Edit tour

Linux Analysis Report
Space.mpsl.elf

Overview

General Information

Sample name:	Space.mpsl.elf
Analysis ID:	1580586
MD5:	594b0c6dda90b4666f6cb871ef7ac269
SHA1:	f3848823f183a5758e3497e8469f489e3b6fd2af
SHA256:	059172ffb609f2b9842c7d75006d6290f38aa8b3226975ebacef5e0ff280637b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580586
Start date and time:	2024-12-25 11:21:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.mpsl.elf
Detection:	MAL
Classification:	mal68.evad.linELF@0/0@0/0

Warnings

VT rate limit hit for: Space.mpsl.elf

Runtime Messages

Command:	/tmp/Space.mpsl.elf
PID:	5529
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.mpsl.elf (PID: 5529, Parent: 5449, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/Space.mpsl.elf

Space.mpsl.elf New Fork (PID: 5531, Parent: 5529)

Space.mpsl.elf New Fork (PID: 5533, Parent: 5531)

Space.mpsl.elf New Fork (PID: 5534, Parent: 5531)

Space.mpsl.elf New Fork (PID: 5545, Parent: 5529)

Space.mpsl.elf New Fork (PID: 5547, Parent: 5529)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5533.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5531.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5545.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5529.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5529	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xce07:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce1b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce2f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce43:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce57:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce6b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce7f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xce93:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcea7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcebb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcecf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcee3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcef7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf0b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf1f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf33:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf47:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf5b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf6f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf83:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcf97:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5531	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x460f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4623:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4637:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x464b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x465f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4673:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4687:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x469b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4713:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4727:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x473b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x474f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4763:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4777:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x478b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x479f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5533	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x982:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x996:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9aa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9be:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9d2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9e6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9fa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa0e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa22:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa36:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa4a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa5e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa72:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa86:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa9a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaae:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xac2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xad6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaea:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xafe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb12:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mpsl.elf PID: 5545	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xa1f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa20d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa221:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa235:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa249:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa25d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa271:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa285:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa299:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa311:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa325:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa339:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa34d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa361:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa375:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa389:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Space.mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Space.mpsl.elf

ReversingLabs: Detection: 50%

Source: global traffic

TCP traffic: 192.168.2.15:41018 -> 154.216.20.216:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216

Source: Space.mpsl.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5533.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5531.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5545.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5529.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5529, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5531, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5533, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mpsl.elf PID: 5545, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5533.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5531.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5545.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5529.1.00007f4f4c400000.00007f4f4c42a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5529, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5531, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5533, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mpsl.elf PID: 5545, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1333/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1695/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/911/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1591/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1585/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/804/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/3407/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1484/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/133/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1479/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/931/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1595/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/812/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/933/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/3419/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/3310/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/262/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/142/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/263/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/264/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/265/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/145/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/266/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/267/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/268/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/3303/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/269/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1486/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/1806/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/3440/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/270/status	Jump to behavior
Source: /tmp/Space.mpsl.elf (PID: 5529)	File opened: /proc/271/status	Jump to behavior

Source: Space.mpsl.elf

Submission file: segment LOAD with 7.9458 entropy (max. 8.0)

Source: /tmp/Space.mpsl.elf (PID: 5529)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.mpsl.elf, 5529.1.000055d269b97000.000055d269c3f000.rw-.sdmp, Space.mpsl.elf, 5531.1.000055d269b97000.000055d269c3f000.rw-.sdmp, Space.mpsl.elf, 5533.1.000055d269b97000.000055d269c3f000.rw-.sdmp, Space.mpsl.elf, 5545.1.000055d269b97000.000055d269c3f000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: Space.mpsl.elf, 5529.1.000055d269b97000.000055d269c3f000.rw-.sdmp, Space.mpsl.elf, 5531.1.000055d269b97000.000055d269c3f000.rw-.sdmp, Space.mpsl.elf, 5533.1.000055d269b97000.000055d269c3f000.rw-.sdmp, Space.mpsl.elf, 5545.1.000055d269b97000.000055d269c3f000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: Space.mpsl.elf, 5529.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp, Space.mpsl.elf, 5531.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp, Space.mpsl.elf, 5533.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp, Space.mpsl.elf, 5545.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/Space.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.mpsl.elf
Source: Space.mpsl.elf, 5529.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp, Space.mpsl.elf, 5531.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp, Space.mpsl.elf, 5533.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp, Space.mpsl.elf, 5545.1.00007ffc5939d000.00007ffc593be000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.mpsl.elf	50%	ReversingLabs	Linux.Trojan.Mirai
Space.mpsl.elf	100%	Avira	EXP/ELF.Agent.M.28

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.mpsl.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.20.216	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.216.20.216	Space.m68k.elf	Get hash	malicious	Mirai	Browse
154.216.20.216	Space.i686.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	Space.m68k.elf	Get hash	malicious	Mirai	Browse	154.216.20.216
	Space.i686.elf	Get hash	malicious	Unknown	Browse	154.216.20.216
	byte.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.138
	zerarm7.elf	Get hash	malicious	Unknown	Browse	154.216.16.250
	nabm68k.elf	Get hash	malicious	Unknown	Browse	154.216.16.244
	nabarm.elf	Get hash	malicious	Unknown	Browse	154.216.16.244
	zerppc.elf	Get hash	malicious	Unknown	Browse	154.216.16.250
	zerarm5.elf	Get hash	malicious	Unknown	Browse	154.216.16.244
	nabx86.elf	Get hash	malicious	Unknown	Browse	154.216.16.244
	nabsh4.elf	Get hash	malicious	Unknown	Browse	154.216.16.244

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.9431631400512765
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Space.mpsl.elf
File size:	44'352 bytes
MD5:	594b0c6dda90b4666f6cb871ef7ac269
SHA1:	f3848823f183a5758e3497e8469f489e3b6fd2af
SHA256:	059172ffb609f2b9842c7d75006d6290f38aa8b3226975ebacef5e0ff280637b
SHA512:	5a1a1d931bd0c434e98d80d36da42e91ad4cb9e5ea6aa2ed0e3e66d90eec043d627e8acca0fd148997e3b8b7c9996e423f3966cf96cde1ee0b6cb54cddc0ec92
SSDEEP:	768:4QdzLFMbXkqyyxwmGFm3qsSPhkj96MiKrecs6cDtyO5XnQDh3nWN:nPmwqBOc31LNrecs6KtPXQDa
TLSH:	6E13E14D9BA2ED56CCCF583970CD13B50E9371C124171FDCA359AC8CA961C8ABCCA8B5
File Content Preview:	.ELF........................4...........4. ...(...............................................C...C.....................UPX!d...................V..........?.E.h;....#......b.L#>g7.9f......1....F.....f.u.(L.X.Ak..8......~.Dl0..Wl../... ..il...&..........p?

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x1098d8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xac15	0xac15	7.9458	0x5	R E	0x10000
LOAD	0xaffc	0x43affc	0x43affc	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 11:22:04.271991968 CET	41018	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:04.391901970 CET	3778	41018	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:04.391978979 CET	41018	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:04.397672892 CET	41018	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:04.517297983 CET	3778	41018	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:04.517354012 CET	41018	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:04.636962891 CET	3778	41018	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:05.688980103 CET	3778	41018	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:05.689141989 CET	41018	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:05.689392090 CET	41018	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:05.689990044 CET	41020	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:05.809614897 CET	3778	41020	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:05.809804916 CET	41020	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:05.810606003 CET	41020	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:05.930200100 CET	3778	41020	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:05.930613041 CET	41020	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:06.050242901 CET	3778	41020	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:07.107481003 CET	3778	41020	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:07.107731104 CET	41020	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:07.107808113 CET	41020	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:07.108391047 CET	41022	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:07.228055954 CET	3778	41022	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:07.228291035 CET	41022	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:07.229322910 CET	41022	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:07.348982096 CET	3778	41022	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:07.349328041 CET	41022	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:07.468880892 CET	3778	41022	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:08.529612064 CET	3778	41022	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:08.529933929 CET	41022	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:08.529934883 CET	41022	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:08.530571938 CET	41024	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:08.650196075 CET	3778	41024	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:08.650357962 CET	41024	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:08.651348114 CET	41024	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:08.770899057 CET	3778	41024	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:08.771109104 CET	41024	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:08.890794992 CET	3778	41024	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:09.948637962 CET	3778	41024	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:09.948940039 CET	41024	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:09.948940039 CET	41024	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:09.949681997 CET	41026	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.069226027 CET	3778	41026	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:10.069492102 CET	41026	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.070453882 CET	41026	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.190138102 CET	3778	41026	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:10.190265894 CET	41026	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.309856892 CET	3778	41026	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:10.533216953 CET	41028	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.653275967 CET	3778	41028	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:10.653363943 CET	41028	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.668076992 CET	41028	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.787789106 CET	3778	41028	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:10.787849903 CET	41028	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:10.907577991 CET	3778	41028	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:11.370410919 CET	3778	41026	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:11.370714903 CET	41026	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.370714903 CET	41026	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.371773005 CET	41030	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.491522074 CET	3778	41030	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:11.491760969 CET	41030	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.492903948 CET	41030	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.612479925 CET	3778	41030	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:11.612598896 CET	41030	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.732599974 CET	3778	41030	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:11.951543093 CET	3778	41028	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:11.951908112 CET	41028	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.952241898 CET	41028	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:11.953748941 CET	41032	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.073364973 CET	3778	41032	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:12.073599100 CET	41032	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.075967073 CET	41032	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.195512056 CET	3778	41032	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:12.195687056 CET	41032	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.315426111 CET	3778	41032	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:12.792129993 CET	3778	41030	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:12.792444944 CET	41030	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.792444944 CET	41030	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.793092012 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.912858963 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:12.913116932 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:12.913777113 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.033433914 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:13.033508062 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.153213024 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:13.375389099 CET	3778	41032	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:13.375595093 CET	41032	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.375595093 CET	41032	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.376143932 CET	41036	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.495719910 CET	3778	41036	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:13.495937109 CET	41036	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.496892929 CET	41036	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.616501093 CET	3778	41036	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:13.616615057 CET	41036	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:13.736301899 CET	3778	41036	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:14.797286034 CET	3778	41036	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:14.797625065 CET	41036	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:14.797626019 CET	41036	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:14.798166037 CET	41038	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:14.917690039 CET	3778	41038	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:14.917859077 CET	41038	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:14.918610096 CET	41038	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:15.038178921 CET	3778	41038	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:15.038269997 CET	41038	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:15.157984972 CET	3778	41038	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:16.217946053 CET	3778	41038	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:16.218080044 CET	41038	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:16.218126059 CET	41038	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:16.218679905 CET	41040	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:16.338238001 CET	3778	41040	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:16.338336945 CET	41040	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:16.339421034 CET	41040	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:16.458901882 CET	3778	41040	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:16.459000111 CET	41040	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:16.578624964 CET	3778	41040	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:17.637669086 CET	3778	41040	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:17.637979984 CET	41040	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:17.637979984 CET	41040	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:17.638478994 CET	41042	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:17.758021116 CET	3778	41042	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:17.758482933 CET	41042	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:17.759771109 CET	41042	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:17.879585028 CET	3778	41042	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:17.879709005 CET	41042	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:17.999372005 CET	3778	41042	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:19.060623884 CET	3778	41042	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:19.060762882 CET	41042	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:19.060986996 CET	41042	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:19.061574936 CET	41044	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:19.182257891 CET	3778	41044	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:19.182473898 CET	41044	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:19.183908939 CET	41044	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:19.304371119 CET	3778	41044	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:19.304744959 CET	41044	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:19.424623013 CET	3778	41044	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:20.480688095 CET	3778	41044	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:20.481096983 CET	41044	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:20.481235981 CET	41044	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:20.482083082 CET	41046	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:20.601726055 CET	3778	41046	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:20.601944923 CET	41046	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:20.602777958 CET	41046	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:20.722417116 CET	3778	41046	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:20.722610950 CET	41046	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:20.842262030 CET	3778	41046	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:21.902679920 CET	3778	41046	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:21.903044939 CET	41046	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:21.903126955 CET	41046	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:21.903815985 CET	41048	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:22.023471117 CET	3778	41048	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:22.023689032 CET	41048	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:22.024981022 CET	41048	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:22.144531965 CET	3778	41048	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:22.144831896 CET	41048	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:22.264589071 CET	3778	41048	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:22.916807890 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.037229061 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:23.326687098 CET	3778	41048	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:23.326859951 CET	41048	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.326936007 CET	41048	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.327831030 CET	41050	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.338155031 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:23.338210106 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.447783947 CET	3778	41050	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:23.448014975 CET	41050	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.449395895 CET	41050	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.569011927 CET	3778	41050	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:23.569156885 CET	41050	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:23.689106941 CET	3778	41050	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:24.746972084 CET	3778	41050	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:24.747242928 CET	41050	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:24.747549057 CET	41050	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:24.748420000 CET	41052	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:24.868046045 CET	3778	41052	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:24.868371964 CET	41052	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:24.869575977 CET	41052	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:24.989355087 CET	3778	41052	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:24.989661932 CET	41052	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:25.110064030 CET	3778	41052	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:26.167251110 CET	3778	41052	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:26.167450905 CET	41052	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:26.167618990 CET	41052	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:26.168365002 CET	41054	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:26.287898064 CET	3778	41054	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:26.288265944 CET	41054	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:26.289438009 CET	41054	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:26.409122944 CET	3778	41054	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:26.409416914 CET	41054	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:26.529225111 CET	3778	41054	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:27.597634077 CET	3778	41054	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:27.597799063 CET	41054	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:27.597845078 CET	41054	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:27.598381996 CET	41056	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:27.717995882 CET	3778	41056	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:27.718197107 CET	41056	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:27.718784094 CET	41056	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:27.838305950 CET	3778	41056	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:27.838563919 CET	41056	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:27.958395958 CET	3778	41056	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:29.021167040 CET	3778	41056	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:29.021322966 CET	41056	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:29.021410942 CET	41056	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:29.021982908 CET	41058	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:29.141563892 CET	3778	41058	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:29.141802073 CET	41058	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:29.143075943 CET	41058	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:29.262610912 CET	3778	41058	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:29.262737036 CET	41058	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:29.382410049 CET	3778	41058	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:30.440845966 CET	3778	41058	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:30.441061020 CET	41058	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:30.441194057 CET	41058	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:30.442061901 CET	41060	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:30.561633110 CET	3778	41060	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:30.562083960 CET	41060	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:30.563081026 CET	41060	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:30.682604074 CET	3778	41060	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:30.682867050 CET	41060	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:30.802561998 CET	3778	41060	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:31.858865023 CET	3778	41060	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:31.859154940 CET	41060	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:31.859155893 CET	41060	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:31.859941006 CET	41062	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:31.979521036 CET	3778	41062	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:31.979860067 CET	41062	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:31.980984926 CET	41062	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:32.100667000 CET	3778	41062	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:32.100805998 CET	41062	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:32.220518112 CET	3778	41062	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:33.277221918 CET	3778	41062	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:33.277542114 CET	41062	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:33.277542114 CET	41062	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:33.278414965 CET	41064	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:33.397978067 CET	3778	41064	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:33.398125887 CET	41064	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:33.399251938 CET	41064	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:33.518762112 CET	3778	41064	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:33.518834114 CET	41064	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:33.638461113 CET	3778	41064	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:34.694428921 CET	3778	41064	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:34.694714069 CET	41064	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:34.694756985 CET	41064	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:34.695540905 CET	41066	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:34.815257072 CET	3778	41066	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:34.815418005 CET	41066	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:34.816597939 CET	41066	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:34.936119080 CET	3778	41066	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:34.936248064 CET	41066	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:35.055855036 CET	3778	41066	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:36.114805937 CET	3778	41066	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:36.115030050 CET	41066	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:36.115320921 CET	41066	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:36.116296053 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:36.235970020 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:36.236241102 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:36.237695932 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:36.357227087 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:36.357511044 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:36.477211952 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:46.247761011 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:22:46.367692947 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:46.669884920 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:22:46.670048952 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:23:23.389287949 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:23:23.509133101 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:23:23.810606003 CET	3778	41034	154.216.20.216	192.168.2.15
Dec 25, 2024 11:23:23.810817957 CET	41034	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:23:46.728403091 CET	41068	3778	192.168.2.15	154.216.20.216
Dec 25, 2024 11:23:46.848299026 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:23:47.151302099 CET	3778	41068	154.216.20.216	192.168.2.15
Dec 25, 2024 11:23:47.151671886 CET	41068	3778	192.168.2.15	154.216.20.216

System Behavior

Analysis Process: Space.mpsl.elf PID: 5529, Parent PID: 5449

General

Start time (UTC):	10:22:03
Start date (UTC):	25/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	/tmp/Space.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5531, Parent PID: 5529

General

Start time (UTC):	10:22:03
Start date (UTC):	25/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5533, Parent PID: 5531

General

Start time (UTC):	10:22:03
Start date (UTC):	25/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5534, Parent PID: 5531

General

Start time (UTC):	10:22:03
Start date (UTC):	25/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5545, Parent PID: 5529

General

Start time (UTC):	10:22:09
Start date (UTC):	25/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5547, Parent PID: 5529

General

Start time (UTC):	10:22:09
Start date (UTC):	25/12/2024
Path:	/tmp/Space.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.mpsl.elf PID: 5529, Parent PID: 5449

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5531, Parent PID: 5529

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5533, Parent PID: 5531

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5534, Parent PID: 5531

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5545, Parent PID: 5529

General

Chronological Activities

Analysis Process: Space.mpsl.elf PID: 5547, Parent PID: 5529

General

Chronological Activities

Linux Analysis Report
Space.mpsl.elf