Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
arm.elf

Overview

General Information

Sample name:arm.elf
Analysis ID:1576214
MD5:6a37dbd9c1b61ff42c42d7bfa7249860
SHA1:861808e7cf5b90559a649006e39c64d18ef37d3e
SHA256:e9a63bdbd303e4f5d91fd6fe0ed094fe87f599d9129d3dc1d4c689259590114e
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:56
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1576214
Start date and time:2024-12-16 16:43:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 2s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm.elf
Detection:MAL
Classification:mal56.troj.linELF@0/0@0/0
  • VT rate limit hit for: arm.elf
Command:/tmp/arm.elf
PID:6217
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Infected
Standard Error:
  • system is lnxubuntu20
  • arm.elf (PID: 6217, Parent: 6132, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm.elf
    • arm.elf New Fork (PID: 6219, Parent: 6217)
      • arm.elf New Fork (PID: 6221, Parent: 6219)
        • arm.elf New Fork (PID: 6227, Parent: 6221)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
arm.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
    SourceRuleDescriptionAuthorStrings
    6219.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      6217.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
        6221.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          No Suricata rule has matched

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: arm.elfReversingLabs: Detection: 42%
          Source: global trafficTCP traffic: 192.168.2.23:40260 -> 85.239.34.134:6666
          Source: /tmp/arm.elf (PID: 6217)Socket: 0.0.0.0:1210Jump to behavior
          Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
          Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
          Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: unknownTCP traffic detected without corresponding DNS query: 85.239.34.134
          Source: arm.elfString found in binary or memory: http://fast.no/support/crawler.asp)
          Source: arm.elfString found in binary or memory: http://feedback.redkolibri.com/
          Source: arm.elfString found in binary or memory: http://www.baidu.com/search/spider.htm)
          Source: arm.elfString found in binary or memory: http://www.baidu.com/search/spider.html)
          Source: arm.elfString found in binary or memory: http://www.billybobbot.com/crawler/)
          Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
          Source: ELF static info symbol of initial sample.symtab present: no
          Source: classification engineClassification label: mal56.troj.linELF@0/0@0/0
          Source: /tmp/arm.elf (PID: 6217)Queries kernel information via 'uname': Jump to behavior
          Source: arm.elf, 6217.1.000055998eb49000.000055998ec77000.rw-.sdmp, arm.elf, 6219.1.000055998eb49000.000055998ec77000.rw-.sdmp, arm.elf, 6221.1.000055998eb49000.000055998ec77000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
          Source: arm.elf, 6217.1.00007ffe5ce39000.00007ffe5ce5a000.rw-.sdmp, arm.elf, 6219.1.00007ffe5ce39000.00007ffe5ce5a000.rw-.sdmp, arm.elf, 6221.1.00007ffe5ce39000.00007ffe5ce5a000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf
          Source: arm.elf, 6217.1.000055998eb49000.000055998ec77000.rw-.sdmp, arm.elf, 6219.1.000055998eb49000.000055998ec77000.rw-.sdmp, arm.elf, 6221.1.000055998eb49000.000055998ec77000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
          Source: arm.elf, 6217.1.00007ffe5ce39000.00007ffe5ce5a000.rw-.sdmp, arm.elf, 6219.1.00007ffe5ce39000.00007ffe5ce5a000.rw-.sdmp, arm.elf, 6221.1.00007ffe5ce39000.00007ffe5ce5a000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: arm.elf, type: SAMPLE
          Source: Yara matchFile source: 6219.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6217.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6221.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmp, type: MEMORY
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
          Source: Initial sampleUser agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
          Source: Initial sampleUser agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: arm.elf, type: SAMPLE
          Source: Yara matchFile source: 6219.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6217.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6221.1.00007f5cb8017000.00007f5cb802b000.r-x.sdmp, type: MEMORY
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping11
          Security Software Discovery
          Remote ServicesData from Local System1
          Data Obfuscation
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
          Non-Standard Port
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
          Application Layer Protocol
          Traffic DuplicationData Destruction
          No configs have been found
          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Number of created Files
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1576214 Sample: arm.elf Startdate: 16/12/2024 Architecture: LINUX Score: 56 17 85.239.34.134, 40260, 40262, 40264 RAINBOW-HKRainbownetworklimitedHK Russian Federation 2->17 19 109.202.202.202, 80 INIT7CH Switzerland 2->19 21 2 other IPs or domains 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 Yara detected Mirai 2->25 9 arm.elf 2->9         started        signatures3 process4 process5 11 arm.elf 9->11         started        process6 13 arm.elf 11->13         started        process7 15 arm.elf 13->15         started       
          SourceDetectionScannerLabelLink
          arm.elf42%ReversingLabsLinux.Trojan.Mirai
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          No contacted domains info
          NameSourceMaliciousAntivirus DetectionReputation
          http://www.baidu.com/search/spider.html)arm.elffalse
            high
            http://www.billybobbot.com/crawler/)arm.elffalse
              high
              http://fast.no/support/crawler.asp)arm.elffalse
                high
                http://feedback.redkolibri.com/arm.elffalse
                  high
                  http://www.baidu.com/search/spider.htm)arm.elffalse
                    high
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IPDomainCountryFlagASNASN NameMalicious
                    85.239.34.134
                    unknownRussian Federation
                    134121RAINBOW-HKRainbownetworklimitedHKfalse
                    109.202.202.202
                    unknownSwitzerland
                    13030INIT7CHfalse
                    91.189.91.43
                    unknownUnited Kingdom
                    41231CANONICAL-ASGBfalse
                    91.189.91.42
                    unknownUnited Kingdom
                    41231CANONICAL-ASGBfalse
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    85.239.34.134m68k.elfGet hashmaliciousMiraiBrowse
                      arm7.elfGet hashmaliciousMiraiBrowse
                        x86.elfGet hashmaliciousMiraiBrowse
                          mpsl.elfGet hashmaliciousMiraiBrowse
                            arm5.elfGet hashmaliciousMiraiBrowse
                              arm5.elfGet hashmaliciousMiraiBrowse
                                m68k.elfGet hashmaliciousUnknownBrowse
                                  x86.elfGet hashmaliciousUnknownBrowse
                                    arm.elfGet hashmaliciousUnknownBrowse
                                      mpsl.elfGet hashmaliciousUnknownBrowse
                                        109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                                        • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                                        91.189.91.43m68k.elfGet hashmaliciousMiraiBrowse
                                          x86.elfGet hashmaliciousMiraiBrowse
                                            mpsl.elfGet hashmaliciousMiraiBrowse
                                              arm5.elfGet hashmaliciousMiraiBrowse
                                                arm5.elfGet hashmaliciousMiraiBrowse
                                                  zmap.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                                                    skid.mips.elfGet hashmaliciousUnknownBrowse
                                                      arm.elfGet hashmaliciousUnknownBrowse
                                                        zmap.m68k.elfGet hashmaliciousMirai, OkiruBrowse
                                                          zmap.arm5.elfGet hashmaliciousOkiruBrowse
                                                            No context
                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            RAINBOW-HKRainbownetworklimitedHKm68k.elfGet hashmaliciousMiraiBrowse
                                                            • 85.239.34.134
                                                            arm7.elfGet hashmaliciousMiraiBrowse
                                                            • 85.239.34.134
                                                            x86.elfGet hashmaliciousMiraiBrowse
                                                            • 85.239.34.134
                                                            mpsl.elfGet hashmaliciousMiraiBrowse
                                                            • 85.239.34.134
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 85.239.34.134
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 85.239.34.134
                                                            m68k.elfGet hashmaliciousUnknownBrowse
                                                            • 85.239.34.134
                                                            x86.elfGet hashmaliciousUnknownBrowse
                                                            • 85.239.34.134
                                                            arm.elfGet hashmaliciousUnknownBrowse
                                                            • 85.239.34.134
                                                            mpsl.elfGet hashmaliciousUnknownBrowse
                                                            • 85.239.34.134
                                                            CANONICAL-ASGBm68k.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            x86.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            mpsl.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            zmap.x86.elfGet hashmaliciousOkiruBrowse
                                                            • 185.125.190.26
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            zmap.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 91.189.91.42
                                                            skid.mips.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            arm.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            zmap.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 185.125.190.26
                                                            CANONICAL-ASGBm68k.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            x86.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            mpsl.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            zmap.x86.elfGet hashmaliciousOkiruBrowse
                                                            • 185.125.190.26
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 91.189.91.42
                                                            zmap.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 91.189.91.42
                                                            skid.mips.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            arm.elfGet hashmaliciousUnknownBrowse
                                                            • 91.189.91.42
                                                            zmap.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 185.125.190.26
                                                            INIT7CHm68k.elfGet hashmaliciousMiraiBrowse
                                                            • 109.202.202.202
                                                            x86.elfGet hashmaliciousMiraiBrowse
                                                            • 109.202.202.202
                                                            mpsl.elfGet hashmaliciousMiraiBrowse
                                                            • 109.202.202.202
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 109.202.202.202
                                                            arm5.elfGet hashmaliciousMiraiBrowse
                                                            • 109.202.202.202
                                                            zmap.arm7.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 109.202.202.202
                                                            skid.mips.elfGet hashmaliciousUnknownBrowse
                                                            • 109.202.202.202
                                                            arm.elfGet hashmaliciousUnknownBrowse
                                                            • 109.202.202.202
                                                            zmap.m68k.elfGet hashmaliciousMirai, OkiruBrowse
                                                            • 109.202.202.202
                                                            zmap.arm5.elfGet hashmaliciousOkiruBrowse
                                                            • 109.202.202.202
                                                            No context
                                                            No context
                                                            No created / dropped files found
                                                            File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                                                            Entropy (8bit):6.2877004568239245
                                                            TrID:
                                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                            File name:arm.elf
                                                            File size:80'440 bytes
                                                            MD5:6a37dbd9c1b61ff42c42d7bfa7249860
                                                            SHA1:861808e7cf5b90559a649006e39c64d18ef37d3e
                                                            SHA256:e9a63bdbd303e4f5d91fd6fe0ed094fe87f599d9129d3dc1d4c689259590114e
                                                            SHA512:33432bd73e71e89085b70aa7f19a4619fbee9848a680542e93bcacf881c00eac3ebc150e3be1993037ffc72f29feeeba6155435207e1d5778f7b5052fd271e8d
                                                            SSDEEP:1536:I+rdyQCOVuFVk57F28xvORcxG5q2q+FKkFtQ+1/wTyJn54N4Kvw5hl:IZQCOVuFwF28xv/Ar/zFtPtwTyJ54xwt
                                                            TLSH:35733996F8808B12C6C155B7F71E528C336B43ADD2EE32039E255F613B836670E3B985
                                                            File Content Preview:.ELF...a..........(.........4...08......4. ...(......................5...5...............5..............<j..........Q.td..................................-...L."... A..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                                                            ELF header

                                                            Class:ELF32
                                                            Data:2's complement, little endian
                                                            Version:1 (current)
                                                            Machine:ARM
                                                            Version Number:0x1
                                                            Type:EXEC (Executable file)
                                                            OS/ABI:ARM - ABI
                                                            ABI Version:0
                                                            Entry Point Address:0x8190
                                                            Flags:0x202
                                                            ELF Header Size:52
                                                            Program Header Offset:52
                                                            Program Header Size:32
                                                            Number of Program Headers:3
                                                            Section Header Offset:79920
                                                            Section Header Size:40
                                                            Number of Section Headers:13
                                                            Header String Table Index:12
                                                            NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                                            NULL0x00x00x00x00x0000
                                                            .initPROGBITS0x80940x940x180x00x6AX004
                                                            .textPROGBITS0x80b00xb00x104b80x00x6AX0016
                                                            .finiPROGBITS0x185680x105680x140x00x6AX004
                                                            .rodataPROGBITS0x1857c0x1057c0x2f9c0x00x2A004
                                                            .eh_framePROGBITS0x1c5180x135180x40x00x3WA004
                                                            .ctorsPROGBITS0x1c51c0x1351c0x80x00x3WA004
                                                            .dtorsPROGBITS0x1c5240x135240x80x00x3WA004
                                                            .jcrPROGBITS0x1c52c0x1352c0x40x00x3WA004
                                                            .dataPROGBITS0x1c5300x135300x2900x00x3WA004
                                                            .bssNOBITS0x1c7c00x137c00x67940x00x3WA004
                                                            .ARM.attributesARM_ATTRIBUTES0x00x137c00x100x00x0001
                                                            .shstrtabSTRTAB0x00x137d00x5d0x00x0001
                                                            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                            LOAD0x00x80000x80000x135180x135186.31430x5R E0x1000.init .text .fini .rodata
                                                            LOAD0x135180x1c5180x1c5180x2a80x6a3c3.39920x6RW 0x1000.eh_frame .ctors .dtors .jcr .data .bss
                                                            GNU_STACK0x00x00x00x00x00.00000x7RWE0x4
                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Dec 16, 2024 16:43:45.866722107 CET43928443192.168.2.2391.189.91.42
                                                            Dec 16, 2024 16:43:46.365463018 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:46.485502005 CET66664026085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:46.485563040 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:47.370538950 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:47.490879059 CET66664026085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:47.491099119 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:47.491369963 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:47.611310005 CET66664026085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:48.637259007 CET66664026085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:48.637387991 CET66664026085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:48.637590885 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:48.637906075 CET402606666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:48.759438992 CET66664026085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:51.242475986 CET42836443192.168.2.2391.189.91.43
                                                            Dec 16, 2024 16:43:52.521863937 CET4251680192.168.2.23109.202.202.202
                                                            Dec 16, 2024 16:43:57.643066883 CET402626666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:57.763221025 CET66664026285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:57.763649940 CET402626666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:57.764152050 CET402626666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:57.884242058 CET66664026285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:58.937536001 CET66664026285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:58.937735081 CET66664026285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:43:58.937743902 CET402626666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:58.937823057 CET402626666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:43:59.059254885 CET66664026285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:07.367826939 CET43928443192.168.2.2391.189.91.42
                                                            Dec 16, 2024 16:44:07.944122076 CET402646666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:08.065643072 CET66664026485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:08.065881968 CET402646666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:08.065978050 CET402646666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:08.187717915 CET66664026485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:09.237107038 CET66664026485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:09.237132072 CET66664026485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:09.237461090 CET402646666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:09.237595081 CET402646666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:09.357808113 CET66664026485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:17.606435061 CET42836443192.168.2.2391.189.91.43
                                                            Dec 16, 2024 16:44:18.245893002 CET402666666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:18.366053104 CET66664026685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:18.366342068 CET402666666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:18.366400003 CET402666666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:18.486576080 CET66664026685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:19.536910057 CET66664026685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:19.537055016 CET66664026685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:19.537136078 CET402666666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:19.537226915 CET402666666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:19.657464027 CET66664026685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:23.749517918 CET4251680192.168.2.23109.202.202.202
                                                            Dec 16, 2024 16:44:28.544465065 CET402686666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:28.664572001 CET66664026885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:28.664824009 CET402686666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:28.664953947 CET402686666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:28.785270929 CET66664026885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:29.846492052 CET66664026885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:29.846637011 CET66664026885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:29.846635103 CET402686666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:29.846723080 CET402686666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:29.966557026 CET66664026885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:38.852226973 CET402706666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:38.982477903 CET66664027085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:38.982604027 CET402706666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:38.982655048 CET402706666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:39.102644920 CET66664027085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:40.168457031 CET66664027085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:40.168473005 CET66664027085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:40.168580055 CET402706666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:40.168643951 CET402706666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:40.290544987 CET66664027085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:48.322137117 CET43928443192.168.2.2391.189.91.42
                                                            Dec 16, 2024 16:44:49.174858093 CET402726666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:49.294740915 CET66664027285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:49.294919014 CET402726666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:49.294955015 CET402726666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:49.414870977 CET66664027285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:50.477772951 CET66664027285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:50.477787018 CET66664027285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:50.477893114 CET402726666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:50.478162050 CET402726666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:50.598098040 CET66664027285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:59.484780073 CET402746666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:59.605995893 CET66664027485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:44:59.606254101 CET402746666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:59.606379986 CET402746666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:44:59.726407051 CET66664027485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:00.764487028 CET66664027485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:00.764520884 CET66664027485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:00.764745951 CET402746666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:00.764801979 CET402746666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:00.884743929 CET66664027485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:09.770399094 CET402766666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:09.890228033 CET66664027685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:09.890403032 CET402766666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:09.890515089 CET402766666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:10.010637999 CET66664027685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:11.064476967 CET66664027685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:11.064589024 CET66664027685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:11.064666033 CET402766666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:11.064702034 CET402766666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:11.184541941 CET66664027685.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:20.073539972 CET402786666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:20.193710089 CET66664027885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:20.193975925 CET402786666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:20.194037914 CET402786666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:20.314229965 CET66664027885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:21.362643957 CET66664027885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:21.362668991 CET66664027885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:21.363121033 CET402786666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:21.363265991 CET402786666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:21.483139992 CET66664027885.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:30.375308990 CET402806666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:30.499007940 CET66664028085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:30.499208927 CET402806666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:30.499286890 CET402806666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:30.620356083 CET66664028085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:31.666877031 CET66664028085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:31.666913986 CET66664028085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:31.667073965 CET402806666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:31.667131901 CET402806666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:31.811398983 CET66664028085.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:40.673877954 CET402826666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:40.794281960 CET66664028285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:40.794404984 CET402826666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:40.794437885 CET402826666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:40.914335012 CET66664028285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:41.963613987 CET66664028285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:41.963668108 CET66664028285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:41.963782072 CET402826666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:41.963917971 CET402826666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:42.083971024 CET66664028285.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:50.972589016 CET402846666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:51.092694044 CET66664028485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:45:51.092855930 CET402846666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:51.092962980 CET402846666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:45:51.212712049 CET66664028485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:46:22.758477926 CET66664028485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:46:22.758620977 CET402846666192.168.2.2385.239.34.134
                                                            Dec 16, 2024 16:46:22.992866039 CET66664028485.239.34.134192.168.2.23
                                                            Dec 16, 2024 16:46:22.993047953 CET402846666192.168.2.2385.239.34.134

                                                            System Behavior

                                                            Start time (UTC):15:43:45
                                                            Start date (UTC):16/12/2024
                                                            Path:/tmp/arm.elf
                                                            Arguments:/tmp/arm.elf
                                                            File size:4956856 bytes
                                                            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                                            Start time (UTC):15:43:45
                                                            Start date (UTC):16/12/2024
                                                            Path:/tmp/arm.elf
                                                            Arguments:-
                                                            File size:4956856 bytes
                                                            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                                            Start time (UTC):15:43:45
                                                            Start date (UTC):16/12/2024
                                                            Path:/tmp/arm.elf
                                                            Arguments:-
                                                            File size:4956856 bytes
                                                            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                                            Start time (UTC):15:43:45
                                                            Start date (UTC):16/12/2024
                                                            Path:/tmp/arm.elf
                                                            Arguments:-
                                                            File size:4956856 bytes
                                                            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1