Edit tour

Linux Analysis Report
arm4.elf

Overview

General Information

Sample name:	arm4.elf
Analysis ID:	1581778
MD5:	ab479fa1c0376dbb999f6b4a4fd3a26e
SHA1:	eda130217213b9c1d92b9e400d5279d13d85c2e3
SHA256:	1a742066ad19b17d888000e4afc3ae71232c46846604f2ef9385d92a45c7908e
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581778
Start date and time:	2024-12-28 23:57:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm4.elf
Detection:	MAL
Classification:	mal56.linELF@0/0@16/0

Warnings

VT rate limit hit for: arm4.elf

Runtime Messages

Command:	/tmp/arm4.elf
PID:	5490
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	have onna deez nutz
Standard Error:

Process Tree

system is lnxubuntu20

arm4.elf (PID: 5490, Parent: 5416, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm4.elf

arm4.elf New Fork (PID: 5492, Parent: 5490)

arm4.elf New Fork (PID: 5494, Parent: 5492)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm4.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm4.elf

ReversingLabs: Detection: 29%

Source: global traffic

TCP traffic: 192.168.2.14:44288 -> 83.222.191.146:33211

Source: /tmp/arm4.elf (PID: 5490)

Socket: 127.0.0.1:8345

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: secure-network-rebirthltd.ru

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.linELF@0/0@16/0

Source: /tmp/arm4.elf (PID: 5490)

Queries kernel information via 'uname':

Jump to behavior

Source: arm4.elf, 5490.1.00007fff92d3b000.00007fff92d5c000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm4.elf
Source: arm4.elf, 5490.1.0000559681235000.00005596813aa000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm4.elf, 5490.1.0000559681235000.00005596813aa000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm4.elf, 5490.1.00007fff92d3b000.00007fff92d5c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm4.elf	30%	ReversingLabs	Linux.Backdoor.Mirai
arm4.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
secure-network-rebirthltd.ru	83.222.191.146	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
83.222.191.146	secure-network-rebirthltd.ru	Bulgaria		43561	NET1-ASBG	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
83.222.191.146	dlr.arm6.elf	Get hash	malicious	Gafgyt	Browse	/binaries/arm6
	dlr.mpsl.elf	Get hash	malicious	Gafgyt	Browse	/binaries/mpsl
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	/binaries/arm7
	dlr.mips.elf	Get hash	malicious	Gafgyt	Browse	/binaries/mips

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
secure-network-rebirthltd.ru	arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.146
	spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	x86_64.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm4.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm5.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mips.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	arm7.elf	Get hash	malicious	Mirai	Browse	83.222.191.146
	spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	mips.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	x86_64.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	dlr.arm6.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	dlr.mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	dlr.mips.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	mpsl.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.018411887634166
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm4.elf
File size:	58'536 bytes
MD5:	ab479fa1c0376dbb999f6b4a4fd3a26e
SHA1:	eda130217213b9c1d92b9e400d5279d13d85c2e3
SHA256:	1a742066ad19b17d888000e4afc3ae71232c46846604f2ef9385d92a45c7908e
SHA512:	85686238ea6dbc5f4a6e5e8e5b75be224f02d4ab9963e2d2ec0e48df531a49f58e52a2a12bf0e0b46a54d711af1f8eb5cd8dccc017f5488772cf2881403700e3
SSDEEP:	768:MJucChlzHaDkAWKGKs8an9J2fv1cKzW21NuCi0TCGcwvMxdZUQUscTrjVdzMvPIf:hcAlzHWs8UJ2fv1tO2hAxBcTffMvP
TLSH:	D0432981BD819A13C6D412BBFB2E428D332753B8D2EB3306DD265F11778692B0EB7651
File Content Preview:	.ELF...a..........(.........4...........4. ...(.....................`...`...............................8$..........Q.td..................................-...L."....2..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	58136
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xca80	0x0	0x6	AX	16
.fini	PROGBITS	0x14b30	0xcb30	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x14b44	0xcb44	0x111c	0x0	0x2	A	4
.ctors	PROGBITS	0x1e000	0xe000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1e008	0xe008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1e014	0xe014	0x2c4	0x0	0x3	WA	4
.bss	NOBITS	0x1e2d8	0xe2d8	0x2160	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xe2d8	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xdc60	0xdc60	6.1184	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0xe000	0x1e000	0x1e000	0x2d8	0x2438	1.5965	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 23:57:58.285939932 CET	44288	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:57:58.405467033 CET	33211	44288	83.222.191.146	192.168.2.14
Dec 28, 2024 23:57:58.405540943 CET	44288	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:57:58.406622887 CET	44288	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:57:58.526063919 CET	33211	44288	83.222.191.146	192.168.2.14
Dec 28, 2024 23:57:58.526112080 CET	44288	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:57:58.645622969 CET	33211	44288	83.222.191.146	192.168.2.14
Dec 28, 2024 23:57:59.705020905 CET	33211	44288	83.222.191.146	192.168.2.14
Dec 28, 2024 23:57:59.705095053 CET	44288	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:57:59.705271006 CET	44288	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:00.946590900 CET	44290	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:01.066131115 CET	33211	44290	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:01.066190958 CET	44290	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:01.067176104 CET	44290	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:01.186619043 CET	33211	44290	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:01.186691999 CET	44290	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:01.306273937 CET	33211	44290	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:02.412105083 CET	33211	44290	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:02.412311077 CET	44290	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:02.412374020 CET	44290	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:03.775454044 CET	44292	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:03.895035028 CET	33211	44292	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:03.895088911 CET	44292	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:03.896245003 CET	44292	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:04.015711069 CET	33211	44292	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:04.015763044 CET	44292	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:04.135189056 CET	33211	44292	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:05.242036104 CET	33211	44292	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:05.242116928 CET	44292	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:05.242168903 CET	44292	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:06.645320892 CET	44294	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:06.764867067 CET	33211	44294	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:06.765038967 CET	44294	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:06.766136885 CET	44294	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:06.885618925 CET	33211	44294	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:06.885720015 CET	44294	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:07.005302906 CET	33211	44294	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:08.118277073 CET	33211	44294	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:08.118319988 CET	44294	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:08.118355989 CET	44294	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:09.362596989 CET	44296	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:09.482120037 CET	33211	44296	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:09.482235909 CET	44296	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:09.483891010 CET	44296	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:09.603370905 CET	33211	44296	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:09.603620052 CET	44296	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:09.723130941 CET	33211	44296	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:10.829698086 CET	33211	44296	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:10.829989910 CET	44296	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:10.829989910 CET	44296	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:12.073456049 CET	44298	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:12.192986965 CET	33211	44298	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:12.193120956 CET	44298	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:12.194699049 CET	44298	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:12.314142942 CET	33211	44298	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:12.314343929 CET	44298	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:12.433866024 CET	33211	44298	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:13.585958004 CET	33211	44298	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:13.586221933 CET	44298	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:13.586349964 CET	44298	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:14.723928928 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:14.843394041 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:14.843545914 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:14.844988108 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:14.964378119 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:14.964551926 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:15.084027052 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:23.278785944 CET	44302	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:23.398485899 CET	33211	44302	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:23.398545027 CET	44302	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:23.399610043 CET	44302	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:23.519000053 CET	33211	44302	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:23.519128084 CET	44302	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:23.639931917 CET	33211	44302	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:24.744910002 CET	33211	44302	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:24.745541096 CET	44302	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:24.746043921 CET	44302	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:24.855098009 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:24.974658012 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:25.285626888 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:25.285753012 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:25.883271933 CET	44304	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:26.002785921 CET	33211	44304	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:26.002921104 CET	44304	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:26.004014969 CET	44304	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:26.123455048 CET	33211	44304	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:26.123692989 CET	44304	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:26.243256092 CET	33211	44304	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:27.349104881 CET	33211	44304	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:27.349204063 CET	44304	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:27.349435091 CET	44304	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:28.486778975 CET	44306	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:28.606288910 CET	33211	44306	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:28.606539011 CET	44306	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:28.608078957 CET	44306	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:28.727514029 CET	33211	44306	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:28.727727890 CET	44306	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:28.847147942 CET	33211	44306	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:29.952419996 CET	33211	44306	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:29.952697992 CET	44306	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:29.952805996 CET	44306	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:31.091110945 CET	44308	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:31.210686922 CET	33211	44308	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:31.210844994 CET	44308	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:31.212369919 CET	44308	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:31.332077026 CET	33211	44308	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:31.332317114 CET	44308	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:31.451920033 CET	33211	44308	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:32.557264090 CET	33211	44308	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:32.557532072 CET	44308	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:32.557642937 CET	44308	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:33.695632935 CET	44310	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:33.815220118 CET	33211	44310	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:33.815476894 CET	44310	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:33.816847086 CET	44310	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:33.936465025 CET	33211	44310	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:33.936681986 CET	44310	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:34.056191921 CET	33211	44310	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:35.207765102 CET	33211	44310	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:35.207911015 CET	44310	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:35.208045006 CET	44310	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:36.345139027 CET	44312	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:36.464685917 CET	33211	44312	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:36.464761972 CET	44312	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:36.466133118 CET	44312	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:36.585659981 CET	33211	44312	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:36.585728884 CET	44312	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:36.705221891 CET	33211	44312	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:37.810715914 CET	33211	44312	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:37.810810089 CET	44312	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:37.811047077 CET	44312	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:38.947325945 CET	44314	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:39.067367077 CET	33211	44314	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:39.067544937 CET	44314	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:39.068367004 CET	44314	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:39.187830925 CET	33211	44314	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:39.188008070 CET	44314	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:39.307512999 CET	33211	44314	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:40.460330963 CET	33211	44314	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:40.460573912 CET	44314	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:40.460644007 CET	44314	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:41.598557949 CET	44316	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:41.718250990 CET	33211	44316	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:41.718363047 CET	44316	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:41.719434977 CET	44316	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:41.838854074 CET	33211	44316	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:41.839060068 CET	44316	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:41.958681107 CET	33211	44316	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:43.064481974 CET	33211	44316	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:43.064717054 CET	44316	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:43.064717054 CET	44316	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:44.322927952 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:44.442554951 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:44.442670107 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:44.443403959 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:44.562882900 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:44.562961102 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:44.682552099 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:54.453648090 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:58:54.573165894 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:54.884885073 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:58:54.885081053 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:59:25.324899912 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:59:25.444586992 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:59:25.755611897 CET	33211	44300	83.222.191.146	192.168.2.14
Dec 28, 2024 23:59:25.755779028 CET	44300	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:59:54.936139107 CET	44318	33211	192.168.2.14	83.222.191.146
Dec 28, 2024 23:59:55.055740118 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:59:55.366791964 CET	33211	44318	83.222.191.146	192.168.2.14
Dec 28, 2024 23:59:55.366918087 CET	44318	33211	192.168.2.14	83.222.191.146

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 23:57:58.046220064 CET	39944	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:57:58.284998894 CET	53	39944	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:00.707727909 CET	49120	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:00.945952892 CET	53	49120	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:03.414474964 CET	59699	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:03.774666071 CET	53	59699	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:06.244779110 CET	60320	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:06.644361973 CET	53	60320	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:09.122040987 CET	46641	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:09.361624002 CET	53	46641	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:11.833215952 CET	45583	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:12.072446108 CET	53	45583	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:14.589507103 CET	42907	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:14.723131895 CET	53	42907	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:23.144079924 CET	56549	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:23.277877092 CET	53	56549	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:25.748544931 CET	49554	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:25.882397890 CET	53	49554	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:28.352205038 CET	51355	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:28.485903978 CET	53	51355	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:30.955861092 CET	58298	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:31.090040922 CET	53	58298	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:33.560578108 CET	46390	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:33.694757938 CET	53	46390	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:36.210731983 CET	55016	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:36.344449043 CET	53	55016	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:38.813040972 CET	49137	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:38.946942091 CET	53	49137	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:41.463128090 CET	41171	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:41.597775936 CET	53	41171	8.8.8.8	192.168.2.14
Dec 28, 2024 23:58:44.066714048 CET	44315	53	192.168.2.14	8.8.8.8
Dec 28, 2024 23:58:44.322448015 CET	53	44315	8.8.8.8	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 23:57:58.046220064 CET	192.168.2.14	8.8.8.8	0xacf2	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:00.707727909 CET	192.168.2.14	8.8.8.8	0xbac4	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:03.414474964 CET	192.168.2.14	8.8.8.8	0xbb99	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:06.244779110 CET	192.168.2.14	8.8.8.8	0xadda	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:09.122040987 CET	192.168.2.14	8.8.8.8	0x3426	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:11.833215952 CET	192.168.2.14	8.8.8.8	0x4b64	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:14.589507103 CET	192.168.2.14	8.8.8.8	0x8754	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:23.144079924 CET	192.168.2.14	8.8.8.8	0xacf2	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:25.748544931 CET	192.168.2.14	8.8.8.8	0xbac4	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:28.352205038 CET	192.168.2.14	8.8.8.8	0xbb99	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:30.955861092 CET	192.168.2.14	8.8.8.8	0xadda	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:33.560578108 CET	192.168.2.14	8.8.8.8	0x3426	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:36.210731983 CET	192.168.2.14	8.8.8.8	0x4b64	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:38.813040972 CET	192.168.2.14	8.8.8.8	0x8754	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:41.463128090 CET	192.168.2.14	8.8.8.8	0x6b5f	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:44.066714048 CET	192.168.2.14	8.8.8.8	0x4c11	Standard query (0)	secure-network-rebirthltd.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 23:57:58.284998894 CET	8.8.8.8	192.168.2.14	0xacf2	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:00.945952892 CET	8.8.8.8	192.168.2.14	0xbac4	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:03.774666071 CET	8.8.8.8	192.168.2.14	0xbb99	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:06.644361973 CET	8.8.8.8	192.168.2.14	0xadda	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:09.361624002 CET	8.8.8.8	192.168.2.14	0x3426	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:12.072446108 CET	8.8.8.8	192.168.2.14	0x4b64	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:14.723131895 CET	8.8.8.8	192.168.2.14	0x8754	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:23.277877092 CET	8.8.8.8	192.168.2.14	0xacf2	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:25.882397890 CET	8.8.8.8	192.168.2.14	0xbac4	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:28.485903978 CET	8.8.8.8	192.168.2.14	0xbb99	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:31.090040922 CET	8.8.8.8	192.168.2.14	0xadda	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:33.694757938 CET	8.8.8.8	192.168.2.14	0x3426	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:36.344449043 CET	8.8.8.8	192.168.2.14	0x4b64	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:38.946942091 CET	8.8.8.8	192.168.2.14	0x8754	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:41.597775936 CET	8.8.8.8	192.168.2.14	0x6b5f	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false
Dec 28, 2024 23:58:44.322448015 CET	8.8.8.8	192.168.2.14	0x4c11	No error (0)	secure-network-rebirthltd.ru	83.222.191.146	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm4.elf PID: 5490, Parent PID: 5416

General

Start time (UTC):	22:57:56
Start date (UTC):	28/12/2024
Path:	/tmp/arm4.elf
Arguments:	/tmp/arm4.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm4.elf PID: 5492, Parent PID: 5490

General

Start time (UTC):	22:57:56
Start date (UTC):	28/12/2024
Path:	/tmp/arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm4.elf PID: 5494, Parent PID: 5492

General

Start time (UTC):	22:57:56
Start date (UTC):	28/12/2024
Path:	/tmp/arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm4.elf PID: 5490, Parent PID: 5416

General

Chronological Activities

Analysis Process: arm4.elf PID: 5492, Parent PID: 5490

General

Chronological Activities

Analysis Process: arm4.elf PID: 5494, Parent PID: 5492

General

Chronological Activities

Linux Analysis Report
arm4.elf