Edit tour

Linux Analysis Report
Space.arm6.elf

Overview

General Information

Sample name:	Space.arm6.elf
Analysis ID:	1581306
MD5:	bb3c48fea88d7abc045efff46b5d96e6
SHA1:	446c06b0671e4324aee88035b2b07895a1853111
SHA256:	6644ed14ccced606696f94783b0ae1eb8e66ddf691c8b2a80f189b2dda400c25
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581306
Start date and time:	2024-12-27 10:42:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.arm6.elf
Detection:	MAL
Classification:	mal60.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.arm6.elf
PID:	5515
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.arm6.elf (PID: 5515, Parent: 5442, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Space.arm6.elf

Space.arm6.elf New Fork (PID: 5517, Parent: 5515)

Space.arm6.elf New Fork (PID: 5519, Parent: 5517)

Space.arm6.elf New Fork (PID: 5521, Parent: 5517)

Space.arm6.elf New Fork (PID: 5533, Parent: 5515)

Space.arm6.elf New Fork (PID: 5535, Parent: 5515)

dash New Fork (PID: 5565, Parent: 3673)

rm (PID: 5565, Parent: 3673, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.BtSwAwO5NR /tmp/tmp.PWnM8nXojD /tmp/tmp.7F3amuIALQ

dash New Fork (PID: 5566, Parent: 3673)

cat (PID: 5566, Parent: 3673, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.BtSwAwO5NR

dash New Fork (PID: 5567, Parent: 3673)

head (PID: 5567, Parent: 3673, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5568, Parent: 3673)

tr (PID: 5568, Parent: 3673, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5569, Parent: 3673)

cut (PID: 5569, Parent: 3673, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5570, Parent: 3673)

cat (PID: 5570, Parent: 3673, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.BtSwAwO5NR

dash New Fork (PID: 5571, Parent: 3673)

head (PID: 5571, Parent: 3673, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5572, Parent: 3673)

tr (PID: 5572, Parent: 3673, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5573, Parent: 3673)

cut (PID: 5573, Parent: 3673, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5574, Parent: 3673)

rm (PID: 5574, Parent: 3673, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.BtSwAwO5NR /tmp/tmp.PWnM8nXojD /tmp/tmp.7F3amuIALQ

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5517.1.00007f08f8017000.00007f08f802f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1535c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15438:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1544c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1549c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5519.1.00007f08f8017000.00007f08f802f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1535c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15438:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1544c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1549c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5515.1.00007f08f8017000.00007f08f802f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1535c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15438:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1544c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1549c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5533.1.00007f08f8017000.00007f08f802f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x15320:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15334:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15348:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1535c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x153fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15438:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1544c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1549c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm6.elf PID: 5515	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1597b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1598f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x159a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x159b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x159cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x159df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x159f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a07:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a1b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a2f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a43:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a57:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a6b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a7f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15a93:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15aa7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15abb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15acf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15ae3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15af7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15b0b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm6.elf PID: 5517	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x9ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaa0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xab4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xac8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xadc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm6.elf PID: 5519	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x102a2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102b6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102ca:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102de:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x102f2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10306:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1031a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1032e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10342:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10356:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1036a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1037e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10392:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1040a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1041e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10432:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.arm6.elf PID: 5533	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14838:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1484c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14860:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14874:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14888:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1489c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x148b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x148c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x148d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x148ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14900:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14914:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14928:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1493c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14950:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14964:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14978:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1498c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x149a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x149b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x149c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Space.arm6.elf	Virustotal: Detection: 41%			Perma Link
Source: Space.arm6.elf	ReversingLabs: Detection: 44%

Source: unknown

HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.15:49566 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.15:39306 -> 159.100.18.129:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129
Source: unknown	TCP traffic detected without corresponding DNS query: 159.100.18.129

Source: Space.arm6.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49566

Source: unknown

HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.15:49566 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5517.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5519.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5515.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5533.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm6.elf PID: 5515, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm6.elf PID: 5517, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm6.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.arm6.elf PID: 5533, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x8000

Source: 5517.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5519.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5515.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5533.1.00007f08f8017000.00007f08f802f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm6.elf PID: 5515, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm6.elf PID: 5517, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm6.elf PID: 5519, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.arm6.elf PID: 5533, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1333/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1695/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/911/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1591/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1585/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/804/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3407/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1484/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/133/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1479/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/931/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1595/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/812/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/933/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3419/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3673/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3310/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/262/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/142/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/263/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/264/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/265/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/145/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/266/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/267/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/268/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3303/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/269/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1486/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/1806/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3669/status	Jump to behavior
Source: /tmp/Space.arm6.elf (PID: 5515)	File opened: /proc/3440/status	Jump to behavior

Source: /usr/bin/dash (PID: 5565)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BtSwAwO5NR /tmp/tmp.PWnM8nXojD /tmp/tmp.7F3amuIALQ			Jump to behavior
Source: /usr/bin/dash (PID: 5574)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.BtSwAwO5NR /tmp/tmp.PWnM8nXojD /tmp/tmp.7F3amuIALQ			Jump to behavior

Source: Space.arm6.elf

Submission file: segment LOAD with 7.9738 entropy (max. 8.0)

Source: /tmp/Space.arm6.elf (PID: 5515)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.arm6.elf, 5515.1.0000558759c8d000.0000558759e7b000.rw-.sdmp, Space.arm6.elf, 5517.1.0000558759c8d000.0000558759e7b000.rw-.sdmp, Space.arm6.elf, 5519.1.0000558759c8d000.0000558759e7b000.rw-.sdmp, Space.arm6.elf, 5533.1.0000558759c8d000.0000558759e7b000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: Space.arm6.elf, 5515.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp, Space.arm6.elf, 5517.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp, Space.arm6.elf, 5519.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp, Space.arm6.elf, 5533.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Space.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.arm6.elf
Source: Space.arm6.elf, 5515.1.0000558759c8d000.0000558759e7b000.rw-.sdmp, Space.arm6.elf, 5517.1.0000558759c8d000.0000558759e7b000.rw-.sdmp, Space.arm6.elf, 5519.1.0000558759c8d000.0000558759e7b000.rw-.sdmp, Space.arm6.elf, 5533.1.0000558759c8d000.0000558759e7b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: Space.arm6.elf, 5515.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp, Space.arm6.elf, 5517.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp, Space.arm6.elf, 5519.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp, Space.arm6.elf, 5533.1.00007ffda36d4000.00007ffda36f5000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.arm6.elf	41%	Virustotal		Browse
Space.arm6.elf	45%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.arm6.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.217.10.153	unknown	United States		16509	AMAZON-02US	false
159.100.18.129	unknown	Germany		44066	DE-FIRSTCOLOwwwfirst-colonetDE	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.217.10.153	RpcSecurity.mips.elf	Get hash	malicious	Unknown	Browse
	mips64.elf	Get hash	malicious	Mirai	Browse
	Space.ppc.elf	Get hash	malicious	Mirai	Browse
	.5r3fqt67ew531has4231.mpsl.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse
	loligang.arm5.elf	Get hash	malicious	Mirai	Browse
	vqsjh4.elf	Get hash	malicious	Mirai	Browse
	x-3.2-.ISIS.elf	Get hash	malicious	Gafgyt	Browse
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse
159.100.18.129	Space.mpsl.elf	Get hash	malicious	Unknown	Browse
	Space.x86_64.elf	Get hash	malicious	Unknown	Browse
	Space.m68k.elf	Get hash	malicious	Mirai	Browse
	Space.x86.elf	Get hash	malicious	Unknown	Browse
	Space.ppc.elf	Get hash	malicious	Unknown	Browse
	Space.mips.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DE-FIRSTCOLOwwwfirst-colonetDE	Space.mpsl.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	Space.x86_64.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	Space.m68k.elf	Get hash	malicious	Mirai	Browse	159.100.18.129
	Space.x86.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	Space.ppc.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	Space.mips.elf	Get hash	malicious	Unknown	Browse	159.100.18.129
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	159.100.14.33
AMAZON-02US	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	52.53.112.200
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	52.53.112.200
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	52.53.112.200
	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Get hash	malicious	Unknown	Browse	52.53.112.200
	sh4.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	35.73.111.15
	mipsel.nn.elf	Get hash	malicious	Okiru	Browse	54.171.230.55
	5935c1f1a7da8e42028da77013b80635afdd605866569.exe	Get hash	malicious	Unknown	Browse	18.167.52.240
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	18.238.49.124
	http://www.finanzamthessen.de	Get hash	malicious	Unknown	Browse	54.75.69.192

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.9721474862994395
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	Space.arm6.elf
File size:	44'600 bytes
MD5:	bb3c48fea88d7abc045efff46b5d96e6
SHA1:	446c06b0671e4324aee88035b2b07895a1853111
SHA256:	6644ed14ccced606696f94783b0ae1eb8e66ddf691c8b2a80f189b2dda400c25
SHA512:	bf62f7e7be38e7fbc7aadd4b1229387fc8d7e6fb12dec5807dff4251e4917def5ddaa777c4b7e982eaaa6819c368925abbc2ca898e15c09962ac503e984684d6
SSDEEP:	768:EnZOKj8x/QSQ3y/4qFTOdeoJWBhdYnjWcBWDW4s5GyZDa6XXbgub49q3UELF:yXwQSYPqFHI8rOjBn4+9DXZhLF
TLSH:	4F13F191CE067E93DC523E77EFA8958F43188EF5C27A2313AA2805BC5D93740E5E8587
File Content Preview:	.ELF..............(.........4...........4. ...(.........................................H...H...H...................Q.td...............................OUPX!...................._..........?.E.h;....#..$.......L..T.\|..r.F..ZS..n.8.I+.e......rQN..D....I.:#/.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x11b00
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0xaced	0xaced	7.9738	0x5	R E	0x8000
LOAD	0xb48	0x20b48	0x20b48	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 10:43:26.291433096 CET	39306	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:26.411133051 CET	3778	39306	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:26.411192894 CET	39306	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:26.427452087 CET	39306	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:26.547122002 CET	3778	39306	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:26.547184944 CET	39306	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:26.666939020 CET	3778	39306	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:27.717999935 CET	3778	39306	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:27.718493938 CET	39306	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:27.718493938 CET	39306	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:27.722033024 CET	39308	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:27.841640949 CET	3778	39308	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:27.842077971 CET	39308	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:27.843966961 CET	39308	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:27.963556051 CET	3778	39308	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:27.963963032 CET	39308	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:28.083652020 CET	3778	39308	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:29.147811890 CET	3778	39308	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:29.147998095 CET	39308	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:29.148072958 CET	39308	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:29.148812056 CET	39310	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:29.268423080 CET	3778	39310	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:29.268531084 CET	39310	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:29.269634962 CET	39310	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:29.389209032 CET	3778	39310	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:29.389337063 CET	39310	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:29.509049892 CET	3778	39310	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:30.528898954 CET	3778	39310	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:30.529115915 CET	39310	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:30.529227018 CET	39310	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:30.529968977 CET	39312	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:30.649630070 CET	3778	39312	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:30.649816036 CET	39312	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:30.651041985 CET	39312	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:30.770550966 CET	3778	39312	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:30.770713091 CET	39312	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:30.890355110 CET	3778	39312	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:31.954695940 CET	3778	39312	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:31.954855919 CET	39312	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:31.954914093 CET	39312	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:31.955581903 CET	39314	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.023703098 CET	39316	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.075093985 CET	3778	39314	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:32.075154066 CET	39314	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.085071087 CET	39314	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.143568039 CET	3778	39316	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:32.143650055 CET	39316	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.151222944 CET	39316	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.204735994 CET	3778	39314	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:32.204794884 CET	39314	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.270744085 CET	3778	39316	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:32.270803928 CET	39316	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:32.324739933 CET	3778	39314	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:32.390427113 CET	3778	39316	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.380239010 CET	3778	39314	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.380520105 CET	39314	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.380520105 CET	39314	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.381588936 CET	39318	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.402724981 CET	3778	39316	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.403069973 CET	39316	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.403069973 CET	39316	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.408412933 CET	39320	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.501306057 CET	3778	39318	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.501630068 CET	39318	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.503570080 CET	39318	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.528242111 CET	3778	39320	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.528476000 CET	39320	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.532761097 CET	39320	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.623328924 CET	3778	39318	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.623591900 CET	39318	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.652569056 CET	3778	39320	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.653754950 CET	39320	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:33.743133068 CET	3778	39318	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:33.773569107 CET	3778	39320	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:34.808548927 CET	3778	39318	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:34.808685064 CET	39318	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.808737040 CET	39318	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.809266090 CET	39322	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.881520987 CET	3778	39320	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:34.881669998 CET	39320	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.881736994 CET	39320	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.882220984 CET	39324	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.929044008 CET	3778	39322	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:34.929169893 CET	39322	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:34.930229902 CET	39322	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:35.001921892 CET	3778	39324	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:35.002159119 CET	39324	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:35.003673077 CET	39324	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:35.049927950 CET	3778	39322	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:35.050151110 CET	39322	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:35.123496056 CET	3778	39324	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:35.123652935 CET	39324	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:35.169918060 CET	3778	39322	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:35.243757963 CET	3778	39324	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.280612946 CET	3778	39322	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.280772924 CET	39322	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.280838013 CET	39322	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.281428099 CET	39326	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.307311058 CET	3778	39324	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.307535887 CET	39324	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.307585001 CET	39324	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.307976007 CET	39328	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.401210070 CET	3778	39326	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.401417971 CET	39326	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.402453899 CET	39326	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.427620888 CET	3778	39328	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.427719116 CET	39328	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.428628922 CET	39328	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.522095919 CET	3778	39326	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.522258997 CET	39326	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.548392057 CET	3778	39328	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.548523903 CET	39328	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:36.642108917 CET	3778	39326	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:36.668292046 CET	3778	39328	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:37.707727909 CET	3778	39326	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:37.708091974 CET	39326	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.708091974 CET	39326	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.708622932 CET	39330	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.733501911 CET	3778	39328	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:37.733607054 CET	39328	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.733772039 CET	39328	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.734031916 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.828195095 CET	3778	39330	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:37.828393936 CET	39330	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.829262018 CET	39330	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.853727102 CET	3778	39332	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:37.853799105 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:37.948769093 CET	3778	39330	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:37.948877096 CET	39330	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:38.068604946 CET	3778	39330	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:38.764564037 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:38.884327888 CET	3778	39332	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:38.884535074 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:38.885838032 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.005331039 CET	3778	39332	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:39.005568027 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.125478029 CET	3778	39332	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:39.180284023 CET	3778	39330	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:39.180567026 CET	39330	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.180567026 CET	39330	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.181222916 CET	39334	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.300687075 CET	3778	39334	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:39.300822020 CET	39334	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.301728010 CET	39334	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.421266079 CET	3778	39334	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:39.421490908 CET	39334	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:39.541060925 CET	3778	39334	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.190011978 CET	3778	39332	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.190304041 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.190304041 CET	39332	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.190887928 CET	39336	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.310502052 CET	3778	39336	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.310621023 CET	39336	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.311578989 CET	39336	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.431113005 CET	3778	39336	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.431286097 CET	39336	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.551079988 CET	3778	39336	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.715974092 CET	3778	39334	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.716191053 CET	39334	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.716191053 CET	39334	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.716923952 CET	39338	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.836441040 CET	3778	39338	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.836661100 CET	39338	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.837634087 CET	39338	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:40.957160950 CET	3778	39338	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:40.957345963 CET	39338	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:41.076884031 CET	3778	39338	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:41.662226915 CET	3778	39336	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:41.662544966 CET	39336	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:41.662545919 CET	39336	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:41.663654089 CET	39340	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:41.783282042 CET	3778	39340	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:41.783550978 CET	39340	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:41.785052061 CET	39340	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:41.905738115 CET	3778	39340	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:41.905919075 CET	39340	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.027124882 CET	3778	39340	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:42.096610069 CET	3778	39338	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:42.096834898 CET	39338	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.096923113 CET	39338	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.098114014 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.217699051 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:42.217947006 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.219651937 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.339286089 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:42.339441061 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:42.459095001 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:43.090094090 CET	3778	39340	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:43.090399981 CET	39340	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:43.090569019 CET	39340	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:43.091352940 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:43.211158991 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:43.211349964 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:43.212625027 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:43.332062006 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:43.332262993 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:43.451838970 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:51.677031040 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:51.677076101 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:51.677088976 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:51.677370071 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:51.677370071 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:51.678138018 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:51.797724009 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:52.082470894 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:52.082592010 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:52.082874060 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:52.202366114 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:52.229655027 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:52.349376917 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:52.636732101 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:52.637068987 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:52.638556957 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:52.641287088 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:52.641360044 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:52.758557081 CET	443	49566	54.217.10.153	192.168.2.15
Dec 27, 2024 10:43:52.758605957 CET	49566	443	192.168.2.15	54.217.10.153
Dec 27, 2024 10:43:53.223107100 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:43:53.342941999 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:53.633148909 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:43:53.633622885 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:44:52.692687988 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:44:52.812427044 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:44:53.102745056 CET	3778	39342	159.100.18.129	192.168.2.15
Dec 27, 2024 10:44:53.102890015 CET	39342	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:44:53.679754972 CET	39344	3778	192.168.2.15	159.100.18.129
Dec 27, 2024 10:44:53.799447060 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:44:54.089626074 CET	3778	39344	159.100.18.129	192.168.2.15
Dec 27, 2024 10:44:54.089899063 CET	39344	3778	192.168.2.15	159.100.18.129

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 27, 2024 10:43:51.677088976 CET	54.217.10.153	443	192.168.2.15	49566	CN=motd.ubuntu.com CN=R11, O=Let's Encrypt, C=US	CN=R11, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	Mon Oct 21 10:21:37 CEST 2024 Wed Mar 13 01:00:00 CET 2024	Sun Jan 19 09:21:36 CET 2025 Sat Mar 13 00:59:59 CET 2027
Dec 27, 2024 10:43:51.677088976 CET	54.217.10.153	443	192.168.2.15	49566	CN=R11, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Wed Mar 13 01:00:00 CET 2024	Sat Mar 13 00:59:59 CET 2027

System Behavior

Analysis Process: Space.arm6.elf PID: 5515, Parent PID: 5442

General

Start time (UTC):	09:43:24
Start date (UTC):	27/12/2024
Path:	/tmp/Space.arm6.elf
Arguments:	/tmp/Space.arm6.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5517, Parent PID: 5515

General

Start time (UTC):	09:43:24
Start date (UTC):	27/12/2024
Path:	/tmp/Space.arm6.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5519, Parent PID: 5517

General

Start time (UTC):	09:43:24
Start date (UTC):	27/12/2024
Path:	/tmp/Space.arm6.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5521, Parent PID: 5517

General

Start time (UTC):	09:43:24
Start date (UTC):	27/12/2024
Path:	/tmp/Space.arm6.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5533, Parent PID: 5515

General

Start time (UTC):	09:43:30
Start date (UTC):	27/12/2024
Path:	/tmp/Space.arm6.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5535, Parent PID: 5515

General

Start time (UTC):	09:43:30
Start date (UTC):	27/12/2024
Path:	/tmp/Space.arm6.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: dash PID: 5565, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5565, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.BtSwAwO5NR /tmp/tmp.PWnM8nXojD /tmp/tmp.7F3amuIALQ
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5566, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5566, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.BtSwAwO5NR
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 5567, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 5567, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 5568, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 5568, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 5569, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 5569, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 5570, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cat PID: 5570, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.BtSwAwO5NR
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Chronological Activities

Analysis Process: dash PID: 5571, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: head PID: 5571, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Chronological Activities

Analysis Process: dash PID: 5572, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: tr PID: 5572, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Chronological Activities

Analysis Process: dash PID: 5573, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cut PID: 5573, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Chronological Activities

Analysis Process: dash PID: 5574, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5574, Parent PID: 3673

General

Start time (UTC):	09:43:51
Start date (UTC):	27/12/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.BtSwAwO5NR /tmp/tmp.PWnM8nXojD /tmp/tmp.7F3amuIALQ
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.arm6.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTPS Connections

System Behavior

Analysis Process: Space.arm6.elf PID: 5515, Parent PID: 5442

General

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5517, Parent PID: 5515

General

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5519, Parent PID: 5517

General

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5521, Parent PID: 5517

General

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5533, Parent PID: 5515

General

Chronological Activities

Analysis Process: Space.arm6.elf PID: 5535, Parent PID: 5515

General

Chronological Activities

Analysis Process: dash PID: 5565, Parent PID: 3673

General

Linux Analysis Report
Space.arm6.elf