Edit tour

Linux Analysis Report
Space.m68k.elf

Overview

General Information

Sample name:	Space.m68k.elf
Analysis ID:	1581300
MD5:	e9d24809ad9478e63a37c116ab4e15d4
SHA1:	c584f99e94efefea0cf4342632c2014a12d0d47d
SHA256:	2d0a0193b43ea9eadec11d3a16744ffefa7e8c8baae0f24b72ed761f3e20e1bb
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581300
Start date and time:	2024-12-27 10:37:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.m68k.elf
Detection:	MAL
Classification:	mal72.troj.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.m68k.elf
PID:	6250
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 6218, Parent: 4332)

rm (PID: 6218, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.U4kQztPbIV /tmp/tmp.eaYwXZIXVn /tmp/tmp.Uvg70fFH73

dash New Fork (PID: 6219, Parent: 4332)

cat (PID: 6219, Parent: 4332, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.U4kQztPbIV

dash New Fork (PID: 6220, Parent: 4332)

head (PID: 6220, Parent: 4332, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 6221, Parent: 4332)

tr (PID: 6221, Parent: 4332, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 6222, Parent: 4332)

cut (PID: 6222, Parent: 4332, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 6223, Parent: 4332)

cat (PID: 6223, Parent: 4332, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.U4kQztPbIV

dash New Fork (PID: 6224, Parent: 4332)

head (PID: 6224, Parent: 4332, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 6225, Parent: 4332)

tr (PID: 6225, Parent: 4332, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 6226, Parent: 4332)

cut (PID: 6226, Parent: 4332, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 6227, Parent: 4332)

rm (PID: 6227, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.U4kQztPbIV /tmp/tmp.eaYwXZIXVn /tmp/tmp.Uvg70fFH73

Space.m68k.elf (PID: 6250, Parent: 6148, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/Space.m68k.elf

Space.m68k.elf New Fork (PID: 6254, Parent: 6250)

Space.m68k.elf New Fork (PID: 6256, Parent: 6254)

Space.m68k.elf New Fork (PID: 6257, Parent: 6254)

Space.m68k.elf New Fork (PID: 6262, Parent: 6250)

Space.m68k.elf New Fork (PID: 6264, Parent: 6250)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Space.m68k.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Space.m68k.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
6254.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6254.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6262.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6262.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6250.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6250.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6256.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6256.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x151af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x151ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15213:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15227:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1523b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1524f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15263:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15277:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1528b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1529f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x152ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15303:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15317:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1532b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1533f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.m68k.elf PID: 6250	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.m68k.elf PID: 6250	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc554:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc57c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc590:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc61c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc66c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc6e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.m68k.elf PID: 6254	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.m68k.elf PID: 6254	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x18e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1923:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1937:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x194b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x195f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1973:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1987:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x199b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a13:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a27:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a3b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a4f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a63:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a77:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.m68k.elf PID: 6256	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.m68k.elf PID: 6256	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x867f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8693:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x86a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x86bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x86cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x86e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x86f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x870b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x871f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8733:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8747:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x875b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x876f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8783:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x8797:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x87ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x87bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x87d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x87e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x87fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x880f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.m68k.elf PID: 6262	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: Space.m68k.elf PID: 6262	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xb24d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb261:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb275:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb289:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb29d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb301:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb315:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb329:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb33d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb351:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb365:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb379:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb38d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3c9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb3dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Space.m68k.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: Space.m68k.elf	Virustotal: Detection: 61%			Perma Link
Source: Space.m68k.elf	ReversingLabs: Detection: 65%

Source: global traffic

TCP traffic: 192.168.2.23:53270 -> 159.100.18.129:3778

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: Space.m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6254.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6262.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6250.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6256.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.m68k.elf PID: 6250, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.m68k.elf PID: 6254, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.m68k.elf PID: 6256, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.m68k.elf PID: 6262, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: /proc/net/tcp.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc/proc/proc/%d/exe/proc/%s/statusName:%s/bin/busybox/bin/systemd/usr/bintest/tmp/condi/tmp/zxcr9999/tmp/condinetwork/var/condibot/var/zxcr9999/var/CondiBot/var/condinet/bin/watchdog159.100.18.129

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Space.m68k.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6254.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6262.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6250.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6256.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.m68k.elf PID: 6250, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.m68k.elf PID: 6254, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.m68k.elf PID: 6256, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.m68k.elf PID: 6262, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal72.troj.linELF@0/0@0/0

Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1582/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/3088/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1579/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1699/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1335/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1698/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1334/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1576/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/2302/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/910/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/912/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/2307/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/918/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1594/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1349/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1344/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1465/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1586/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1463/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1900/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/6257/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/491/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/6250/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1477/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/379/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1476/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/2208/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1809/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/1494/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/Space.m68k.elf (PID: 6250)	File opened: /proc/261/status	Jump to behavior

Source: /usr/bin/dash (PID: 6218)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.U4kQztPbIV /tmp/tmp.eaYwXZIXVn /tmp/tmp.Uvg70fFH73			Jump to behavior
Source: /usr/bin/dash (PID: 6227)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.U4kQztPbIV /tmp/tmp.eaYwXZIXVn /tmp/tmp.Uvg70fFH73			Jump to behavior

Source: /tmp/Space.m68k.elf (PID: 6250)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.m68k.elf, 6250.1.0000564b8c2f3000.0000564b8c37b000.rw-.sdmp, Space.m68k.elf, 6254.1.0000564b8c2f3000.0000564b8c357000.rw-.sdmp, Space.m68k.elf, 6256.1.0000564b8c2f3000.0000564b8c357000.rw-.sdmp, Space.m68k.elf, 6262.1.0000564b8c2f3000.0000564b8c37b000.rw-.sdmp	Binary or memory string: KV!/etc/qemu-binfmt/m68k
Source: Space.m68k.elf, 6250.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp, Space.m68k.elf, 6254.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp, Space.m68k.elf, 6256.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp, Space.m68k.elf, 6262.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: Space.m68k.elf, 6250.1.0000564b8c2f3000.0000564b8c37b000.rw-.sdmp, Space.m68k.elf, 6254.1.0000564b8c2f3000.0000564b8c357000.rw-.sdmp, Space.m68k.elf, 6256.1.0000564b8c2f3000.0000564b8c357000.rw-.sdmp, Space.m68k.elf, 6262.1.0000564b8c2f3000.0000564b8c37b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: Space.m68k.elf, 6250.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp, Space.m68k.elf, 6254.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp, Space.m68k.elf, 6256.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp, Space.m68k.elf, 6262.1.00007ffc926e0000.00007ffc92701000.rw-.sdmp	Binary or memory string: bx86_64/usr/bin/qemu-m68k/tmp/Space.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.m68k.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: Space.m68k.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6262.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6250.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6256.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6250, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6254, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6262, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: Space.m68k.elf, type: SAMPLE
Source: Yara match	File source: 6254.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6262.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6250.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6256.1.00007fb1ac001000.00007fb1ac019000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6250, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6254, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Space.m68k.elf PID: 6262, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.m68k.elf	62%	Virustotal		Browse
Space.m68k.elf	66%	ReversingLabs	Linux.Backdoor.Mirai
Space.m68k.elf	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.100.18.129	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
159.100.18.129	Space.x86.elf	Get hash	malicious	Unknown	Browse
	Space.ppc.elf	Get hash	malicious	Unknown	Browse
	Space.mips.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	Space.mips.elf	Get hash	malicious	Unknown	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	Space.mips.elf	Get hash	malicious	Unknown	Browse
	sh4.nn.elf	Get hash	malicious	Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	Space.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm6.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	Space.mips.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm6.nn.elf	Get hash	malicious	Okiru	Browse	185.125.190.26
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	91.189.91.42
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	RpcSecurity.arm7.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	RpcSecurity.ppc.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
INIT7CH	Space.mips.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	powerpc.nn.elf	Get hash	malicious	Okiru	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.mpsl.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	RpcSecurity.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	RpcSecurity.sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	db0fa4b8db0333367e9bda3ab68b8042.ppc.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
DE-FIRSTCOLOwwwfirst-colonetDE	Space.x86.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	Space.ppc.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	Space.mips.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	159.100.14.33-boatnet.arm-2024-12-25T14_31_19.elf	Get hash	malicious	Mirai	Browse	159.100.14.33

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.273520957499104
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Space.m68k.elf
File size:	97'552 bytes
MD5:	e9d24809ad9478e63a37c116ab4e15d4
SHA1:	c584f99e94efefea0cf4342632c2014a12d0d47d
SHA256:	2d0a0193b43ea9eadec11d3a16744ffefa7e8c8baae0f24b72ed761f3e20e1bb
SHA512:	234ebae1745d5759a842c2d36275ca13580c0003ca576328cd2447d745b01732a450fa785e8ccebd596e4fc2e04a16ea26cdaac1551b6b46e1b7d8557642560e
SSDEEP:	1536:BsSFA59vqiGWMD8JnwzV8/EqzabQeuacWjcW0JcWcBl473nipO4WlV/Nk31JFghR:WS6vqiZOJqGbQeuacWjcW0JcWcBS73nV
TLSH:	E29319C7F810ED7EF80BD67748A34D0E7671F2A00A930A326767BA67EC76195141BD82
File Content Preview:	.ELF.......................D...4..{......4. ...(......................x...x....... .......x............x..*....... .dt.Q............................NV..a....da...P N^NuNV..J9...@f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........@N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	97152
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x1504a	0x0	0x6	AX	4
.fini	PROGBITS	0x800150f2	0x150f2	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80015100	0x15100	0x27c3	0x0	0x2	A	2
.ctors	PROGBITS	0x800198c8	0x178c8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x800198d0	0x178d0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x800198dc	0x178dc	0x264	0x0	0x3	WA	4
.bss	NOBITS	0x80019b40	0x17b40	0x2818	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x17b40	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x178c3	0x178c3	6.2890	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x178c8	0x800198c8	0x800198c8	0x278	0x2a90	3.6517	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 10:38:19.803662062 CET	53270	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:19.923571110 CET	3778	53270	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:19.923660994 CET	53270	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:19.925319910 CET	53270	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:20.044950962 CET	3778	53270	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:20.045006990 CET	53270	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:20.164946079 CET	3778	53270	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:21.012923956 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 10:38:21.182344913 CET	3778	53270	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:21.182497025 CET	53270	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:21.182730913 CET	53270	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:21.183383942 CET	53272	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:21.302944899 CET	3778	53272	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:21.303181887 CET	53272	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:21.304229021 CET	53272	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:21.424932003 CET	3778	53272	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:21.425261021 CET	53272	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:21.545016050 CET	3778	53272	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:22.572072983 CET	3778	53272	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:22.572242975 CET	53272	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:22.572326899 CET	53272	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:22.572958946 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:22.692460060 CET	3778	53274	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:22.692568064 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:23.604743004 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:23.724273920 CET	3778	53274	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:23.724564075 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:23.725596905 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:23.845216990 CET	3778	53274	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:23.845513105 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:23.965286970 CET	3778	53274	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:24.984491110 CET	3778	53274	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:24.984678030 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:24.984745026 CET	53274	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:24.985379934 CET	53276	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.105096102 CET	3778	53276	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:25.105245113 CET	53276	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.106019974 CET	53276	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.225667953 CET	3778	53276	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:25.225833893 CET	53276	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.345727921 CET	3778	53276	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:25.480962038 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.600503922 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:25.600586891 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.603364944 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.722973108 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:25.723131895 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:25.842917919 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:26.388262033 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 10:38:26.413904905 CET	3778	53276	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:26.414230108 CET	53276	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:26.414230108 CET	53276	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:26.414854050 CET	53280	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:26.534427881 CET	3778	53280	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:26.534759045 CET	53280	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:26.535573006 CET	53280	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:26.655297995 CET	3778	53280	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:26.655564070 CET	53280	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:26.775360107 CET	3778	53280	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:27.896032095 CET	3778	53280	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:27.896192074 CET	53280	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:27.896262884 CET	53280	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:27.896748066 CET	53282	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:28.017811060 CET	3778	53282	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:28.018062115 CET	53282	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:28.019329071 CET	53282	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:28.138901949 CET	3778	53282	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:28.139230967 CET	53282	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:28.179847002 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 10:38:28.259032965 CET	3778	53282	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:29.369894028 CET	3778	53282	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:29.370285034 CET	53282	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:29.370285034 CET	53282	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:29.370691061 CET	53284	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:29.490312099 CET	3778	53284	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:29.490659952 CET	53284	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:29.491714001 CET	53284	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:29.611264944 CET	3778	53284	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:29.611536980 CET	53284	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:29.731483936 CET	3778	53284	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:30.795720100 CET	3778	53284	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:30.796046019 CET	53284	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:30.796046019 CET	53284	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:30.796627998 CET	53286	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:30.916276932 CET	3778	53286	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:30.916512966 CET	53286	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:30.917504072 CET	53286	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:31.037092924 CET	3778	53286	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:31.037425995 CET	53286	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:31.157375097 CET	3778	53286	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:32.221843958 CET	3778	53286	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:32.222357035 CET	53286	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:32.222357988 CET	53286	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:32.222943068 CET	53288	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:32.342550039 CET	3778	53288	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:32.342681885 CET	53288	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:32.343638897 CET	53288	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:32.463181973 CET	3778	53288	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:32.463368893 CET	53288	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:32.583132982 CET	3778	53288	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:33.658349037 CET	3778	53288	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:33.658689976 CET	53288	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:33.658689976 CET	53288	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:33.659305096 CET	53290	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:33.778810024 CET	3778	53290	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:33.779004097 CET	53290	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:33.780005932 CET	53290	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:33.899655104 CET	3778	53290	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:33.900114059 CET	53290	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:34.019933939 CET	3778	53290	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:35.083756924 CET	3778	53290	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:35.084197998 CET	53290	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.084296942 CET	53290	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.085397959 CET	53292	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.205353975 CET	3778	53292	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:35.205514908 CET	53292	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.206445932 CET	53292	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.326031923 CET	3778	53292	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:35.326167107 CET	53292	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.445842981 CET	3778	53292	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:35.612739086 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:35.732513905 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:36.018551111 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:36.018692017 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.464998960 CET	3778	53292	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:36.465368032 CET	53292	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.465466022 CET	53292	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.466315031 CET	53294	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.585902929 CET	3778	53294	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:36.586206913 CET	53294	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.587677002 CET	53294	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.707248926 CET	3778	53294	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:36.707592964 CET	53294	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:36.827383041 CET	3778	53294	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:37.892093897 CET	3778	53294	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:37.892608881 CET	53294	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:37.892608881 CET	53294	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:37.893258095 CET	53296	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:38.012784004 CET	3778	53296	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:38.013048887 CET	53296	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:38.014297009 CET	53296	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:38.134310007 CET	3778	53296	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:38.134500980 CET	53296	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:38.254379988 CET	3778	53296	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:39.353497028 CET	3778	53296	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:39.353653908 CET	53296	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:39.353688955 CET	53296	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:39.354295015 CET	53298	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:39.473885059 CET	3778	53298	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:39.474061012 CET	53298	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:39.475403070 CET	53298	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:39.595031977 CET	3778	53298	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:39.595308065 CET	53298	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:39.715003967 CET	3778	53298	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:40.733174086 CET	3778	53298	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:40.733455896 CET	53298	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:40.733455896 CET	53298	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:40.734303951 CET	53300	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:40.853857040 CET	3778	53300	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:40.854125977 CET	53300	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:40.855555058 CET	53300	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:40.975296974 CET	3778	53300	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:40.975578070 CET	53300	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:41.095323086 CET	3778	53300	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:42.161026001 CET	3778	53300	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:42.161289930 CET	53300	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:42.161381960 CET	53300	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:42.162393093 CET	53302	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:42.281948090 CET	3778	53302	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:42.282083988 CET	53302	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:42.283330917 CET	53302	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:42.402822971 CET	3778	53302	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:42.403053999 CET	53302	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:42.514044046 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 10:38:42.522733927 CET	3778	53302	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:43.632903099 CET	3778	53302	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:43.633160114 CET	53302	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:43.633407116 CET	53302	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:43.634252071 CET	53304	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:43.753865957 CET	3778	53304	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:43.754229069 CET	53304	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:43.755610943 CET	53304	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:43.875171900 CET	3778	53304	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:43.875677109 CET	53304	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:43.995392084 CET	3778	53304	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:45.013676882 CET	3778	53304	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:45.014002085 CET	53304	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:45.014002085 CET	53304	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:45.014916897 CET	53306	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:45.134641886 CET	3778	53306	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:45.134978056 CET	53306	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:45.136488914 CET	53306	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:45.256217957 CET	3778	53306	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:45.256599903 CET	53306	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:45.376559019 CET	3778	53306	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:46.487649918 CET	3778	53306	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:46.487890005 CET	53306	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:46.488032103 CET	53306	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:46.488673925 CET	53308	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:46.608567953 CET	3778	53308	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:46.609098911 CET	53308	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:46.610074043 CET	53308	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:46.729657888 CET	3778	53308	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:46.730005980 CET	53308	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:46.849917889 CET	3778	53308	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:47.960997105 CET	3778	53308	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:47.961231947 CET	53308	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:47.961338997 CET	53308	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:47.962249041 CET	53310	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:48.081861973 CET	3778	53310	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:48.082201958 CET	53310	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:48.083241940 CET	53310	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:48.202672005 CET	3778	53310	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:48.202833891 CET	53310	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:48.322354078 CET	3778	53310	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:49.341661930 CET	3778	53310	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:49.341918945 CET	53310	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:49.341990948 CET	53310	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:49.342539072 CET	53312	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:49.462156057 CET	3778	53312	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:49.462274075 CET	53312	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:49.463123083 CET	53312	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:49.582743883 CET	3778	53312	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:49.582839966 CET	53312	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:49.702277899 CET	3778	53312	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:50.766973972 CET	3778	53312	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:50.767115116 CET	53312	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:50.767215967 CET	53312	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:50.767760992 CET	53314	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:50.888186932 CET	3778	53314	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:50.888442993 CET	53314	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:50.889380932 CET	53314	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:51.008869886 CET	3778	53314	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:51.009052992 CET	53314	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:51.128586054 CET	3778	53314	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:52.193523884 CET	3778	53314	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:52.193680048 CET	53314	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:52.193886995 CET	53314	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:52.194394112 CET	53316	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:52.313895941 CET	3778	53316	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:52.314033985 CET	53316	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:52.315053940 CET	53316	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:52.435075998 CET	3778	53316	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:52.435230970 CET	53316	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:52.554991961 CET	3778	53316	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:52.752530098 CET	42836	443	192.168.2.23	91.189.91.43
Dec 27, 2024 10:38:53.619612932 CET	3778	53316	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:53.619752884 CET	53316	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:53.619812965 CET	53316	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:53.620532036 CET	53318	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:53.740364075 CET	3778	53318	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:53.740469933 CET	53318	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:53.741202116 CET	53318	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:53.860670090 CET	3778	53318	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:53.860752106 CET	53318	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:53.980261087 CET	3778	53318	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:55.010763884 CET	3778	53318	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:55.010912895 CET	53318	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:55.010958910 CET	53318	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:55.011717081 CET	53320	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:55.131242990 CET	3778	53320	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:55.131370068 CET	53320	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:55.132230997 CET	53320	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:55.251657009 CET	3778	53320	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:55.251714945 CET	53320	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:55.371437073 CET	3778	53320	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:56.390110970 CET	3778	53320	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:56.390305996 CET	53320	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:56.390351057 CET	53320	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:56.390811920 CET	53322	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:56.510317087 CET	3778	53322	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:56.510446072 CET	53322	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:56.511331081 CET	53322	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:56.630736113 CET	3778	53322	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:56.631002903 CET	53322	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:56.750524998 CET	3778	53322	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:57.815735102 CET	3778	53322	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:57.815877914 CET	53322	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:57.815907955 CET	53322	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:57.817060947 CET	53324	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:57.936669111 CET	3778	53324	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:57.936772108 CET	53324	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:57.937618971 CET	53324	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:58.057121992 CET	3778	53324	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:58.057260036 CET	53324	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:58.176893950 CET	3778	53324	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:58.895612001 CET	42516	80	192.168.2.23	109.202.202.202
Dec 27, 2024 10:38:59.288741112 CET	3778	53324	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:59.288964033 CET	53324	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:59.289068937 CET	53324	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:59.289558887 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:59.409010887 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:59.409147978 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:59.410033941 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:59.529586077 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:38:59.529723883 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:38:59.649379015 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:39:09.418795109 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:39:09.538570881 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:39:09.828351974 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:39:09.828461885 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:39:23.468225956 CET	43928	443	192.168.2.23	91.189.91.42
Dec 27, 2024 10:39:36.070563078 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:39:36.190032005 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:39:36.476670027 CET	3778	53278	159.100.18.129	192.168.2.23
Dec 27, 2024 10:39:36.476766109 CET	53278	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:40:09.877587080 CET	53326	3778	192.168.2.23	159.100.18.129
Dec 27, 2024 10:40:09.998771906 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:40:10.289330006 CET	3778	53326	159.100.18.129	192.168.2.23
Dec 27, 2024 10:40:10.289628029 CET	53326	3778	192.168.2.23	159.100.18.129

System Behavior

Analysis Process: dash PID: 6218, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6218, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.U4kQztPbIV /tmp/tmp.eaYwXZIXVn /tmp/tmp.Uvg70fFH73
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 6219, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 6219, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.U4kQztPbIV
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 6220, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 6220, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 6221, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 6221, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 6222, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 6222, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 6223, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 6223, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.U4kQztPbIV
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 6224, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 6224, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 6225, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 6225, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 6226, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 6226, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 6227, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 6227, Parent PID: 4332

General

Start time (UTC):	09:38:15
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.U4kQztPbIV /tmp/tmp.eaYwXZIXVn /tmp/tmp.Uvg70fFH73
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: Space.m68k.elf PID: 6250, Parent PID: 6148

General

Start time (UTC):	09:38:18
Start date (UTC):	27/12/2024
Path:	/tmp/Space.m68k.elf
Arguments:	/tmp/Space.m68k.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: Space.m68k.elf PID: 6254, Parent PID: 6250

General

Start time (UTC):	09:38:18
Start date (UTC):	27/12/2024
Path:	/tmp/Space.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: Space.m68k.elf PID: 6256, Parent PID: 6254

General

Start time (UTC):	09:38:18
Start date (UTC):	27/12/2024
Path:	/tmp/Space.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: Space.m68k.elf PID: 6257, Parent PID: 6254

General

Start time (UTC):	09:38:18
Start date (UTC):	27/12/2024
Path:	/tmp/Space.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: Space.m68k.elf PID: 6262, Parent PID: 6250

General

Start time (UTC):	09:38:24
Start date (UTC):	27/12/2024
Path:	/tmp/Space.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: Space.m68k.elf PID: 6264, Parent PID: 6250

General

Start time (UTC):	09:38:24
Start date (UTC):	27/12/2024
Path:	/tmp/Space.m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.m68k.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 6218, Parent PID: 4332

General

Chronological Activities

Analysis Process: rm PID: 6218, Parent PID: 4332

General

Chronological Activities

Analysis Process: dash PID: 6219, Parent PID: 4332

General

Chronological Activities

Analysis Process: cat PID: 6219, Parent PID: 4332

General

Chronological Activities

Analysis Process: dash PID: 6220, Parent PID: 4332

General

Chronological Activities

Analysis Process: head PID: 6220, Parent PID: 4332

General

Chronological Activities

Analysis Process: dash PID: 6221, Parent PID: 4332

General

Chronological Activities

Analysis Process: tr PID: 6221, Parent PID: 4332

Linux Analysis Report
Space.m68k.elf