Linux Analysis Report
mpsl.elf

Overview

General Information

Sample name:mpsl.elf
Analysis ID:1576193
MD5:1dafc755ceb8eba5c70513bffc6ac9a9
SHA1:3f202a5878fe0d286f79c5f4471a8525f344c01f
SHA256:10084a0715871913a09e36582b30af85a459e0e99190307a42ed93c7e6475527
Tags:elf, user-abuse_ch

Detection

Mirai
Score:56
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1576193
Start date and time:2024-12-16 16:18:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:mpsl.elf
Detection:MAL
Classification:mal56.troj.linELF@0/0@0/0
  • VT rate limit hit for: mpsl.elf
Command:/tmp/mpsl.elf
PID:6218
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Infected
Standard Error:
  • system is lnxubuntu20
  • mpsl.elf (PID: 6218, Parent: 6135, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mpsl.elf
    • mpsl.elf New Fork (PID: 6220, Parent: 6218)
      • mpsl.elf New Fork (PID: 6226, Parent: 6220)
        • mpsl.elf New Fork (PID: 6229, Parent: 6226)
  • cleanup

The MD5 recorded for PID 6218 (0d6f61f8...) is not the submitted sample's (1dafc755...). The sample is a MIPS binary and the guest is x64; the memory strings later in the report show it being started through /usr/bin/qemu-mipsel, so the hashed process image is presumably the user-mode emulator rather than mpsl.elf. Treat the process-tree hash accordingly when pivoting on it.
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara matches (Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security)
  • Source: mpsl.elf (submitted sample)
  • Source: 6220.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp (process memory, PID 6220)
  • Source: 6218.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp (process memory, PID 6218)
  • Source: 6226.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp (process memory, PID 6226)
No Suricata rule has matched

AV Detection

Source: mpsl.elf | ReversingLabs: Detection: 39%

Evidence for the remaining signatures (networking, static and system findings)

Source: global traffic | TCP traffic: 192.168.2.23:40260 -> 85.239.34.134:6666
Source: /tmp/mpsl.elf (PID: 6218) | Socket: 0.0.0.0:1210
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query, 50 entries: 85.239.34.134 (42), 91.189.91.42 (3), 91.189.91.43 (3), 109.202.202.202 (2)
Source: mpsl.elf | String found in binary or memory: http://fast.no/support/crawler.asp)
Source: mpsl.elf | String found in binary or memory: http://feedback.redkolibri.com/
Source: mpsl.elf | String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: mpsl.elf | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: mpsl.elf | String found in binary or memory: http://www.billybobbot.com/crawler/)
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

Reading the network evidence: only 85.239.34.134:6666 is attributable to the sample. The IP and ASN context tables later in the report tie 91.189.91.42 and 91.189.91.43 (CANONICAL-ASGB) and 109.202.202.202 (INIT7CH, ch.archive.ubuntu.com) to Ubuntu package-mirror traffic generated by the analysis VM itself, which is also why the same three hosts appear in the context of unrelated Linux samples. The two "HTTP traffic on port 443" rows (local ports 43928 and 42836, i.e. the two Canonical connections) and the "HTTP servers are down" signature therefore most likely describe that background traffic rather than the bot. The port 6666 connection did receive a packet back from the peer (see the TCP timeline at the end of the report), so the C2 port was at least reachable during the run. The five http:// strings end in ")" and are the tails of crawler User-Agent strings of the "(+http://...)" form, not addresses the sample contacted; the URL table below accordingly rates them non-malicious.

Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal56.troj.linELF@0/0@0/0
Source: /tmp/mpsl.elf (PID: 6218) | Queries kernel information via 'uname'
Source: mpsl.elf, 6218.1.0000562e1d300000.0000562e1d387000.rw-.sdmp, mpsl.elf, 6220.1.0000562e1d300000.0000562e1d387000.rw-.sdmp, mpsl.elf, 6226.1.0000562e1d300000.0000562e1d387000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mpsl.elf, 6218.1.0000562e1d300000.0000562e1d387000.rw-.sdmp, mpsl.elf, 6220.1.0000562e1d300000.0000562e1d387000.rw-.sdmp, mpsl.elf, 6226.1.0000562e1d300000.0000562e1d387000.rw-.sdmp | Binary or memory string: .V!/etc/qemu-binfmt/mipsel
Source: mpsl.elf, 6218.1.00007ffdb3fcd000.00007ffdb3fee000.rw-.sdmp, mpsl.elf, 6220.1.00007ffdb3fcd000.00007ffdb3fee000.rw-.sdmp, mpsl.elf, 6226.1.00007ffdb3fcd000.00007ffdb3fee000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mpsl.elf
Source: mpsl.elf, 6218.1.00007ffdb3fcd000.00007ffdb3fee000.rw-.sdmp, mpsl.elf, 6220.1.00007ffdb3fcd000.00007ffdb3fee000.rw-.sdmp, mpsl.elf, 6226.1.00007ffdb3fcd000.00007ffdb3fee000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel

The qemu-binfmt/mipsel and /usr/bin/qemu-mipsel strings and the x86_64 environment block are artefacts of the analysis setup, not indicators of the sample: the binary is MIPS, the guest is x64, and binfmt_misc handed execution to the user-mode QEMU emulator, whose process memory these dumps come from. The sample also ran as root under sudo in this run, which is more privilege than it would normally get on a real device.

          Stealing of Sensitive Information

Source: Yara match | File source: mpsl.elf, type: SAMPLE
Source: Yara match | File source: 6220.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6218.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6226.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp, type: MEMORY
Source: Initial sample | User agent strings found (32):
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
  • Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
  • Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
  • Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
  • Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
  • Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  • Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
  • Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  • Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
  • Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
  • Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
  • Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
  • Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
  • Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
  • Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
  • Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
  • Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
  • Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
  • Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
  • Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

          Remote Access Functionality

Source: Yara match | File source: mpsl.elf, type: SAMPLE
Source: Yara match | File source: 6220.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6218.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6226.1.00007fc6a0400000.00007fc6a041a000.r-x.sdmp, type: MEMORY
MITRE ATT&CK matrix (the graphic was flattened by extraction; only the cells the report marked with a signature count carry information):
  • Discovery: Security Software Discovery
  • Command and Control: Data Obfuscation, Encrypted Channel, Non-Standard Port, Application Layer Protocol
The other cells in the flattened text (Valid Accounts, Path Interception, OS Credential Dumping, Network Denial of Service and so on) are the matrix's default technique headings, not matches.
          No configs have been found
Behavior Graph (ID: 1576193, Sample: mpsl.elf, Startdate: 16/12/2024, Architecture: LINUX, Score: 56), flattened from the graphic:
  • Process chain: mpsl.elf started mpsl.elf, which started mpsl.elf, which started mpsl.elf (four nested processes)
  • 85.239.34.134 (40260, 40262, 40264) RAINBOW-HKRainbownetworklimitedHK, Russian Federation
  • 109.202.202.202 (80) INIT7CH, Switzerland
  • 2 other IPs or domains
  • Signatures attached to the root process: Multi AV Scanner detection for submitted file; Yara detected Mirai
Source: mpsl.elf | Detection: 39% | Scanner: ReversingLabs | Label: Linux.Trojan.Mirai
No Antivirus matches in the remaining scanner tables
          No contacted domains info
Name                                      Source    Malicious  Antivirus Detection  Reputation
http://www.baidu.com/search/spider.html)  mpsl.elf  false                           high
http://www.billybobbot.com/crawler/)      mpsl.elf  false                           high
http://fast.no/support/crawler.asp)       mpsl.elf  false                           high
http://feedback.redkolibri.com/           mpsl.elf  false                           high
http://www.baidu.com/search/spider.htm)   mpsl.elf  false                           high

IP               Domain   Country             ASN     ASN Name                           Malicious
85.239.34.134    unknown  Russian Federation  134121  RAINBOW-HKRainbownetworklimitedHK  false
109.202.202.202  unknown  Switzerland         13030   INIT7CH                            false
91.189.91.43     unknown  United Kingdom      41231   CANONICAL-ASGB                     false
91.189.91.42     unknown  United Kingdom      41231   CANONICAL-ASGB                     false
Context: other samples in the Joe Sandbox corpus that contacted the same IPs (Associated Sample Name, Detection, Threat Name)

85.239.34.134:
  • arm5.elf, malicious, Mirai
  • arm5.elf, malicious, Mirai
  • m68k.elf, malicious, Unknown
  • x86.elf, malicious, Unknown
  • arm.elf, malicious, Unknown
  • mpsl.elf, malicious, Unknown
  • spc.elf, malicious, Unknown
  • m68k.elf, malicious, Unknown
  • mips.elf, malicious, Unknown
  • arm.elf, malicious, Unknown
109.202.202.202:
  • kpLwzBouH4.elf, malicious, Unknown; context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43:
  • arm5.elf, malicious, Mirai
  • arm5.elf, malicious, Mirai
  • zmap.arm7.elf, malicious, Mirai, Okiru
  • skid.mips.elf, malicious, Unknown
  • arm.elf, malicious, Unknown
  • zmap.m68k.elf, malicious, Mirai, Okiru
  • zmap.arm5.elf, malicious, Okiru
  • zmap.spc.elf, malicious, Mirai, Okiru
  • main_m68k.elf, malicious, Mirai
  • main_sh4.elf, malicious, Mirai
91.189.91.42: no context

Context: other samples seen in the same ASNs (Associated Sample Name, Detection, Threat Name, IP)

RAINBOW-HKRainbownetworklimitedHK:
  • the same ten samples listed above for 85.239.34.134, all via 85.239.34.134
CANONICAL-ASGB:
  • zmap.x86.elf, malicious, Okiru, 185.125.190.26
  • arm5.elf, malicious, Mirai, 91.189.91.42
  • arm5.elf, malicious, Mirai, 91.189.91.42
  • zmap.arm7.elf, malicious, Mirai, Okiru, 91.189.91.42
  • skid.mips.elf, malicious, Unknown, 91.189.91.42
  • arm.elf, malicious, Unknown, 91.189.91.42
  • zmap.arm6.elf, malicious, Mirai, Okiru, 185.125.190.26
  • zmap.m68k.elf, malicious, Mirai, Okiru, 91.189.91.42
  • zmap.arm5.elf, malicious, Okiru, 91.189.91.42
  • zmap.spc.elf, malicious, Mirai, Okiru, 91.189.91.42
INIT7CH:
  • arm5.elf, malicious, Mirai, 109.202.202.202
  • arm5.elf, malicious, Mirai, 109.202.202.202
  • zmap.arm7.elf, malicious, Mirai, Okiru, 109.202.202.202
  • skid.mips.elf, malicious, Unknown, 109.202.202.202
  • arm.elf, malicious, Unknown, 109.202.202.202
  • zmap.m68k.elf, malicious, Mirai, Okiru, 109.202.202.202
  • zmap.arm5.elf, malicious, Okiru, 109.202.202.202
  • zmap.spc.elf, malicious, Mirai, Okiru, 109.202.202.202
  • main_m68k.elf, malicious, Mirai, 109.202.202.202
  • main_sh4.elf, malicious, Mirai, 109.202.202.202
No other context available

How to read these tables: the samples grouped under 91.189.91.43, 109.202.202.202, CANONICAL-ASGB and INIT7CH have nothing in common with this one beyond having been detonated in the same sandbox image, which fetches Ubuntu packages from those mirrors (the firefox .deb context entry makes that explicit). The 85.239.34.134 / RAINBOW-HK group is the genuinely related set: ten ELF builds for other architectures (arm, arm5, m68k, x86, spc, mips, mpsl) that contacted the same host, which is what a multi-architecture Mirai-family deployment looks like.
                                                            No created / dropped files found
                                                            File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                                                            Entropy (8bit):5.75826314138177
                                                            TrID:
                                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                            File name:mpsl.elf
                                                            File size:106'312 bytes
                                                            MD5:1dafc755ceb8eba5c70513bffc6ac9a9
                                                            SHA1:3f202a5878fe0d286f79c5f4471a8525f344c01f
                                                            SHA256:10084a0715871913a09e36582b30af85a459e0e99190307a42ed93c7e6475527
                                                            SHA512:b223b0556f30b5ce346764de9481452f188d38e67f225c555fdeacafc6be22ba3af5ef7e802867996cf9513c1cc8895f3b7f5c7b1444dc5ca5fa98d88f840b8a
                                                            SSDEEP:1536:F0loagGKYkbBKKGusRRHjjVNpqDGx5MAH5hmE:DKOBKKaH3VNp7x5hm
                                                            TLSH:BCA32B07AF910EBBCC6FCD330256065A25CC865722967B7A7178CC28FA4E64B4BD3D94
                                                            File Content Preview:.ELF......................@.4...........4. ...(...............@...@...........................A...A.....P|....................A...A.................Q.td...............................<.%.'!......'.......................<.$.'!.............9'.. ............

                                                            ELF header

                                                            Class:ELF32
                                                            Data:2's complement, little endian
                                                            Version:1 (current)
                                                            Machine:MIPS R3000
                                                            Version Number:0x1
                                                            Type:EXEC (Executable file)
                                                            OS/ABI:UNIX - System V
                                                            ABI Version:0
                                                            Entry Point Address:0x400290
                                                            Flags:0x1007
                                                            ELF Header Size:52
                                                            Program Header Offset:52
                                                            Program Header Size:32
                                                            Number of Program Headers:4
                                                            Section Header Offset:105632
                                                            Section Header Size:40
                                                            Number of Section Headers:17
                                                            Header String Table Index:16
Name           Type      Address   Offset   Size     EntSize  Flags       Flags Description  Link  Info  Align
               NULL      0x0       0x0      0x0      0x0      0x0                            0     0     0
.init          PROGBITS  0x4000b4  0xb4     0x8c     0x0      0x6         AX                 0     0     4
.text          PROGBITS  0x400140  0x140    0x15c30  0x0      0x6         AX                 0     0     16
.fini          PROGBITS  0x415d70  0x15d70  0x5c     0x0      0x6         AX                 0     0     4
.rodata        PROGBITS  0x415dd0  0x15dd0  0x34d0   0x0      0x2         A                  0     0     16
.eh_frame      PROGBITS  0x41a2a0  0x192a0  0x44     0x0      0x3         WA                 0     0     4
.tbss          NOBITS    0x41a2e4  0x192e4  0x8      0x0      0x403       WAT                0     0     4
.ctors         PROGBITS  0x41a2e4  0x192e4  0x8      0x0      0x3         WA                 0     0     4
.dtors         PROGBITS  0x41a2ec  0x192ec  0x8      0x0      0x3         WA                 0     0     4
.jcr           PROGBITS  0x41a2f4  0x192f4  0x4      0x0      0x3         WA                 0     0     4
.data.rel.ro   PROGBITS  0x41a2f8  0x192f8  0x38     0x0      0x3         WA                 0     0     4
.data          PROGBITS  0x41a330  0x19330  0x298    0x0      0x3         WA                 0     0     16
.got           PROGBITS  0x41a5d0  0x195d0  0x654    0x4      0x10000003  WAp                0     0     16
.sbss          NOBITS    0x41ac24  0x19c24  0x50     0x0      0x10000003  WAp                0     0     4
.bss           NOBITS    0x41ac80  0x19c24  0x7270   0x0      0x3         WA                 0     0     16
.mdebug.abi32  PROGBITS  0xd38     0x19c24  0x0      0x0      0x0                            0     0     1
.shstrtab      STRTAB    0x0       0x19c24  0x79     0x0      0x0                            0     0     1
Type      | Offset  | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align  | Prog Interpreter | Section Mappings
LOAD      | 0x0     | 0x400000        | 0x400000         | 0x192a0   | 0x192a0     | 5.7845  | 0x5   | R E               | 0x1000 |                  | .init .text .fini .rodata
LOAD      | 0x192a0 | 0x41a2a0        | 0x41a2a0         | 0x984     | 0x7c50      | 4.1451  | 0x6   | RW                | 0x1000 |                  | .eh_frame .tbss .ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
TLS       | 0x192e4 | 0x41a2e4        | 0x41a2e4         | 0x0       | 0x8         | 0.0000  | 0x4   | R                 | 0x4    |                  | .tbss
GNU_STACK | 0x0     | 0x0             | 0x0              | 0x0       | 0x0         | 0.0000  | 0x7   | RWE               | 0x4    |                  |
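The program header table above can be read back with a few lines of struct unpacking, and doing so surfaces the two points a reviewer cares about: the PT_GNU_STACK entry carries flags 0x7 (RWE), so the kernel maps this process's stack executable, and the writable LOAD segment's memory size exceeds its file size by the zero-filled .sbss/.bss tail. The following is an added example and not part of the Joe Sandbox report. It builds a constructed ELF32 little-endian MIPS image containing only the header and program header values shown above (the entry point 0x400140 and the ET_EXEC file type are assumptions, since this excerpt does not show them), parses it, and reports those checks; the same parser works on a real file read from disk.

```python
import struct

# Program header constants from the ELF specification (elf.h).
PT_LOAD, PT_TLS, PT_GNU_STACK = 1, 7, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EM_MIPS = 8
PT_NAMES = {PT_LOAD: "LOAD", PT_TLS: "TLS", PT_GNU_STACK: "GNU_STACK"}

EHDR_FMT = "HHIIIIIHHHHHH"   # Elf32_Ehdr after the 16-byte e_ident
EHDR_FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
               "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")


def flags_str(p_flags):
    """Render p_flags as the letters the report uses (R, W, E)."""
    return "".join(ch for ch, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)) if p_flags & bit)


def parse_elf32(data):
    """Parse an ELF32 header and its program header table; returns (header dict, list of phdr dicts)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 1:
        raise ValueError("only ELFCLASS32 is handled here")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, as in the 'mpsl' build
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(endian + EHDR_FMT, data, 16)))
    if hdr["phentsize"] != 32:
        raise ValueError("unexpected Elf32_Phdr size %d" % hdr["phentsize"])
    phdrs = []
    for i in range(hdr["phnum"]):
        vals = struct.unpack_from(endian + "8I", data, hdr["phoff"] + i * 32)
        phdrs.append(dict(zip(PHDR_FIELDS, vals)))
    return hdr, phdrs


def executable_stack(phdrs):
    """Linux gives the process an executable stack when PT_GNU_STACK is absent or carries PF_X."""
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    return not stack or bool(stack[0]["flags"] & PF_X)


def wx_segments(phdrs):
    """LOAD segments mapped both writable and executable (none in this sample)."""
    return [p for p in phdrs if p["type"] == PT_LOAD and p["flags"] & PF_W and p["flags"] & PF_X]


def bss_bytes(phdrs):
    """Zero-filled tail of the writable LOAD segment: memsz - filesz."""
    return sum(p["memsz"] - p["filesz"] for p in phdrs if p["type"] == PT_LOAD and p["flags"] & PF_W)


def build_sample():
    """Constructed image: header values and the four program headers from the report above.
    e_entry (0x400140) and e_type (ET_EXEC) are assumptions; no code bytes are included."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7      # class32, LSB, version 1
    # e_flags 0x1007 on MIPS: o32 ABI (0x1000) | CPIC | PIC | NOREORDER
    ehdr = ident + struct.pack("<" + EHDR_FMT, 2, EM_MIPS, 1, 0x400140,
                               52, 105632, 0x1007, 52, 32, 4, 40, 17, 16)
    rows = [
        (PT_LOAD,      0x0,     0x400000, 0x400000, 0x192a0, 0x192a0, PF_R | PF_X,        0x1000),
        (PT_LOAD,      0x192a0, 0x41a2a0, 0x41a2a0, 0x984,   0x7c50,  PF_R | PF_W,        0x1000),
        (PT_TLS,       0x192e4, 0x41a2e4, 0x41a2e4, 0x0,     0x8,     PF_R,               0x4),
        (PT_GNU_STACK, 0x0,     0x0,      0x0,      0x0,     0x0,     PF_R | PF_W | PF_X, 0x4),
    ]
    return ehdr + b"".join(struct.pack("<8I", *r) for r in rows)


if __name__ == "__main__":
    hdr, phdrs = parse_elf32(build_sample())
    print("e_machine=%d e_flags=0x%x phnum=%d" % (hdr["machine"], hdr["flags"], hdr["phnum"]))
    for p in phdrs:
        print("%-10s vaddr=0x%06x filesz=0x%05x memsz=0x%05x %s" % (
            PT_NAMES.get(p["type"], hex(p["type"])), p["vaddr"], p["filesz"], p["memsz"], flags_str(p["flags"])))
    print("executable stack:", executable_stack(phdrs), "| W+X LOAD segments:", len(wx_segments(phdrs)))
```

To run it against the real sample, replace `build_sample()` with `open("mpsl.elf", "rb").read()`; the parser only touches the first 52 bytes plus the program header table, so a truncated download still parses as long as the headers are present.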
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 16:18:50.610351086 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Dec 16, 2024 16:18:50.639286041 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:50.759011030 CET | 6666 | 40260 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:18:50.759066105 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:51.666348934 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:51.786390066 CET | 6666 | 40260 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:18:51.786675930 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:51.786986113 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:51.907083035 CET | 6666 | 40260 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:18:52.937891960 CET | 6666 | 40260 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:18:52.937907934 CET | 6666 | 40260 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:18:52.938302994 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:52.938457012 CET | 40260 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:18:53.058763981 CET | 6666 | 40260 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:18:55.985614061 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Dec 16, 2024 16:18:57.777563095 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Dec 16, 2024 16:19:01.946197033 CET | 40262 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:02.065968037 CET | 6666 | 40262 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:02.066487074 CET | 40262 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:02.067095041 CET | 40262 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:02.186716080 CET | 6666 | 40262 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:03.236169100 CET | 6666 | 40262 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:03.236295938 CET | 6666 | 40262 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:03.236443043 CET | 40262 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:03.236613035 CET | 40262 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:03.356484890 CET | 6666 | 40262 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:11.600250959 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Dec 16, 2024 16:19:12.244069099 CET | 40264 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:12.367491961 CET | 6666 | 40264 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:12.367630959 CET | 40264 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:12.367772102 CET | 40264 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:12.488604069 CET | 6666 | 40264 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:13.536900043 CET | 6666 | 40264 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:13.536935091 CET | 6666 | 40264 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:13.537091970 CET | 40264 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:13.537185907 CET | 40264 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:13.657495022 CET | 6666 | 40264 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:21.838197947 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Dec 16, 2024 16:19:22.543771982 CET | 40266 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:22.663717985 CET | 6666 | 40266 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:22.663924932 CET | 40266 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:22.664124966 CET | 40266 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:22.783858061 CET | 6666 | 40266 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:23.809422970 CET | 6666 | 40266 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:23.809549093 CET | 40266 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:23.809597015 CET | 6666 | 40266 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:23.809731007 CET | 40266 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:23.929440022 CET | 6666 | 40266 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:27.981206894 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Dec 16, 2024 16:19:32.816761017 CET | 40268 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:32.936633110 CET | 6666 | 40268 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:32.937150955 CET | 40268 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:32.937150955 CET | 40268 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:33.057137966 CET | 6666 | 40268 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:34.090842962 CET | 6666 | 40268 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:34.091048956 CET | 40268 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:34.091130972 CET | 6666 | 40268 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:34.091212988 CET | 40268 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:34.210927963 CET | 6666 | 40268 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:43.098237038 CET | 40270 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:43.219393015 CET | 6666 | 40270 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:43.219562054 CET | 40270 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:43.219703913 CET | 40270 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:43.340325117 CET | 6666 | 40270 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:44.361342907 CET | 6666 | 40270 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:44.361357927 CET | 6666 | 40270 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:44.361496925 CET | 40270 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:44.361619949 CET | 40270 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:44.482908964 CET | 6666 | 40270 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:52.553900957 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Dec 16, 2024 16:19:53.368772030 CET | 40272 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:53.489156961 CET | 6666 | 40272 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:53.489273071 CET | 40272 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:53.489298105 CET | 40272 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:53.609117985 CET | 6666 | 40272 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:54.638264894 CET | 6666 | 40272 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:54.638494015 CET | 6666 | 40272 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:19:54.638609886 CET | 40272 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:54.638609886 CET | 40272 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:19:54.758493900 CET | 6666 | 40272 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:03.645312071 CET | 40274 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:03.765173912 CET | 6666 | 40274 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:03.765464067 CET | 40274 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:03.765594006 CET | 40274 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:03.886837006 CET | 6666 | 40274 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:04.936686993 CET | 6666 | 40274 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:04.937110901 CET | 40274 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:04.937197924 CET | 6666 | 40274 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:04.937390089 CET | 40274 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:05.058274031 CET | 6666 | 40274 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:13.031048059 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Dec 16, 2024 16:20:13.943965912 CET | 40276 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:14.063771963 CET | 6666 | 40276 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:14.064028025 CET | 40276 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:14.064217091 CET | 40276 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:14.184010029 CET | 6666 | 40276 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:15.208817005 CET | 6666 | 40276 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:15.208852053 CET | 6666 | 40276 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:15.209018946 CET | 40276 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:15.209084034 CET | 40276 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:15.328856945 CET | 6666 | 40276 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:24.216651917 CET | 40278 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:24.339543104 CET | 6666 | 40278 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:24.339819908 CET | 40278 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:24.339819908 CET | 40278 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:24.459671974 CET | 6666 | 40278 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:25.506767988 CET | 6666 | 40278 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:25.506903887 CET | 6666 | 40278 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:25.507165909 CET | 40278 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:25.507220030 CET | 40278 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:25.628478050 CET | 6666 | 40278 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:34.514484882 CET | 40280 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:34.635804892 CET | 6666 | 40280 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:34.636122942 CET | 40280 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:34.636162996 CET | 40280 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:34.756047010 CET | 6666 | 40280 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:35.796962976 CET | 6666 | 40280 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:35.797184944 CET | 40280 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:35.797343016 CET | 6666 | 40280 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:35.797492981 CET | 40280 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:35.917469025 CET | 6666 | 40280 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:44.804933071 CET | 40282 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:44.924921989 CET | 6666 | 40282 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:44.925112963 CET | 40282 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:44.925204992 CET | 40282 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:45.045186996 CET | 6666 | 40282 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:46.077152967 CET | 6666 | 40282 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:46.077194929 CET | 6666 | 40282 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:46.077356100 CET | 40282 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:46.077581882 CET | 40282 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:46.197602034 CET | 6666 | 40282 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:55.087644100 CET | 40284 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:55.207561970 CET | 6666 | 40284 | 85.239.34.134 | 192.168.2.23
Dec 16, 2024 16:20:55.207686901 CET | 40284 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:55.207788944 CET | 40284 | 6666 | 192.168.2.23 | 85.239.34.134
Dec 16, 2024 16:20:55.327691078 CET | 6666 | 40284 | 85.239.34.134 | 192.168.2.23
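The traffic table above has a shape worth detecting on its own: every ten seconds or so the sandbox opens a fresh connection (source ports 40260, 40262, ... 40284) to 85.239.34.134 on TCP 6666, exchanges about ten packets, and closes. The remaining rows (443 and 80) reuse a single source port each time, which is what SYN retransmits to an unreachable host look like, so they are one connection attempt rather than a beacon. The following is an added example, not part of the Joe Sandbox report: it takes a constructed subset of the rows above, keeps the first outbound packet per (source port, destination) so retransmits collapse into one connection, and flags destinations contacted at least five times at near-constant intervals using the coefficient of variation of the gaps. The sandbox IP 192.168.2.23 comes from the table; the thresholds (5 connections, CV at most 0.15) are assumptions chosen for this data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SANDBOX_IP = "192.168.2.23"

# Constructed sample: a subset of the rows from the network table above,
# one packet per line as timestamp|src_port|dst_port|src_ip|dst_ip.
SAMPLE_ROWS = """\
Dec 16, 2024 16:18:50.610351086 CET|43928|443|192.168.2.23|91.189.91.42
Dec 16, 2024 16:18:50.639286041 CET|40260|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:18:50.759011030 CET|6666|40260|85.239.34.134|192.168.2.23
Dec 16, 2024 16:18:50.759066105 CET|40260|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:18:51.666348934 CET|40260|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:18:57.777563095 CET|42516|80|192.168.2.23|109.202.202.202
Dec 16, 2024 16:19:01.946197033 CET|40262|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:19:11.600250959 CET|43928|443|192.168.2.23|91.189.91.42
Dec 16, 2024 16:19:12.244069099 CET|40264|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:19:22.543771982 CET|40266|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:19:27.981206894 CET|42516|80|192.168.2.23|109.202.202.202
Dec 16, 2024 16:19:32.816761017 CET|40268|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:19:43.098237038 CET|40270|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:19:52.553900957 CET|43928|443|192.168.2.23|91.189.91.42
Dec 16, 2024 16:19:53.368772030 CET|40272|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:20:03.645312071 CET|40274|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:20:13.943965912 CET|40276|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:20:24.216651917 CET|40278|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:20:34.514484882 CET|40280|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:20:44.804933071 CET|40282|6666|192.168.2.23|85.239.34.134
Dec 16, 2024 16:20:55.087644100 CET|40284|6666|192.168.2.23|85.239.34.134
"""


def parse_ts(text):
    """Parse 'Dec 16, 2024 16:18:50.610351086 CET'. strptime's %f accepts at most six
    fractional digits, so the nanosecond field is truncated to microseconds."""
    stamp, _tz = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime("%s.%s" % (head, frac[:6]), "%b %d, %Y %H:%M:%S.%f")


def connection_starts(rows, client_ip=SANDBOX_IP):
    """Map (dst_ip, dst_port) -> sorted start times, one per outbound connection attempt.
    The first packet seen for a (src_port, dst_ip, dst_port) tuple is the start; later
    packets on the same tuple, including SYN retransmits, are ignored."""
    seen = set()
    starts = defaultdict(list)
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = line.split("|")
        if sip != client_ip:
            continue
        key = (int(sport), dip, int(dport))
        if key in seen:
            continue
        seen.add(key)
        starts[(dip, int(dport))].append(parse_ts(ts))
    return {dest: sorted(times) for dest, times in starts.items()}


def find_beacons(rows, min_connections=5, max_cv=0.15):
    """Return {(dst_ip, dst_port): (connections, mean_gap_s, cv)} for destinations that
    were contacted repeatedly at near-constant intervals (low coefficient of variation)."""
    result = {}
    for dest, times in connection_starts(rows).items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            result[dest] = (len(times), round(avg, 2), round(cv, 3))
    return result


if __name__ == "__main__":
    for (ip, port), (n, avg, cv) in find_beacons(SAMPLE_ROWS).items():
        print("beacon candidate %s:%d connections=%d mean_interval=%.2fs cv=%.3f" % (ip, port, n, avg, cv))
```

On the full table the same logic gives the same answer, since the extra rows are either inbound or belong to a source port already seen. A conversation-count check (here ten packets per connection, with each side sending data) would be the natural second filter to separate a command channel from simple keep-alive probing; the row data alone does not show payload content, so the example does not claim more than timing regularity.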

                                                            System Behavior

Start time (UTC): 15:18:49
Start date (UTC): 16/12/2024
Path: /tmp/mpsl.elf
Arguments: /tmp/mpsl.elf
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC): 15:18:49
Start date (UTC): 16/12/2024
Path: /tmp/mpsl.elf
Arguments: -
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC): 15:18:49
Start date (UTC): 16/12/2024
Path: /tmp/mpsl.elf
Arguments: -
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC): 15:18:49
Start date (UTC): 16/12/2024
Path: /tmp/mpsl.elf
Arguments: -
File size: 5773336 bytes
MD5 hash: 0d6f61f82cf2f781c6eb0661071d42d9