Edit tour

Linux Analysis Report
Space.mpsl.elf

Overview

General Information

Sample name:	Space.mpsl.elf
Analysis ID:	1575726
MD5:	1117e2c5a98d68c484fd112dab8f93c6
SHA1:	752445f32f9bc8387d51c38a6c91f9b7ad67cdf6
SHA256:	083aba1f74c9302697ab2c7442799b4bb7f0cd77d4fc8310f2460a9c087f3704
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575726
Start date and time:	2024-12-16 09:05:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.mpsl.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.mpsl.elf
PID:	5572
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.mpsl.elf (PID: 5572, Parent: 5498, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/Space.mpsl.elf

Space.mpsl.elf New Fork (PID: 5574, Parent: 5572)

Space.mpsl.elf New Fork (PID: 5576, Parent: 5574)

Space.mpsl.elf New Fork (PID: 5578, Parent: 5574)

Space.mpsl.elf New Fork (PID: 5584, Parent: 5572)

Space.mpsl.elf New Fork (PID: 5586, Parent: 5572)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5576.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5576.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5572.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5572.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5584.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5584.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5574.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5574.1.00007f47a4400000.00007f47a4418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5572	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mpsl.elf PID: 5572	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x307:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x31b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x32f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x343:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x357:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x36b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x37f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x393:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x40b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x41f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x433:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x447:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x45b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5574	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mpsl.elf PID: 5574	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xa6a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa6ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa6ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa6e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa6f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa70a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa71e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa732:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa746:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa75a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa76e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa782:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa796:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7aa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7be:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7d2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7e6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7fa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa80e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa822:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa836:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5576	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mpsl.elf PID: 5576	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xb16:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb52:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb66:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb7a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb8e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xba2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbb6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbca:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbde:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbf2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc06:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc1a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc2e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc42:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc56:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc7e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc92:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5584	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.mpsl.elf PID: 5584	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x49fa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4aae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ac2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ad6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4aea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4afe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b12:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b26:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b3a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b4e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b62:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b76:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b8a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Space.mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Space.mpsl.elf	Virustotal: Detection: 41%			Perma Link
Source: Space.mpsl.elf	ReversingLabs: Detection: 42%

Source: global traffic

TCP traffic: 192.168.2.15:57084 -> 89.169.4.44:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44
Source: unknown	TCP traffic detected without corresponding DNS query: 89.169.4.44

Source: Space.mpsl.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5576.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5572.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5584.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5574.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5572, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5574, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5576, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5584, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5576.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5572.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5584.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5574.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5572, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5574, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5576, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5584, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1333/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1695/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/911/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1591/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1585/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/804/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3407/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1484/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/133/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1479/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/931/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1595/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/812/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/933/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3898/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3419/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3310/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/262/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/142/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/263/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/264/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/265/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/145/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/266/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/267/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/268/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3303/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/269/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1486/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/1806/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3681/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5572)	File opened: /proc/3683/status	Jump to behavior

Source: Space.mpsl.elf

Submission file: segment LOAD with 7.9319 entropy (max. 8.0)

Source: /tmp/Space.mpsl.elf (PID: 5572)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.mpsl.elf, 5572.1.0000557d817c8000.0000557d8186f000.rw-.sdmp, Space.mpsl.elf, 5574.1.0000557d817c8000.0000557d8186f000.rw-.sdmp, Space.mpsl.elf, 5576.1.0000557d817c8000.0000557d8186f000.rw-.sdmp, Space.mpsl.elf, 5584.1.0000557d817c8000.0000557d8186f000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: Space.mpsl.elf, 5572.1.0000557d817c8000.0000557d8186f000.rw-.sdmp, Space.mpsl.elf, 5574.1.0000557d817c8000.0000557d8186f000.rw-.sdmp, Space.mpsl.elf, 5576.1.0000557d817c8000.0000557d8186f000.rw-.sdmp, Space.mpsl.elf, 5584.1.0000557d817c8000.0000557d8186f000.rw-.sdmp	Binary or memory string: }U!/etc/qemu-binfmt/mipsel
Source: Space.mpsl.elf, 5572.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp, Space.mpsl.elf, 5574.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp, Space.mpsl.elf, 5576.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp, Space.mpsl.elf, 5584.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/Space.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.mpsl.elf
Source: Space.mpsl.elf, 5572.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp, Space.mpsl.elf, 5574.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp, Space.mpsl.elf, 5576.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp, Space.mpsl.elf, 5584.1.00007fff82b92000.00007fff82bb3000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5576.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5572.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5584.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5574.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5574, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5584, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5576.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5572.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5584.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5574.1.00007f47a4400000.00007f47a4418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5574, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.mpsl.elf PID: 5584, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.mpsl.elf	41%	Virustotal		Browse
Space.mpsl.elf	42%	ReversingLabs	Linux.Trojan.Mirai
Space.mpsl.elf	100%	Avira	EXP/ELF.Agent.M.28

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.mpsl.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.169.4.44	unknown	Russian Federation		31514	INF-NET-ASRU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
89.169.4.44	Space.ppc.elf	Get hash	malicious	Mirai	Browse
	Space.arm7.elf	Get hash	malicious	Mirai	Browse
	Space.i686.elf	Get hash	malicious	Mirai	Browse
	Space.m68k.elf	Get hash	malicious	Mirai	Browse
	Space.spc.elf	Get hash	malicious	Mirai	Browse
	Space.x86_64.elf	Get hash	malicious	Mirai	Browse
	Space.mips.elf	Get hash	malicious	Mirai	Browse
	Space.x86.elf	Get hash	malicious	Mirai	Browse
	Space.arm.elf	Get hash	malicious	Mirai	Browse
	Space.sh4.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INF-NET-ASRU	Space.ppc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.arm7.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.i686.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.m68k.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.spc.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.x86_64.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.mips.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.x86.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.arm.elf	Get hash	malicious	Mirai	Browse	89.169.4.44
	Space.sh4.elf	Get hash	malicious	Mirai	Browse	89.169.4.44

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.929048164795821
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Space.mpsl.elf
File size:	38'648 bytes
MD5:	1117e2c5a98d68c484fd112dab8f93c6
SHA1:	752445f32f9bc8387d51c38a6c91f9b7ad67cdf6
SHA256:	083aba1f74c9302697ab2c7442799b4bb7f0cd77d4fc8310f2460a9c087f3704
SHA512:	f72812645a532dfe4984e1de484eaa0e1819ff0d29570ce6594a175a865dad0365740d1004578e06803ab217960be3debfa604cbf04f0144239068e4685c62ab
SSDEEP:	768:5hpGLq2YEQh5q10MxYWt/y/1tgPUcDp+Rl5DQBXWr:HpD2Ynjq10Qt/U89wRl50s
TLSH:	6F03E1D865D22458CF9D0CF594BE06F20E9060DCBA716BCC372E1CCC6B6259BBA5D478
File Content Preview:	.ELF........................4...........4. ...(.........................................`...`.E.`.E...................z,UPX!`.......D...D.......U..........?.E.h;....#......b.L#37&u..sO..v....... .....4.}..-.....h!..aV..*...7.B'1V..a..u..Lw...}............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x108288
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x95c5	0x95c5	7.9319	0x5	R E	0x10000
LOAD	0xaf60	0x45af60	0x45af60	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 09:06:05.931610107 CET	57084	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:06.051593065 CET	3778	57084	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:06.051731110 CET	57084	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:06.348265886 CET	57084	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:06.468091011 CET	3778	57084	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:06.468172073 CET	57084	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:06.588085890 CET	3778	57084	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:07.372541904 CET	3778	57084	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:07.372634888 CET	57084	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:07.372836113 CET	57084	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:07.374423981 CET	57086	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:07.494263887 CET	3778	57086	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:07.494477034 CET	57086	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:07.496170998 CET	57086	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:07.615958929 CET	3778	57086	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:07.616183996 CET	57086	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:07.735989094 CET	3778	57086	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:08.814804077 CET	3778	57086	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:08.814913988 CET	57086	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:08.814979076 CET	57086	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:08.815561056 CET	57088	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:08.935353994 CET	3778	57088	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:08.935509920 CET	57088	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:08.936837912 CET	57088	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:09.056554079 CET	3778	57088	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:09.056669950 CET	57088	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:09.176436901 CET	3778	57088	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:10.259656906 CET	3778	57088	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:10.259818077 CET	57088	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:10.260011911 CET	57088	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:10.260943890 CET	57090	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:10.380758047 CET	3778	57090	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:10.380887985 CET	57090	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:10.382559061 CET	57090	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:10.503734112 CET	3778	57090	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:10.503915071 CET	57090	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:10.717256069 CET	3778	57090	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:11.725670099 CET	3778	57090	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:11.725833893 CET	57090	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:11.725914001 CET	57090	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:11.729311943 CET	57092	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:11.849173069 CET	3778	57092	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:11.849358082 CET	57092	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:11.850866079 CET	57092	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:11.970617056 CET	3778	57092	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:11.970793009 CET	57092	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:12.090606928 CET	3778	57092	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:12.459513903 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:12.579340935 CET	3778	57094	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:12.579408884 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.178101063 CET	3778	57092	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:13.178236961 CET	57092	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.178276062 CET	57092	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.180002928 CET	57096	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.299772024 CET	3778	57096	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:13.300121069 CET	57096	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.301713943 CET	57096	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.421432972 CET	3778	57096	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:13.421653032 CET	57096	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.484555006 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.541492939 CET	3778	57096	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:13.604516983 CET	3778	57094	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:13.604693890 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.607049942 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.727479935 CET	3778	57094	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:13.727621078 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:13.847676992 CET	3778	57094	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:14.621366024 CET	3778	57096	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:14.621541977 CET	57096	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.621680975 CET	57096	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.622452974 CET	57098	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.742204905 CET	3778	57098	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:14.742377996 CET	57098	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.743546963 CET	57098	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.863378048 CET	3778	57098	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:14.863581896 CET	57098	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.924346924 CET	3778	57094	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:14.924606085 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.925132990 CET	57094	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.925864935 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:14.983448982 CET	3778	57098	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:15.045634985 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:15.045799017 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:15.047039986 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:15.166846037 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:15.166950941 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:15.286984921 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:16.064188004 CET	3778	57098	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:16.064449072 CET	57098	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:16.064568996 CET	57098	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:16.065537930 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:16.185318947 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:16.185463905 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:17.068444967 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:17.188193083 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:17.188312054 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:17.189985991 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:17.309878111 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:17.310055017 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:17.430010080 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:25.056968927 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:25.177706003 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:25.492221117 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:25.492336988 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:27.199738026 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:06:27.319833040 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:27.635308027 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:06:27.635663033 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:07:25.546580076 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:07:25.666418076 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:07:25.981652975 CET	3778	57100	89.169.4.44	192.168.2.15
Dec 16, 2024 09:07:25.981901884 CET	57100	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:07:27.690443039 CET	57102	3778	192.168.2.15	89.169.4.44
Dec 16, 2024 09:07:27.811428070 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:07:28.126307964 CET	3778	57102	89.169.4.44	192.168.2.15
Dec 16, 2024 09:07:28.126521111 CET	57102	3778	192.168.2.15	89.169.4.44

System Behavior

Analysis Process: Space.mpsl.elf PID: 5572, Parent PID: 5498

General

Start time (UTC):	08:06:04
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	/tmp/Space.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5574, Parent PID: 5572

General

Start time (UTC):	08:06:04
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5576, Parent PID: 5574

General

Start time (UTC):	08:06:04
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5578, Parent PID: 5574

General

Start time (UTC):	08:06:04
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5584, Parent PID: 5572

General

Start time (UTC):	08:06:11
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5586, Parent PID: 5572

General

Start time (UTC):	08:06:11
Start date (UTC):	16/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.mpsl.elf PID: 5572, Parent PID: 5498

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5574, Parent PID: 5572

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5576, Parent PID: 5574

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5578, Parent PID: 5574

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5584, Parent PID: 5572

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5586, Parent PID: 5572

General

Chronological Activities

Linux Analysis Report
Space.mpsl.elf