Edit tour

Linux Analysis Report
arm5.elf

Overview

General Information

Sample name:	arm5.elf
Analysis ID:	1581669
MD5:	95807db3d7d48c3c8c954410cba6c6f2
SHA1:	7a4c83cf4ab4b08989d193dd33e708b47c877605
SHA256:	59421e1184689e49ed4ad0fb4c9573d7dcb1cabd338ac6c816e17980776925bd
Tags:	elfuser-abuse_ch
Infos:

Detection

Gafgyt

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Gafgyt

Executes the "iptables" command to insert, remove and/or manipulate rules

Sample is packed with UPX

Sample tries to kill multiple processes (SIGKILL)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Executes the "iptables" command used for managing IP filtering and manipulation

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581669
Start date and time:	2024-12-28 14:51:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm5.elf
Detection:	MAL
Classification:	mal68.spre.troj.evad.linELF@0/0@24/0

Warnings

Connection to analysis system has been lost, crash info: Unknown
VT rate limit hit for: SECURE-NETWORK-REBIRTHLTD.RU

Runtime Messages

Command:	/tmp/arm5.elf
PID:	6224
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	listening dn0
Standard Error:

Process Tree

system is lnxubuntu20

arm5.elf (PID: 6224, Parent: 6139, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.elf

arm5.elf New Fork (PID: 6227, Parent: 6224)

arm5.elf New Fork (PID: 6229, Parent: 6227)

arm5.elf New Fork (PID: 6441, Parent: 6227)

arm5.elf New Fork (PID: 6443, Parent: 6441)

sh (PID: 6443, Parent: 6441, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

sh New Fork (PID: 6449, Parent: 6443)

iptables (PID: 6449, Parent: 6443, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

arm5.elf New Fork (PID: 6494, Parent: 6441)

sh (PID: 6494, Parent: 6441, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

sh New Fork (PID: 6499, Parent: 6494)

busybox (PID: 6499, Parent: 6494, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: /bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

arm5.elf New Fork (PID: 6500, Parent: 6441)

sh (PID: 6500, Parent: 6441, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

sh New Fork (PID: 6505, Parent: 6500)

arm5.elf New Fork (PID: 6506, Parent: 6441)

sh (PID: 6506, Parent: 6441, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

sh New Fork (PID: 6513, Parent: 6506)

arm5.elf New Fork (PID: 6514, Parent: 6441)

sh (PID: 6514, Parent: 6441, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"

sh New Fork (PID: 6516, Parent: 6514)

busybox (PID: 6516, Parent: 6514, MD5: 70584dffe9cb0309eb22ba78aa54bcdc) Arguments: busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

xfce4-panel New Fork (PID: 6254, Parent: 2063)

wrapper-2.0 (PID: 6254, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

xfce4-panel New Fork (PID: 6255, Parent: 2063)

wrapper-2.0 (PID: 6255, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

systemd New Fork (PID: 6256, Parent: 1)

upowerd (PID: 6256, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

xfce4-panel New Fork (PID: 6274, Parent: 2063)

wrapper-2.0 (PID: 6274, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

xfce4-panel New Fork (PID: 6297, Parent: 2063)

wrapper-2.0 (PID: 6297, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

xfce4-panel New Fork (PID: 6298, Parent: 2063)

wrapper-2.0 (PID: 6298, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

xfce4-panel New Fork (PID: 6299, Parent: 2063)

wrapper-2.0 (PID: 6299, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

systemd New Fork (PID: 6304, Parent: 1)

upowerd (PID: 6304, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

systemd New Fork (PID: 6351, Parent: 1)

upowerd (PID: 6351, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

systemd New Fork (PID: 6396, Parent: 1)

upowerd (PID: 6396, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

systemd New Fork (PID: 6450, Parent: 1)

upowerd (PID: 6450, Parent: 1, MD5: 1253eea2fe5fe4017069664284e326cd) Arguments: /usr/lib/upower/upowerd

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6224.1.00007ff478017000.00007ff478038000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: arm5.elf

ReversingLabs: Detection: 28%

Networking

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 6449)

Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.23:57758 -> 83.222.191.146:2222

Source: /bin/sh (PID: 6449)

Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

Jump to behavior

Source: /tmp/arm5.elf (PID: 6224)	Socket: 127.0.0.1:8345			Jump to behavior
Source: /tmp/arm5.elf (PID: 6441)	Socket: 0.0.0.0:26721			Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: arm5.elf

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 789, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 799, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1389, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1463, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1465, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1599, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1809, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1888, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1890, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2018, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2077, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2078, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2079, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2080, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2083, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2084, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2156, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2235, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 3236, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6254, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6255, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6256, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6274, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6297, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6298, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6299, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6304, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6351, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6396, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6450, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6491, result: successful	Jump to behavior

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 789, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 799, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1389, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1463, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1465, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1599, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1809, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1888, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 1890, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2018, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2077, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2078, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2079, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2080, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2083, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2084, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2156, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 2235, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 3236, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6254, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6255, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6256, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6274, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6297, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6298, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6299, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6304, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6351, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6396, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6450, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 6229)	SIGKILL sent: pid: 6491, result: successful	Jump to behavior

Source: classification engine

Classification label: mal68.spre.troj.evad.linELF@0/0@24/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 6449)

Iptables executable using switch for changing the iptables rules: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

Jump to behavior

Source: /usr/lib/upower/upowerd (PID: 6304)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6304)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6351)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6351)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6396)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6396)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6450)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 6450)	Directory: <invalid fd (11)>/..	Jump to behavior

Source: /tmp/arm5.elf (PID: 6443)	Shell command executed: sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"	Jump to behavior
Source: /tmp/arm5.elf (PID: 6494)	Shell command executed: sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"	Jump to behavior
Source: /tmp/arm5.elf (PID: 6500)	Shell command executed: sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"	Jump to behavior
Source: /tmp/arm5.elf (PID: 6506)	Shell command executed: sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"	Jump to behavior
Source: /tmp/arm5.elf (PID: 6514)	Shell command executed: sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"	Jump to behavior

Source: /bin/sh (PID: 6449)

Iptables executable: /usr/sbin/iptables -> iptables -A INPUT -p tcp --dport 26721 -j ACCEPT

Jump to behavior

Source: arm5.elf

Submission file: segment LOAD with 7.9834 entropy (max. 8.0)

Source: /tmp/arm5.elf (PID: 6224)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/busybox (PID: 6499)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/busybox (PID: 6516)	Queries kernel information via 'uname':	Jump to behavior

Source: arm5.elf, 6224.1.00005652c259d000.00005652c27ae000.rw-.sdmp	Binary or memory string: RV!/etc/qemu-binfmt/arm
Source: arm5.elf, 6224.1.00005652c259d000.00005652c27ae000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5.elf, 6224.1.00007ffded846000.00007ffded867000.rw-.sdmp	Binary or memory string: /5x86_64/usr/bin/qemu-arm/tmp/arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.elf
Source: arm5.elf, 6224.1.00007ffded846000.00007ffded867000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match

File source: 6224.1.00007ff478017000.00007ff478038000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match

File source: 6224.1.00007ff478017000.00007ff478038000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Obfuscated Files or Information	LSASS Memory	1 System Network Configuration Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5.elf	29%	ReversingLabs	Linux.Trojan.Svirtu

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.146	true	false		high
SECURE-NETWORK-REBIRTHLTD.RU	83.222.191.146	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	arm5.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
83.222.191.146	secure-network-rebirthltd.ru	Bulgaria	43561	NET1-ASBG	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83.222.191.146	mpsl.elf	Get hash	malicious	Gafgyt	Browse
	arm4.elf	Get hash	malicious	Gafgyt	Browse
	mips.elf	Get hash	malicious	Gafgyt	Browse
	arm4.elf	Get hash	malicious	Gafgyt	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Gafgyt	Browse
	arm5.elf	Get hash	malicious	Gafgyt	Browse
	mpsl.elf	Get hash	malicious	Gafgyt	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	arm6.elf	Get hash	malicious	Gafgyt	Browse
	arm4.elf	Get hash	malicious	Gafgyt	Browse
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse
	yakuza.sparc.elf	Get hash	malicious	Mirai	Browse
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse
	yakuza.mipsel.elf	Get hash	malicious	Mirai	Browse
	yakuza.arm7.elf	Get hash	malicious	Mirai	Browse
	yakuza.ppc.elf	Get hash	malicious	Mirai	Browse
	most-mips.elf	Get hash	malicious	Mirai	Browse
	most-mpsl.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	arm6.elf	Get hash	malicious	Gafgyt	Browse
	arm4.elf	Get hash	malicious	Gafgyt	Browse
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse
	yakuza.sparc.elf	Get hash	malicious	Mirai	Browse
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse
	yakuza.mipsel.elf	Get hash	malicious	Mirai	Browse
	yakuza.arm7.elf	Get hash	malicious	Mirai	Browse
	yakuza.ppc.elf	Get hash	malicious	Mirai	Browse
	most-mips.elf	Get hash	malicious	Mirai	Browse
	most-mpsl.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	mips.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
SECURE-NETWORK-REBIRTHLTD.RU	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	mips.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	yakuza.m68k.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	yakuza.i586.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	arm6.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	arm4.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.sparc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.mipsel.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
CANONICAL-ASGB	yakuza.m68k.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	yakuza.i586.elf	Get hash	malicious	Mirai	Browse	185.125.190.26
	arm6.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	arm4.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.sparc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.mipsel.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	yakuza.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
INIT7CH	arm6.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	arm4.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	yakuza.sh.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	yakuza.sparc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	yakuza.mipsel.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	yakuza.arm7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	yakuza.ppc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	most-mips.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	most-mpsl.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
NET1-ASBG	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	mips.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	x86_64.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm5.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	putty.exe	Get hash	malicious	SmokeLoader	Browse	94.156.177.51
	#U041f#U043b#U0430#U0442i#U0436#U043d#U0430 i#U043d#U0441#U0442#U0440#U0443#U043a#U0446i#U044f.vbs	Get hash	malicious	SmokeLoader	Browse	94.156.177.51

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):	7.982313409679076
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5.elf
File size:	56'636 bytes
MD5:	95807db3d7d48c3c8c954410cba6c6f2
SHA1:	7a4c83cf4ab4b08989d193dd33e708b47c877605
SHA256:	59421e1184689e49ed4ad0fb4c9573d7dcb1cabd338ac6c816e17980776925bd
SHA512:	08cb1669fee964512ec55ac93a9257f6078474cbdcf9097c432d004eb740c2bac309519892895f6c774cc93a8f75b53c7ce3a1597d86c137d288f82bcb5d5949
SSDEEP:	1536:BDJEBCvNlFeWiFpi8osiSMlkvN/L6V1M2ozM:BiBweApS7ioI
TLSH:	454302B0E5078696C640623E2E2D45D2BD7D877043DA39FB66B41F65CEE173118F834A
File Content Preview:	.ELF...a..........(......J..4...........4. ...(.....................7...7...............D...D...D...................Q.td................................UPX!.........Z...Z......S..........?.E.h;.}...^..........e..Xcz=.....y.....W...8..Q..le....v.B.7W(z.rX.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x14a88
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0xdc37	0xdc37	7.9834	0x5	R E	0x8000
LOAD	0x1f44	0x39f44	0x39f44	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 14:51:47.576316118 CET	43928	443	192.168.2.23	91.189.91.42
Dec 28, 2024 14:51:52.951566935 CET	42836	443	192.168.2.23	91.189.91.43
Dec 28, 2024 14:51:53.221429110 CET	57758	2222	192.168.2.23	83.222.191.146
Dec 28, 2024 14:51:53.341065884 CET	2222	57758	83.222.191.146	192.168.2.23
Dec 28, 2024 14:51:53.341136932 CET	57758	2222	192.168.2.23	83.222.191.146
Dec 28, 2024 14:51:53.341965914 CET	57758	2222	192.168.2.23	83.222.191.146
Dec 28, 2024 14:51:53.342020988 CET	57758	2222	192.168.2.23	83.222.191.146
Dec 28, 2024 14:51:53.461452007 CET	2222	57758	83.222.191.146	192.168.2.23
Dec 28, 2024 14:51:53.506536961 CET	2222	57758	83.222.191.146	192.168.2.23
Dec 28, 2024 14:51:54.743338108 CET	42516	80	192.168.2.23	109.202.202.202
Dec 28, 2024 14:51:55.616542101 CET	2222	57758	83.222.191.146	192.168.2.23
Dec 28, 2024 14:51:55.616647005 CET	57758	2222	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:09.333343029 CET	43928	443	192.168.2.23	91.189.91.42
Dec 28, 2024 14:52:17.686132908 CET	52622	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:17.805789948 CET	35342	52622	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:17.805973053 CET	52622	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:17.806919098 CET	52622	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:17.926330090 CET	35342	52622	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:17.926619053 CET	52622	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:18.046171904 CET	35342	52622	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:19.152796984 CET	35342	52622	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:19.153192997 CET	52622	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:19.272691965 CET	35342	52622	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:19.571935892 CET	42836	443	192.168.2.23	91.189.91.43
Dec 28, 2024 14:52:20.396545887 CET	52624	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:20.516155958 CET	35342	52624	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:20.516244888 CET	52624	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:20.516293049 CET	52624	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:20.637809992 CET	35342	52624	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:20.637881994 CET	52624	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:20.757379055 CET	35342	52624	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:21.865536928 CET	35342	52624	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:21.865736961 CET	52624	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:21.985346079 CET	35342	52624	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:25.715327024 CET	42516	80	192.168.2.23	109.202.202.202
Dec 28, 2024 14:52:47.893713951 CET	52626	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:48.013358116 CET	35342	52626	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:48.013504028 CET	52626	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:48.013611078 CET	52626	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:48.133208036 CET	35342	52626	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:48.133363962 CET	52626	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:48.253123045 CET	35342	52626	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:49.360627890 CET	35342	52626	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:49.361021996 CET	52626	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:49.480609894 CET	35342	52626	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:50.287763119 CET	43928	443	192.168.2.23	91.189.91.42
Dec 28, 2024 14:52:50.602696896 CET	52628	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:50.722152948 CET	35342	52628	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:50.722239971 CET	52628	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:50.722376108 CET	52628	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:50.841902018 CET	35342	52628	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:50.841975927 CET	52628	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:50.962241888 CET	35342	52628	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:52.069008112 CET	35342	52628	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:52.069152117 CET	52628	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:52.188708067 CET	35342	52628	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:53.528285980 CET	52630	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:53.647952080 CET	35342	52630	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:53.648191929 CET	52630	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:53.648309946 CET	52630	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:53.767800093 CET	35342	52630	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:53.767908096 CET	52630	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:53.887506008 CET	35342	52630	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:55.157991886 CET	35342	52630	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:55.158246994 CET	52630	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:55.277853966 CET	35342	52630	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:56.159662962 CET	52632	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:56.279395103 CET	35342	52632	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:56.279508114 CET	52632	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:56.279664993 CET	52632	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:56.399127007 CET	35342	52632	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:56.399283886 CET	52632	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:56.518904924 CET	35342	52632	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:57.672429085 CET	35342	52632	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:57.672817945 CET	52632	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:57.792463064 CET	35342	52632	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:58.905334949 CET	52634	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:59.024854898 CET	35342	52634	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:59.025060892 CET	52634	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:59.025171041 CET	52634	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:59.144635916 CET	35342	52634	83.222.191.146	192.168.2.23
Dec 28, 2024 14:52:59.144793987 CET	52634	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:52:59.264889956 CET	35342	52634	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:00.797041893 CET	35342	52634	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:00.797621012 CET	35342	52634	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:00.797669888 CET	52634	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:00.797669888 CET	52634	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:00.917614937 CET	35342	52634	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:26.824089050 CET	52636	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:26.943690062 CET	35342	52636	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:26.943871021 CET	52636	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:26.943871021 CET	52636	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:27.064090967 CET	35342	52636	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:27.064254045 CET	52636	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:27.183773994 CET	35342	52636	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:28.244671106 CET	35342	52636	83.222.191.146	192.168.2.23
Dec 28, 2024 14:53:28.244986057 CET	52636	35342	192.168.2.23	83.222.191.146
Dec 28, 2024 14:53:28.364612103 CET	35342	52636	83.222.191.146	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 14:51:52.662635088 CET	36077	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:51:57.667896986 CET	50584	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:52:02.672852039 CET	39676	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:52:07.674695969 CET	48257	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:52:12.680382967 CET	43425	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:52:20.155383110 CET	37658	53	192.168.2.23	81.169.136.222
Dec 28, 2024 14:52:20.395553112 CET	53	37658	81.169.136.222	192.168.2.23
Dec 28, 2024 14:52:22.867630005 CET	48722	53	192.168.2.23	178.254.22.166
Dec 28, 2024 14:52:27.873584986 CET	41413	53	192.168.2.23	178.254.22.166
Dec 28, 2024 14:52:32.876805067 CET	44019	53	192.168.2.23	178.254.22.166
Dec 28, 2024 14:52:37.882666111 CET	60478	53	192.168.2.23	178.254.22.166
Dec 28, 2024 14:52:42.888849020 CET	60719	53	192.168.2.23	178.254.22.166
Dec 28, 2024 14:52:50.363451004 CET	44159	53	192.168.2.23	81.169.136.222
Dec 28, 2024 14:52:50.601871967 CET	53	44159	81.169.136.222	192.168.2.23
Dec 28, 2024 14:52:53.070926905 CET	56254	53	192.168.2.23	185.181.61.24
Dec 28, 2024 14:52:53.527690887 CET	53	56254	185.181.61.24	192.168.2.23
Dec 28, 2024 14:52:58.675152063 CET	43874	53	192.168.2.23	195.10.195.195
Dec 28, 2024 14:52:58.904328108 CET	53	43874	195.10.195.195	192.168.2.23
Dec 28, 2024 14:53:01.799966097 CET	42683	53	192.168.2.23	134.195.4.2
Dec 28, 2024 14:53:06.805299997 CET	48581	53	192.168.2.23	134.195.4.2
Dec 28, 2024 14:53:11.811213970 CET	56384	53	192.168.2.23	134.195.4.2
Dec 28, 2024 14:53:16.812797070 CET	58468	53	192.168.2.23	134.195.4.2
Dec 28, 2024 14:53:21.819068909 CET	60733	53	192.168.2.23	134.195.4.2
Dec 28, 2024 14:53:29.246901035 CET	35170	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:53:34.250544071 CET	60281	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:53:39.256169081 CET	52589	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:53:44.262343884 CET	47271	53	192.168.2.23	51.254.162.59
Dec 28, 2024 14:53:49.267537117 CET	58320	53	192.168.2.23	51.254.162.59

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 14:51:52.662635088 CET	192.168.2.23	51.254.162.59	0xe72e	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:51:57.667896986 CET	192.168.2.23	51.254.162.59	0xe72e	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:02.672852039 CET	192.168.2.23	51.254.162.59	0xe72e	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:07.674695969 CET	192.168.2.23	51.254.162.59	0xe72e	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:12.680382967 CET	192.168.2.23	51.254.162.59	0xe72e	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:20.155383110 CET	192.168.2.23	81.169.136.222	0xf7fd	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:22.867630005 CET	192.168.2.23	178.254.22.166	0xf1d6	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:27.873584986 CET	192.168.2.23	178.254.22.166	0xf1d6	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:32.876805067 CET	192.168.2.23	178.254.22.166	0xf1d6	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:37.882666111 CET	192.168.2.23	178.254.22.166	0xf1d6	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:42.888849020 CET	192.168.2.23	178.254.22.166	0xf1d6	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:50.363451004 CET	192.168.2.23	81.169.136.222	0xd306	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:53.070926905 CET	192.168.2.23	185.181.61.24	0x2157	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:58.675152063 CET	192.168.2.23	195.10.195.195	0x1aa1	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:01.799966097 CET	192.168.2.23	134.195.4.2	0xb91	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:06.805299997 CET	192.168.2.23	134.195.4.2	0xb91	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:11.811213970 CET	192.168.2.23	134.195.4.2	0xb91	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:16.812797070 CET	192.168.2.23	134.195.4.2	0xb91	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:21.819068909 CET	192.168.2.23	134.195.4.2	0xb91	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:29.246901035 CET	192.168.2.23	51.254.162.59	0xa0bc	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:34.250544071 CET	192.168.2.23	51.254.162.59	0xa0bc	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:39.256169081 CET	192.168.2.23	51.254.162.59	0xa0bc	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:44.262343884 CET	192.168.2.23	51.254.162.59	0xa0bc	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:53:49.267537117 CET	192.168.2.23	51.254.162.59	0xa0bc	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 14:52:20.395553112 CET	81.169.136.222	192.168.2.23	0xf7fd	No error (0)	SECURE-NETWORK-REBIRTHLTD.RU	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:50.601871967 CET	81.169.136.222	192.168.2.23	0xd306	No error (0)	SECURE-NETWORK-REBIRTHLTD.RU	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:53.527690887 CET	185.181.61.24	192.168.2.23	0x2157	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 14:52:58.904328108 CET	195.10.195.195	192.168.2.23	0x1aa1	No error (0)	SECURE-NETWORK-REBIRTHLTD.RU	83.222.191.146	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm5.elf PID: 6224, Parent PID: 6139

General

Start time (UTC):	13:51:46
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	/tmp/arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 6227, Parent PID: 6224

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 6229, Parent PID: 6227

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 6441, Parent PID: 6227

General

Start time (UTC):	13:51:51
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 6443, Parent PID: 6441

General

Start time (UTC):	13:51:51
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 6443, Parent PID: 6441

General

Start time (UTC):	13:51:51
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	sh -c "iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6449, Parent PID: 6443

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: iptables PID: 6449, Parent PID: 6443

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/usr/sbin/iptables
Arguments:	iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

Chronological Activities

Analysis Process: arm5.elf PID: 6494, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 6494, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	sh -c "/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6499, Parent PID: 6494

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: busybox PID: 6499, Parent PID: 6494

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/busybox
Arguments:	/bin/busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
File size:	2172376 bytes
MD5 hash:	70584dffe9cb0309eb22ba78aa54bcdc

Chronological Activities

Analysis Process: arm5.elf PID: 6500, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 6500, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	sh -c "/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6505, Parent PID: 6500

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: arm5.elf PID: 6506, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 6506, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	sh -c "/usr/bin/iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6513, Parent PID: 6506

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: arm5.elf PID: 6514, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 6514, Parent PID: 6441

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	sh -c "busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6516, Parent PID: 6514

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: busybox PID: 6516, Parent PID: 6514

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/usr/bin/busybox
Arguments:	busybox iptables -A INPUT -p tcp --dport 26721 -j ACCEPT
File size:	2172376 bytes
MD5 hash:	70584dffe9cb0309eb22ba78aa54bcdc

Chronological Activities

Analysis Process: xfce4-panel PID: 6254, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 6254, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 6255, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 6255, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: systemd PID: 6256, Parent PID: 1

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 6256, Parent PID: 1

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Chronological Activities

Analysis Process: xfce4-panel PID: 6274, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 6274, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 6297, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 6297, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 6298, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 6298, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 6299, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 6299, Parent PID: 2063

General

Start time (UTC):	13:51:47
Start date (UTC):	28/12/2024
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: systemd PID: 6304, Parent PID: 1

General

Start time (UTC):	13:51:48
Start date (UTC):	28/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 6304, Parent PID: 1

General

Start time (UTC):	13:51:48
Start date (UTC):	28/12/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Chronological Activities

Analysis Process: systemd PID: 6351, Parent PID: 1

General

Start time (UTC):	13:51:49
Start date (UTC):	28/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 6351, Parent PID: 1

General

Start time (UTC):	13:51:49
Start date (UTC):	28/12/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Chronological Activities

Analysis Process: systemd PID: 6396, Parent PID: 1

General

Start time (UTC):	13:51:50
Start date (UTC):	28/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 6396, Parent PID: 1

General

Start time (UTC):	13:51:50
Start date (UTC):	28/12/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Chronological Activities

Analysis Process: systemd PID: 6450, Parent PID: 1

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: upowerd PID: 6450, Parent PID: 1

General

Start time (UTC):	13:51:52
Start date (UTC):	28/12/2024
Path:	/usr/lib/upower/upowerd
Arguments:	/usr/lib/upower/upowerd
File size:	260328 bytes
MD5 hash:	1253eea2fe5fe4017069664284e326cd

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm5.elf PID: 6224, Parent PID: 6139

General

Chronological Activities

Analysis Process: arm5.elf PID: 6227, Parent PID: 6224

General

Chronological Activities

Analysis Process: arm5.elf PID: 6229, Parent PID: 6227

General

Chronological Activities

Analysis Process: arm5.elf PID: 6441, Parent PID: 6227

General

Chronological Activities

Analysis Process: arm5.elf PID: 6443, Parent PID: 6441

General

Chronological Activities

Linux Analysis Report
arm5.elf