.yhSteEd987 /tmp/tmp.B8LXfgiwJK
    Source: Space.x86_64.elf | Submission file: segment LOAD with 7.9612 entropy (max. 8.0)

    Stealing of Sensitive Information

    Source: Yara match | File source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: 5440.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: 5445.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Space.x86_64.elf PID: 5439, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: Space.x86_64.elf PID: 5440, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: Space.x86_64.elf PID: 5445, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: 5441.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: 5440.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: 5445.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: 5439.1.0000000000400000.0000000000412000.r-x.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Space.x86_64.elf PID: 5439, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: Space.x86_64.elf PID: 5440, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: Space.x86_64.elf PID: 5445, type: MEMORYSTR
    MITRE ATT&CK Matrix (one column per tactic; the two matrix rows are listed per tactic, first row then second row; the numeric badges that precede a technique in the original matrix are kept as they appear)

    Reconnaissance: Gather Victim Identity Information; Credentials
    Resource Development: Acquire Infrastructure; Domains
    Initial Access: Valid Accounts; Default Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job
    Persistence: Path Interception; Boot or Logon Initialization Scripts
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
    Defense Evasion: 11 Obfuscated Files or Information; 1 File Deletion
    Credential Access: 1 OS Credential Dumping; LSASS Memory
    Discovery: System Service Discovery; Application Window Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol
    Collection: Data from Local System; Data from Removable Media
    Command and Control: 1 Non-Standard Port; Junk Data
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
    Impact: Abuse Accessibility Features; Network Denial of Service
    No configs have been found
    Behavior Graph (graphic not recoverable; textual node content retained): Behavior Graph ID: 1575720; Sample: Space.x86_64.elf; Start date: 16/12/2024; Architecture: LINUX; Score: 72. Network node: 89.169.4.44, ports 3778, 48182, 48184, INF-NET-ASRU, Russian Federation. Signature nodes attached to the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; 2 other signatures. Process nodes: dash -> rm and Space.x86_64.elf (started); dash -> rm (started); the first Space.x86_64.elf instance starts three further Space.x86_64.elf instances; the first of those starts two more Space.x86_64.elf instances.
    Source | Detection | Scanner | Label | Link
    Space.x86_64.elf | 39% | ReversingLabs | Linux.Backdoor.Mirai |
    Space.x86_64.elf | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | Space.x86_64.elf | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    89.169.4.44 | unknown | Russian Federation | 31514 | INF-NET-ASRU | false
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
    89.169.4.44 | Space.x86.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | Space.arm.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | Space.sh4.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.ppc.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.arm.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.arm7.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.mips.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.x86.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.mpsl.elf | (not shown) | malicious | Mirai |
    89.169.4.44 | boatnet.spc.elf | (not shown) | malicious | Mirai |
                          No context
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
    INF-NET-ASRU | Space.x86.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | Space.arm.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | Space.sh4.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | jade.m68k.elf | (not shown) | malicious | Mirai | 89.169.156.74
    INF-NET-ASRU | https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg== | (not shown) | malicious | Unknown | 87.228.10.139
    INF-NET-ASRU | boatnet.ppc.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | boatnet.arm.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | boatnet.arm7.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | boatnet.mips.elf | (not shown) | malicious | Mirai | 89.169.4.44
    INF-NET-ASRU | boatnet.x86.elf | (not shown) | malicious | Mirai | 89.169.4.44
                          No context
                          No created / dropped files found
    File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
    Entropy (8bit): 7.959260263830477
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name: Space.x86_64.elf
    File size: 36'924 bytes
    MD5: f9cdbd1b6359b49143356cf79ac094ab
    SHA1: e3679e2b4c1e536529aa0e59b25a2d51314d6fa4
    SHA256: 821e40e9f4161f17ead134c4b3dd0c687176a3afa317ecf283bccb9d24dfee5f
    SHA512: 43e08f3009b19180aeae6e8d92101fdc10cc039cf81c6f108ccf1348d0862eb9ae4533becc68b1d6d5f964cc70255c704a2a33b545ed36173d5e9e30d51dae20
    SSDEEP: 768:nkjvsa/voIrDuWYZHmqtdE4lNlsqC9h0+oNYXlL+Bq+TaO9OsV723NZ4n38h7Ux6:uzHz5i5lbEDoNeCwCY43lMZv
    TLSH: 35F2E1EBD63FD8B6ED3B41B39964876472A1A0C7B80517F2095C537B8C6363D2844B92
                          File Content Preview:.ELF..............>......~......@...................@.8...@.....................................<.......<................................VQ......VQ.............................Q.td....................................................BGI.UPX!D.......P'..P'.

                          ELF header

    Class: ELF64
    Data: 2's complement, little endian
    Version: 1 (current)
    Machine: Advanced Micro Devices X86-64
    Version Number: 0x1
    Type: EXEC (Executable file)
    OS/ABI: UNIX - System V
    ABI Version: 0
    Entry Point Address: 0x107e00
    Flags: 0x0
    ELF Header Size: 64
    Program Header Offset: 64
    Program Header Size: 56
    Number of Program Headers: 3
    Section Header Offset: 0
    Section Header Size: 64
    Number of Section Headers: 0
    Header String Table Index: 0
    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x100000 | 0x100000 | 0x8f3c | 0x8f3c | 7.9612 | 0x5 | R E | 0x100000 | |
    LOAD | 0x6e8 | 0x5156e8 | 0x5156e8 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x1000 | |
    GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Dec 16, 2024 08:57:58.225020885 CET | 48182 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:58.345242023 CET | 3778 | 48182 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:57:58.345315933 CET | 48182 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:58.346550941 CET | 48182 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:58.466413021 CET | 3778 | 48182 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:57:58.466464043 CET | 48182 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:58.586251020 CET | 3778 | 48182 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:57:59.678077936 CET | 3778 | 48182 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:57:59.678448915 CET | 48182 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:59.678448915 CET | 48182 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:59.679263115 CET | 48184 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:59.799963951 CET | 3778 | 48184 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:57:59.800085068 CET | 48184 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:59.802627087 CET | 48184 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:57:59.922552109 CET | 3778 | 48184 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:57:59.922776937 CET | 48184 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:00.042686939 CET | 3778 | 48184 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:01.120785952 CET | 3778 | 48184 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:01.120965004 CET | 48184 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:01.121081114 CET | 48184 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:01.121670961 CET | 48186 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:01.241599083 CET | 3778 | 48186 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:01.241771936 CET | 48186 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:01.242918968 CET | 48186 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:01.362807989 CET | 3778 | 48186 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:01.362946987 CET | 48186 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:01.483036995 CET | 3778 | 48186 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:03.807540894 CET | 48188 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:03.927850008 CET | 3778 | 48188 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:03.927989006 CET | 48188 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:03.928975105 CET | 48188 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:04.048721075 CET | 3778 | 48188 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:04.049040079 CET | 48188 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:04.169329882 CET | 3778 | 48188 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:05.257425070 CET | 3778 | 48188 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:05.257592916 CET | 48188 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:05.257592916 CET | 48188 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:05.258519888 CET | 48190 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:05.378582001 CET | 3778 | 48190 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:05.378895044 CET | 48190 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:05.380050898 CET | 48190 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:05.499842882 CET | 3778 | 48190 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:05.499965906 CET | 48190 | 3778 | 192.168.2.13 | 89.169.4.44
    Dec 16, 2024 08:58:05.619859934 CET | 3778 | 48190 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:06.702800035 CET | 3778 | 48190 | 89.169.4.44 | 192.168.2.13
    Dec 16, 2024 08:58:06.703094006 CET | 48190 | 3778 | 192.168.2.13 | 89.169.4.44
                          Dec 16, 2024 08:58:06.703094959 CET481903778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:06.704545975 CET481923778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:06.824637890 CET37784819289.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:06.824784040 CET481923778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:06.826203108 CET481923778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:06.948420048 CET37784819289.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:06.948537111 CET481923778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:07.068422079 CET37784819289.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:08.146600962 CET37784819289.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:08.146971941 CET481923778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:08.146971941 CET481923778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:08.148196936 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:08.270118952 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:08.270289898 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:08.272118092 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:08.392007113 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:08.392260075 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:08.513345957 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:11.251913071 CET481863778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:11.372355938 CET37784818689.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:11.686817884 CET37784818689.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:11.687016964 CET481863778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:18.282296896 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:58:18.402638912 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:18.716177940 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:58:18.716403008 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:59:11.738882065 CET481863778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:59:11.859405994 CET37784818689.169.4.44192.168.2.13
                          Dec 16, 2024 08:59:12.173803091 CET37784818689.169.4.44192.168.2.13
                          Dec 16, 2024 08:59:12.174145937 CET481863778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:59:18.765988111 CET481943778192.168.2.1389.169.4.44
                          Dec 16, 2024 08:59:18.886843920 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:59:19.200982094 CET37784819489.169.4.44192.168.2.13
                          Dec 16, 2024 08:59:19.201378107 CET481943778192.168.2.1389.169.4.44

System Behavior

Start time (UTC): 07:57:48
Start date (UTC): 16/12/2024
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 07:57:48
Start date (UTC): 16/12/2024
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.pspRE6OOGo /tmp/tmp.yhSteEd987 /tmp/tmp.B8LXfgiwJK
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 07:57:48
Start date (UTC): 16/12/2024
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 07:57:48
Start date (UTC): 16/12/2024
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.pspRE6OOGo /tmp/tmp.yhSteEd987 /tmp/tmp.B8LXfgiwJK
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 07:57:57
Start date (UTC): 16/12/2024
Path: /tmp/Space.x86_64.elf
Arguments: /tmp/Space.x86_64.elf
File size: 36924 bytes
MD5 hash: f9cdbd1b6359b49143356cf79ac094ab

Start time (UTC): 07:57:57
Start date (UTC): 16/12/2024
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 36924 bytes
MD5 hash: f9cdbd1b6359b49143356cf79ac094ab

Start time (UTC): 07:57:57
Start date (UTC): 16/12/2024
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 36924 bytes
MD5 hash: f9cdbd1b6359b49143356cf79ac094ab

Start time (UTC): 07:57:57
Start date (UTC): 16/12/2024
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 36924 bytes
MD5 hash: f9cdbd1b6359b49143356cf79ac094ab

Start time (UTC): 07:58:03
Start date (UTC): 16/12/2024
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 36924 bytes
MD5 hash: f9cdbd1b6359b49143356cf79ac094ab

Start time (UTC): 07:58:03
Start date (UTC): 16/12/2024
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 36924 bytes
MD5 hash: f9cdbd1b6359b49143356cf79ac094ab