Edit tour

Linux Analysis Report
Space.ppc.elf

Overview

General Information

Sample name:	Space.ppc.elf
Analysis ID:	1580594
MD5:	70bc1be9a01fd79070053f5005e3c122
SHA1:	274e5542793e02baebba0703b5079d1c5e1ae2a1
SHA256:	e816dad4e92610952308eba883fc24eb7cad4aea466d3b3985bdea229415ca3b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580594
Start date and time:	2024-12-25 11:29:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.ppc.elf
Detection:	MAL
Classification:	mal68.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.ppc.elf
PID:	5510
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.ppc.elf (PID: 5510, Parent: 5435, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/Space.ppc.elf

Space.ppc.elf New Fork (PID: 5512, Parent: 5510)

Space.ppc.elf New Fork (PID: 5514, Parent: 5512)

Space.ppc.elf New Fork (PID: 5515, Parent: 5512)

Space.ppc.elf New Fork (PID: 5524, Parent: 5510)

Space.ppc.elf New Fork (PID: 5526, Parent: 5510)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5510.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x42c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x47c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5512.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x42c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x47c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5514.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x42c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x47c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5524.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x350:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x364:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x378:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x38c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x404:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x418:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x42c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x440:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x454:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x468:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x47c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x490:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.ppc.elf PID: 5510	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x37d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x391:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3e1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x409:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x41d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x431:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x445:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x459:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x46d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x481:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x495:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4a9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4bd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4e5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x50d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.ppc.elf PID: 5512	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x9af8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.ppc.elf PID: 5514	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1b42:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b56:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b6a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b7e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1b92:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ba6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1bba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1bce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1be2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1bf6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c0a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c1e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c32:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c46:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c5a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c6e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c82:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1c96:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1caa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cbe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.ppc.elf PID: 5524	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xe4bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe4d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe4e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe4f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe50c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe520:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe534:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe548:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe55c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe570:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe584:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe598:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe5ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe5c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe5d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe5e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe5fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe610:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe624:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe638:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xe64c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Space.ppc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Space.ppc.elf	ReversingLabs: Detection: 55%
Source: Space.ppc.elf	Virustotal: Detection: 44%			Perma Link

Source: global traffic

TCP traffic: 192.168.2.13:36998 -> 154.216.20.216:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.20.216

Source: Space.ppc.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5510.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5512.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5514.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5524.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.ppc.elf PID: 5510, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.ppc.elf PID: 5512, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.ppc.elf PID: 5514, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.ppc.elf PID: 5524, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5510.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5512.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5514.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5524.1.00007fb6b8014000.00007fb6b8017000.rwx.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.ppc.elf PID: 5510, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.ppc.elf PID: 5512, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.ppc.elf PID: 5514, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.ppc.elf PID: 5524, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal68.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/238/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/239/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/240/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/3095/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/241/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/242/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/244/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/245/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/247/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1906/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/3420/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1482/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1480/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/371/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1238/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/134/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/3413/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/816/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.ppc.elf (PID: 5510)	File opened: /proc/3310/status	Jump to behavior

Source: Space.ppc.elf

Submission file: segment LOAD with 7.9641 entropy (max. 8.0)

Source: /tmp/Space.ppc.elf (PID: 5510)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.ppc.elf, 5510.1.00007fff19496000.00007fff194b7000.rw-.sdmp, Space.ppc.elf, 5512.1.00007fff19496000.00007fff194b7000.rw-.sdmp, Space.ppc.elf, 5514.1.00007fff19496000.00007fff194b7000.rw-.sdmp, Space.ppc.elf, 5524.1.00007fff19496000.00007fff194b7000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/Space.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.ppc.elf
Source: Space.ppc.elf, 5512.1.0000555bd54e9000.0000555bd5599000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: Space.ppc.elf, 5510.1.0000555bd54e9000.0000555bd55ba000.rw-.sdmp, Space.ppc.elf, 5514.1.0000555bd54e9000.0000555bd5599000.rw-.sdmp, Space.ppc.elf, 5524.1.0000555bd54e9000.0000555bd55ba000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: Space.ppc.elf, 5510.1.0000555bd54e9000.0000555bd55ba000.rw-.sdmp, Space.ppc.elf, 5512.1.0000555bd54e9000.0000555bd5599000.rw-.sdmp, Space.ppc.elf, 5514.1.0000555bd54e9000.0000555bd5599000.rw-.sdmp, Space.ppc.elf, 5524.1.0000555bd54e9000.0000555bd55ba000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: Space.ppc.elf, 5510.1.00007fff19496000.00007fff194b7000.rw-.sdmp, Space.ppc.elf, 5512.1.00007fff19496000.00007fff194b7000.rw-.sdmp, Space.ppc.elf, 5514.1.00007fff19496000.00007fff194b7000.rw-.sdmp, Space.ppc.elf, 5524.1.00007fff19496000.00007fff194b7000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.ppc.elf	55%	ReversingLabs	Linux.Trojan.Mirai
Space.ppc.elf	44%	Virustotal		Browse
Space.ppc.elf	100%	Avira	EXP/ELF.Agent.F.118

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.ppc.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.216.20.216	unknown	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
154.216.20.216	Space.sh4.elf	Get hash	malicious	Unknown	Browse
	Space.arm.elf	Get hash	malicious	Mirai	Browse
	Space.mips.elf	Get hash	malicious	Unknown	Browse
	Space.mpsl.elf	Get hash	malicious	Unknown	Browse
	Space.m68k.elf	Get hash	malicious	Mirai	Browse
	Space.i686.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	Space.sh4.elf	Get hash	malicious	Unknown	Browse	154.216.20.216
	Space.arm.elf	Get hash	malicious	Mirai	Browse	154.216.20.216
	Space.mips.elf	Get hash	malicious	Unknown	Browse	154.216.20.216
	Space.mpsl.elf	Get hash	malicious	Unknown	Browse	154.216.20.216
	Space.m68k.elf	Get hash	malicious	Mirai	Browse	154.216.20.216
	Space.i686.elf	Get hash	malicious	Unknown	Browse	154.216.20.216
	byte.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.138
	zerarm7.elf	Get hash	malicious	Unknown	Browse	154.216.16.250
	nabm68k.elf	Get hash	malicious	Unknown	Browse	154.216.16.244
	nabarm.elf	Get hash	malicious	Unknown	Browse	154.216.16.244

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.962020617687457
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Space.ppc.elf
File size:	40'324 bytes
MD5:	70bc1be9a01fd79070053f5005e3c122
SHA1:	274e5542793e02baebba0703b5079d1c5e1ae2a1
SHA256:	e816dad4e92610952308eba883fc24eb7cad4aea466d3b3985bdea229415ca3b
SHA512:	3e41f7dea5eafb5859f526b5cd12cbf076bbb27403dd70761acac2f83ec9565a340cb35d29a6004501d01771292484811c69130f30dafdca903dd84df350db5c
SSDEEP:	768:yrqQ4JXTPxcCj3do/vTKRVDkO1HmQcvbG+TqarjEP8o3OWAXPg4uVcqgw09L:uqQbCj3do/+fDrJ1cyUqOgkGA/g4u+qC
TLSH:	7B03E157CC895ED6EDFFD5621304CAE2F7E05A8DAF619CED245BCB06331E464520CA90
File Content Preview:	.ELF...........................4.........4. ...(.......................x...x..............k...k...k.................dt.Q................................UPX!..........b...b........V.......?.E.h4...@b........=.a....`..Y...j{.c.HL}.....H..z.q.H.....8ea......

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x108a90
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x100000	0x100000	0x9c78	0x9c78	7.9641	0x5	R E	0x10000
LOAD	0x6b90	0x10026b90	0x10026b90	0x0	0x0	0.0000	0x6	RW	0x10000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 25, 2024 11:30:34.258369923 CET	36998	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:34.378261089 CET	3778	36998	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:34.378365993 CET	36998	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:34.405945063 CET	36998	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:34.525580883 CET	3778	36998	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:34.525654078 CET	36998	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:34.645260096 CET	3778	36998	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:35.677001953 CET	3778	36998	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:35.677248001 CET	36998	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:35.677603960 CET	36998	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:35.678165913 CET	37000	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:35.797754049 CET	3778	37000	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:35.797858953 CET	37000	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:35.798672915 CET	37000	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:35.918241024 CET	3778	37000	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:35.918487072 CET	37000	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:36.037990093 CET	3778	37000	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:37.096070051 CET	3778	37000	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:37.096323967 CET	37000	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:37.096323967 CET	37000	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:37.097037077 CET	37002	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:37.218569994 CET	3778	37002	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:37.218771935 CET	37002	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:37.219568968 CET	37002	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:37.339119911 CET	3778	37002	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:37.339220047 CET	37002	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:37.458858967 CET	3778	37002	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:38.517512083 CET	3778	37002	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:38.517724037 CET	37002	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:38.517813921 CET	37002	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:38.518382072 CET	37004	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:38.637940884 CET	3778	37004	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:38.638133049 CET	37004	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:38.638875961 CET	37004	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:38.758465052 CET	3778	37004	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:38.758595943 CET	37004	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:38.878221989 CET	3778	37004	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:39.938294888 CET	3778	37004	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:39.938474894 CET	37004	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:39.938529968 CET	37004	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:39.939125061 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.043200016 CET	37008	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.058681011 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:40.058734894 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.099251032 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.163439035 CET	3778	37008	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:40.163527012 CET	37008	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.174027920 CET	37008	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.218924046 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:40.218966961 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.293636084 CET	3778	37008	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:40.293709993 CET	37008	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:40.338624001 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:40.413405895 CET	3778	37008	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:41.467581034 CET	3778	37008	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:41.467820883 CET	37008	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:41.468348026 CET	37008	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:41.469465971 CET	37010	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:41.588995934 CET	3778	37010	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:41.589138985 CET	37010	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:41.591195107 CET	37010	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:41.710858107 CET	3778	37010	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:41.711100101 CET	37010	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:41.830766916 CET	3778	37010	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:42.889763117 CET	3778	37010	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:42.889993906 CET	37010	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:42.889995098 CET	37010	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:42.890676975 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:43.010267973 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:43.010365009 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:43.011318922 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:43.130873919 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:43.131123066 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:43.250682116 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:50.109546900 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:50.229223967 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:50.530098915 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:50.530308962 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:53.021766901 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:30:53.141573906 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:53.442204952 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:30:53.442363977 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:31:50.582990885 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:31:50.702613115 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:31:51.003614902 CET	3778	37006	154.216.20.216	192.168.2.13
Dec 25, 2024 11:31:51.003818035 CET	37006	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:31:53.497941971 CET	37012	3778	192.168.2.13	154.216.20.216
Dec 25, 2024 11:31:53.617917061 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:31:53.918315887 CET	3778	37012	154.216.20.216	192.168.2.13
Dec 25, 2024 11:31:53.918600082 CET	37012	3778	192.168.2.13	154.216.20.216

System Behavior

Analysis Process: Space.ppc.elf PID: 5510, Parent PID: 5435

General

Start time (UTC):	10:30:32
Start date (UTC):	25/12/2024
Path:	/tmp/Space.ppc.elf
Arguments:	/tmp/Space.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5512, Parent PID: 5510

General

Start time (UTC):	10:30:32
Start date (UTC):	25/12/2024
Path:	/tmp/Space.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5514, Parent PID: 5512

General

Start time (UTC):	10:30:32
Start date (UTC):	25/12/2024
Path:	/tmp/Space.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5515, Parent PID: 5512

General

Start time (UTC):	10:30:32
Start date (UTC):	25/12/2024
Path:	/tmp/Space.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5524, Parent PID: 5510

General

Start time (UTC):	10:30:38
Start date (UTC):	25/12/2024
Path:	/tmp/Space.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5526, Parent PID: 5510

General

Start time (UTC):	10:30:38
Start date (UTC):	25/12/2024
Path:	/tmp/Space.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.ppc.elf PID: 5510, Parent PID: 5435

General

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5512, Parent PID: 5510

General

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5514, Parent PID: 5512

General

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5515, Parent PID: 5512

General

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5524, Parent PID: 5510

General

Chronological Activities

Analysis Process: Space.ppc.elf PID: 5526, Parent PID: 5510

General

Chronological Activities

Linux Analysis Report
Space.ppc.elf