Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
89.250.72.36-mipsel-2024-12-31T13_33_09.elf

Overview

General Information

Sample name:89.250.72.36-mipsel-2024-12-31T13_33_09.elf
Analysis ID:1582854
MD5:55cb568389694191bbbbb32b473596e4
SHA1:51e2020dd084e77c23b2b589464d4e2d88f85e02
SHA256:a0e5d48258b23d1d9ebbfd4f6aa02237041f861f4b9108f04aa34267756296d3
Tags:elfuser-threatquery
Infos:

Detection

Gafgyt
Score:76
Range:0 - 100
Whitelisted:false

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Contains symbols with names commonly found in malware
Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)
Sample contains strings that are user agent strings indicative of HTTP manipulation
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1582854
Start date and time:2024-12-31 17:03:17 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 10m 24s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:89.250.72.36-mipsel-2024-12-31T13_33_09.elf
Detection:MAL
Classification:mal76.troj.linELF@0/0@0/0
Cookbook Comments:
  • Analysis time extended to 480s due to sleep detection in submitted sample

Warnings

  • VT rate limit hit for: 89.250.72.36:666

Runtime Messages

Command:/tmp/89.250.72.36-mipsel-2024-12-31T13_33_09.elf
PID:6220
Exit Code:255
Exit Code Info:
Killed:False
Standard Output:

Standard Error:/lib/ld.so.1: No such file or directory

Process Tree

  • system is lnxubuntu20
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Bashlite, GafgytBashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
89.250.72.36-mipsel-2024-12-31T13_33_09.elfJoeSecurity_GafgytYara detected GafgytJoe Security
    89.250.72.36-mipsel-2024-12-31T13_33_09.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0x9ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9ef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9ff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa00c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa020:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa034:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa048:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa05c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa070:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    6220.1.00007fcce441a000.00007fcce441c000.rw-.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0xc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xe8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x110:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x124:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x138:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x14c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x160:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x174:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x188:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x19c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    6220.1.00007fcce4400000.00007fcce440b000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0x9ee0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9ef4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9f94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fa8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9fe4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x9ff8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa00c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa020:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa034:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa048:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa05c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa070:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    Process Memory Space: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf PID: 6220Linux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0x19af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x19c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x19d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x19eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x19ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a13:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a27:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a3b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a4f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a63:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a77:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a8b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1a9f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1ab3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1ac7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1adb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1aef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1b03:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1b17:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1b2b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x1b3f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elfMalware Configuration Extractor: Gafgyt {"C2 url": "89.250.72.36:666"}
    Multi AV Scanner detection for submitted file
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elfVirustotal: Detection: 28%Perma Link
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elfReversingLabs: Detection: 27%
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
    Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: 6220.1.00007fcce441a000.00007fcce441c000.rw-.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: 6220.1.00007fcce4400000.00007fcce440b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: Process Memory Space: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf PID: 6220, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Contains symbols with names commonly found in malware
    Source: ELF static info symbol of initial sampleName: vseattack
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: 6220.1.00007fcce441a000.00007fcce441c000.rw-.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: 6220.1.00007fcce4400000.00007fcce440b000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: Process Memory Space: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf PID: 6220, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: classification engineClassification label: mal76.troj.linELF@0/0@0/0
    Source: ELF symbol in initial sampleSymbol name: sleep
    Source: ELF symbol in initial sampleSymbol name: usleep
    Source: /tmp/89.250.72.36-mipsel-2024-12-31T13_33_09.elf (PID: 6220)Queries kernel information via 'uname': Jump to behavior
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, 6220.1.00005559e4643000.00005559e46ca000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, 6220.1.00007ffd51abc000.00007ffd51add000.rw-.sdmpBinary or memory string: @x86_64/usr/bin/qemu-mipsel/tmp/89.250.72.36-mipsel-2024-12-31T13_33_09.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/89.250.72.36-mipsel-2024-12-31T13_33_09.elf
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, 6220.1.00005559e4643000.00005559e46ca000.rw-.sdmpBinary or memory string: YU!/etc/qemu-binfmt/mipsel
    Source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, 6220.1.00007ffd51abc000.00007ffd51add000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel

    Stealing of Sensitive Information

    barindex
    Yara detected Gafgyt
    Source: Yara matchFile source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, type: SAMPLE
    Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
    Source: Initial sampleUser agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
    Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
    Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
    Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
    Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

    Remote Access Functionality

    barindex
    Yara detected Gafgyt
    Source: Yara matchFile source: 89.250.72.36-mipsel-2024-12-31T13_33_09.elf, type: SAMPLE

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
    Virtualization/Sandbox Evasion    		OS Credential Dumping11
    Security Software Discovery    		Remote ServicesData from Local System1
    Data Obfuscation    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
    Virtualization/Sandbox Evasion    		Remote Desktop ProtocolData from Removable Media1
    Encrypted Channel    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
    Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact

    Malware Configuration

    Threatname: Gafgyt

    {"C2 url": "89.250.72.36:666"}

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    89.250.72.36-mipsel-2024-12-31T13_33_09.elf29%VirustotalBrowse
    89.250.72.36-mipsel-2024-12-31T13_33_09.elf27%ReversingLabsLinux.Backdoor.Gafgyt

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    89.250.72.36:666true
      		unknown

      World Map of Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public IPs

      IPDomainCountryFlagASNASN NameMalicious
      109.202.202.202
      		unknownSwitzerland
      		13030INIT7CHfalse
      91.189.91.43
      		unknownUnited Kingdom
      		41231CANONICAL-ASGBfalse
      91.189.91.42
      		unknownUnited Kingdom
      		41231CANONICAL-ASGBfalse

      Joe Sandbox View / Context

      IPs

      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
      • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
      91.189.91.43Aqua.arm7.elfGet hashmaliciousMiraiBrowse
        mpsl.elfGet hashmaliciousUnknownBrowse
          Aqua.i686.elfGet hashmaliciousUnknownBrowse
            Aqua.arm6.elfGet hashmaliciousUnknownBrowse
              boatnet.arc.elfGet hashmaliciousMiraiBrowse
                boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                    Aqua.sh4.elfGet hashmaliciousUnknownBrowse
                      Aqua.mips.elfGet hashmaliciousUnknownBrowse
                        boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                          91.189.91.42Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                            mpsl.elfGet hashmaliciousUnknownBrowse
                              Aqua.i686.elfGet hashmaliciousUnknownBrowse
                                Aqua.arm6.elfGet hashmaliciousUnknownBrowse
                                  boatnet.arc.elfGet hashmaliciousMiraiBrowse
                                    boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                      boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                        Aqua.sh4.elfGet hashmaliciousUnknownBrowse
                                          Aqua.mips.elfGet hashmaliciousUnknownBrowse
                                            boatnet.arm7.elfGet hashmaliciousMiraiBrowse

                                              Domains

                                              No context

                                              ASNs

                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              CANONICAL-ASGBboatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                              • 185.125.190.26
                                              Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              mpsl.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              Aqua.i686.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              Aqua.arm6.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              boatnet.arc.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                              • 185.125.190.26
                                              boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              Aqua.sh4.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              CANONICAL-ASGBboatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                              • 185.125.190.26
                                              Aqua.arm7.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              mpsl.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              Aqua.i686.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              Aqua.arm6.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              boatnet.arc.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                              • 185.125.190.26
                                              boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                              • 91.189.91.42
                                              Aqua.sh4.elfGet hashmaliciousUnknownBrowse
                                              • 91.189.91.42
                                              INIT7CHAqua.arm7.elfGet hashmaliciousMiraiBrowse
                                              • 109.202.202.202
                                              mpsl.elfGet hashmaliciousUnknownBrowse
                                              • 109.202.202.202
                                              Aqua.i686.elfGet hashmaliciousUnknownBrowse
                                              • 109.202.202.202
                                              Aqua.arm6.elfGet hashmaliciousUnknownBrowse
                                              • 109.202.202.202
                                              boatnet.arc.elfGet hashmaliciousMiraiBrowse
                                              • 109.202.202.202
                                              boatnet.arm6.elfGet hashmaliciousMiraiBrowse
                                              • 109.202.202.202
                                              boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                              • 109.202.202.202
                                              Aqua.sh4.elfGet hashmaliciousUnknownBrowse
                                              • 109.202.202.202
                                              Aqua.mips.elfGet hashmaliciousUnknownBrowse
                                              • 109.202.202.202
                                              boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                                              • 109.202.202.202

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              No created / dropped files found

                                              Static File Info

                                              General

                                              File type:ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld.so.1, BuildID[sha1]=79d58b127081c19d7a1f18c71191c2e7e59894e7, for GNU/Linux 3.2.0, not stripped
                                              Entropy (8bit):5.134386105016623
                                              TrID:
                                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                              File name:89.250.72.36-mipsel-2024-12-31T13_33_09.elf
                                              File size:52'788 bytes
                                              MD5:55cb568389694191bbbbb32b473596e4
                                              SHA1:51e2020dd084e77c23b2b589464d4e2d88f85e02
                                              SHA256:a0e5d48258b23d1d9ebbfd4f6aa02237041f861f4b9108f04aa34267756296d3
                                              SHA512:7f18316cb5ca6c8d5530b2ca3194efaf8cf10714e4012360f1a044c9b64c7ad1dff772600a8d1ec82ba7277abd0327a35a3bfc9d143101f49aacf27c4de886fa
                                              SSDEEP:384:ymUDkJPyQonihuSMzXk92IHXyLT6BMCq1WYwHuwtyngFi3cjIErBt1OdkrNLNmLV:ymUAyfnGTR+9WYwzyn7Ja8xLvDBC8
                                              TLSH:5033D18EE7426EBBD84EAF71005CC54104EE9CBC72DA5A6B35B9C044FB9F60E1D52D88
                                              File Content Preview:.ELF.................... .@.4...4......p4. ...(. .......4...4.@.4.@.`...`.....................@...@....................p......@...@....................p......@...@...........................@...@...........................A...A.`....A....................@

                                              Static ELF Info

                                              ELF header

                                              Class:ELF32
                                              Data:2's complement, little endian
                                              Version:1 (current)
                                              Machine:MIPS R3000
                                              Version Number:0x1
                                              Type:EXEC (Executable file)
                                              OS/ABI:UNIX - System V
                                              ABI Version:0
                                              Entry Point Address:0x400c20
                                              Flags:0x70001007
                                              ELF Header Size:52
                                              Program Header Offset:52
                                              Program Header Size:32
                                              Number of Program Headers:11
                                              Section Header Offset:51508
                                              Section Header Size:40
                                              Number of Section Headers:32
                                              Header String Table Index:31

                                              Sections

                                              NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                              NULL0x00x00x00x00x0000
                                              .interpPROGBITS0x4001940x1940xd0x00x2A001
                                              .MIPS.abiflagsMIPS_ABIFLAGS0x4001a80x1a80x180x180x2A008
                                              .reginfoMIPS_REGINFO0x4001c00x1c00x180x180x2A004
                                              .note.gnu.build-idNOTE0x4001d80x1d80x240x00x2A004
                                              .note.ABI-tagNOTE0x4001fc0x1fc0x200x00x2A004
                                              .dynamicDYNAMIC0x40021c0x21c0xe80x80x2A904
                                              .hashHASH0x4003040x3040x1940x40x2A804
                                              .dynsymDYNSYM0x4004980x4980x3e00x100x2A914
                                              .dynstrSTRTAB0x4008780x8780x23e0x00x2A001
                                              .gnu.versionVERSYM0x400ab60xab60x7c0x20x2A802
                                              .gnu.version_rVERNEED0x400b340xb340x700x00x2A924
                                              .initPROGBITS0x400ba40xba40x7c0x00x6AX004
                                              .textPROGBITS0x400c200xc200x87f00x00x6AX0016
                                              .MIPS.stubsPROGBITS0x4094100x94100x3600x00x6AX004
                                              .finiPROGBITS0x4097700x97700x440x00x6AX004
                                              .rodataPROGBITS0x4097c00x97c00x10300x00x2A0016
                                              .eh_framePROGBITS0x40a7f00xa7f00x40x00x2A004
                                              .ctorsPROGBITS0x41aff00xaff00x80x00x3WA004
                                              .dtorsPROGBITS0x41aff80xaff80x80x00x3WA004
                                              .dataPROGBITS0x41b0000xb0000x400x00x3WA0016
                                              .rld_mapPROGBITS0x41b0400xb0400x40x00x3WA004
                                              .gotPROGBITS0x41b0500xb0500xfc0x40x10000003WAp0016
                                              .sdataPROGBITS0x41b14c0xb14c0x40x00x10000003WAp004
                                              .bssNOBITS0x41b1500xb1500x40400x00x3WA0016
                                              .commentPROGBITS0x00xb1500x250x10x30MS001
                                              .pdrPROGBITS0x00xb1780x4a00x00x0004
                                              .gnu.attributesGNU_ATTRIBUTES0x00xb6180x100x00x0001
                                              .mdebug.abi32PROGBITS0x00xb6280x00x00x0001
                                              .symtabSYMTAB0x00xb6280xae00x100x030574
                                              .strtabSTRTAB0x00xc1080x7090x00x0001
                                              .shstrtabSTRTAB0x00xc8110x1210x00x0001

                                              Program Segments

                                              TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                              PHDR0x340x4000340x4000340x1600x1602.52490x4R 0x4
                                              INTERP0x1940x4001940x4001940xd0xd3.23890x4R 0x1/lib/ld.so.1.interp
                                              ABIFLAGS0x1a80x4001a80x4001a80x180x181.13870x4R 0x8.MIPS.abiflags
                                              <unknown>0x1c00x4001c00x4001c00x180x181.22200x4R 0x4.reginfo
                                              LOAD0x00x4000000x4000000xa7f40xa7f45.31770x5R E0x10000.interp .MIPS.abiflags .reginfo .note.gnu.build-id .note.ABI-tag .dynamic .hash .dynsym .dynstr .gnu.version .gnu.version_r .init .text .MIPS.stubs .fini .rodata .eh_frame
                                              LOAD0xaff00x41aff00x41aff00x1600x41a03.23410x6RW 0x10000.ctors .dtors .data .rld_map .got .sdata .bss
                                              DYNAMIC0x21c0x40021c0x40021c0xe80xe82.71980x4R 0x4.dynamic
                                              NOTE0x1d80x4001d80x4001d80x440x443.36730x4R 0x4.note.gnu.build-id .note.ABI-tag
                                              GNU_STACK0x00x00x00x00x00.00000x7RWE0x10
                                              GNU_RELRO0xaff00x41aff00x41aff00x100x101.00000x4R 0x1.ctors .dtors
                                              NULL0x00x00x00x00x00.00000x0 0x4

                                              Dynamic Tags

                                              TypeMetaValueTag
                                              DT_NEEDEDsharedliblibc.so.60x1
                                              DT_NEEDEDsharedlibld.so.10x1
                                              DT_INITvalue0x400ba40xc
                                              DT_FINIvalue0x4097700xd
                                              DT_HASHvalue0x4003040x4
                                              DT_STRTABvalue0x4008780x5
                                              DT_SYMTABvalue0x4004980x6
                                              DT_STRSZbytes5740xa
                                              DT_SYMENTbytes160xb
                                              DT_MIPS_RLD_MAPvalue0x41b0400x70000016
                                              DT_MIPS_RLD_MAP_RELvalue0x1add40x70000035
                                              DT_DEBUGvalue0x00x15
                                              DT_PLTGOTvalue0x41b0500x3
                                              DT_MIPS_RLD_VERSIONvalue0x10x70000001
                                              DT_MIPS_FLAGSvalue0x20x70000005
                                              DT_MIPS_BASE_ADDRESSvalue0x4000000x70000006
                                              DT_MIPS_LOCAL_GOTNOvalue0x60x7000000a
                                              DT_MIPS_SYMTABNOvalue0x3e0x70000011
                                              DT_MIPS_UNREFEXTNOvalue0x1d0x70000012
                                              DT_MIPS_GOTSYMvalue0x50x70000013
                                              DT_VERNEEDvalue0x400b340x6ffffffe
                                              DT_VERNEEDNUMvalue20x6fffffff
                                              DT_VERSYMvalue0x400ab60x6ffffff0
                                              DT_NULLvalue0x00x0

                                              Symbols

                                              NameVersion Info NameVersion Info File NameSection NameValueSizeSymbol TypeSymbol BindSymbol VisibilityNdx
                                              .dynsym0x00NOTYPE<unknown>DEFAULTSHN_UNDEF
                                              _DYNAMIC_LINKING.dynsym0x10SECTION<unknown>DEFAULTSHN_ABS
                                              _IO_stdin_used.dynsym0x4097c04OBJECT<unknown>DEFAULT16
                                              _ITM_deregisterTMCloneTable.dynsym0x00NOTYPE<unknown>DEFAULTSHN_UNDEF
                                              _ITM_registerTMCloneTable.dynsym0x00NOTYPE<unknown>DEFAULTSHN_UNDEF
                                              __RLD_MAP.dynsym0x41b0400OBJECT<unknown>DEFAULT21
                                              __errno_locationGLIBC_2.0libc.so.6.dynsym0x4096500FUNC<unknown>DEFAULTSHN_UNDEF
                                              __gmon_start__.dynsym0x00FUNC<unknown>DEFAULTSHN_UNDEF
                                              __libc_start_mainGLIBC_2.34libc.so.6.dynsym0x4094400FUNC<unknown>DEFAULTSHN_UNDEF
                                              __stack_chk_failGLIBC_2.4libc.so.6.dynsym0x4095100FUNC<unknown>DEFAULTSHN_UNDEF
                                              __stack_chk_guardGLIBC_2.4ld.so.1.dynsym0x00OBJECT<unknown>DEFAULTSHN_UNDEF
                                              _exitGLIBC_2.0libc.so.6.dynsym0x4094600FUNC<unknown>DEFAULTSHN_UNDEF
                                              accessGLIBC_2.0libc.so.6.dynsym0x4096700FUNC<unknown>DEFAULTSHN_UNDEF
                                              atoiGLIBC_2.0libc.so.6.dynsym0x4096e00FUNC<unknown>DEFAULTSHN_UNDEF
                                              chdirGLIBC_2.0libc.so.6.dynsym0x4095000FUNC<unknown>DEFAULTSHN_UNDEF
                                              closeGLIBC_2.0libc.so.6.dynsym0x4097400FUNC<unknown>DEFAULTSHN_UNDEF
                                              connectGLIBC_2.0libc.so.6.dynsym0x4097200FUNC<unknown>DEFAULTSHN_UNDEF
                                              exitGLIBC_2.0libc.so.6.dynsym0x4095b00FUNC<unknown>DEFAULTSHN_UNDEF
                                              fcntlGLIBC_2.28libc.so.6.dynsym0x4096400FUNC<unknown>DEFAULTSHN_UNDEF
                                              forkGLIBC_2.0libc.so.6.dynsym0x4096a00FUNC<unknown>DEFAULTSHN_UNDEF
                                              freeGLIBC_2.0libc.so.6.dynsym0x4094800FUNC<unknown>DEFAULTSHN_UNDEF
                                              gethostbynameGLIBC_2.0libc.so.6.dynsym0x4097100FUNC<unknown>DEFAULTSHN_UNDEF
                                              getpidGLIBC_2.0libc.so.6.dynsym0x4095800FUNC<unknown>DEFAULTSHN_UNDEF
                                              getsocknameGLIBC_2.0libc.so.6.dynsym0x4096d00FUNC<unknown>DEFAULTSHN_UNDEF
                                              getsockoptGLIBC_2.0libc.so.6.dynsym0x4095300FUNC<unknown>DEFAULTSHN_UNDEF
                                              htonlGLIBC_2.0libc.so.6.dynsym0x4096b00FUNC<unknown>DEFAULTSHN_UNDEF
                                              htonsGLIBC_2.0libc.so.6.dynsym0x4095200FUNC<unknown>DEFAULTSHN_UNDEF
                                              inet_addrGLIBC_2.0libc.so.6.dynsym0x4097000FUNC<unknown>DEFAULTSHN_UNDEF
                                              inet_ntoaGLIBC_2.0libc.so.6.dynsym0x4094c00FUNC<unknown>DEFAULTSHN_UNDEF
                                              ioctlGLIBC_2.0libc.so.6.dynsym0x4095400FUNC<unknown>DEFAULTSHN_UNDEF
                                              isspaceGLIBC_2.0libc.so.6.dynsym0x4094a00FUNC<unknown>DEFAULTSHN_UNDEF
                                              killGLIBC_2.0libc.so.6.dynsym0x4095c00FUNC<unknown>DEFAULTSHN_UNDEF
                                              main.dynsym0x408a702368FUNC<unknown>DEFAULT13
                                              mallocGLIBC_2.0libc.so.6.dynsym0x4095900FUNC<unknown>DEFAULTSHN_UNDEF
                                              memcpyGLIBC_2.0libc.so.6.dynsym0x4094900FUNC<unknown>DEFAULTSHN_UNDEF
                                              memmoveGLIBC_2.0libc.so.6.dynsym0x4094700FUNC<unknown>DEFAULTSHN_UNDEF
                                              memsetGLIBC_2.0libc.so.6.dynsym0x4096300FUNC<unknown>DEFAULTSHN_UNDEF
                                              ntohlGLIBC_2.0libc.so.6.dynsym0x4095a00FUNC<unknown>DEFAULTSHN_UNDEF
                                              openGLIBC_2.0libc.so.6.dynsym0x4095d00FUNC<unknown>DEFAULTSHN_UNDEF
                                              randGLIBC_2.0libc.so.6.dynsym0x4096600FUNC<unknown>DEFAULTSHN_UNDEF
                                              readGLIBC_2.0libc.so.6.dynsym0x4094500FUNC<unknown>DEFAULTSHN_UNDEF
                                              recvGLIBC_2.0libc.so.6.dynsym0x4097300FUNC<unknown>DEFAULTSHN_UNDEF
                                              selectGLIBC_2.0libc.so.6.dynsym0x4094f00FUNC<unknown>DEFAULTSHN_UNDEF
                                              sendGLIBC_2.0libc.so.6.dynsym0x4097500FUNC<unknown>DEFAULTSHN_UNDEF
                                              sendtoGLIBC_2.0libc.so.6.dynsym0x4096800FUNC<unknown>DEFAULTSHN_UNDEF
                                              setsidGLIBC_2.0libc.so.6.dynsym0x4095e00FUNC<unknown>DEFAULTSHN_UNDEF
                                              setsockoptGLIBC_2.0libc.so.6.dynsym0x4094100FUNC<unknown>DEFAULTSHN_UNDEF
                                              signalGLIBC_2.0libc.so.6.dynsym0x4094d00FUNC<unknown>DEFAULTSHN_UNDEF
                                              sleepGLIBC_2.0libc.so.6.dynsym0x4094e00FUNC<unknown>DEFAULTSHN_UNDEF
                                              socketGLIBC_2.0libc.so.6.dynsym0x4096f00FUNC<unknown>DEFAULTSHN_UNDEF
                                              srandGLIBC_2.0libc.so.6.dynsym0x4095f00FUNC<unknown>DEFAULTSHN_UNDEF
                                              strchrGLIBC_2.0libc.so.6.dynsym0x4096000FUNC<unknown>DEFAULTSHN_UNDEF
                                              strcmpGLIBC_2.0libc.so.6.dynsym0x4094300FUNC<unknown>DEFAULTSHN_UNDEF
                                              strcpyGLIBC_2.0libc.so.6.dynsym0x4095700FUNC<unknown>DEFAULTSHN_UNDEF
                                              strlenGLIBC_2.0libc.so.6.dynsym0x4096100FUNC<unknown>DEFAULTSHN_UNDEF
                                              strstrGLIBC_2.0libc.so.6.dynsym0x4094200FUNC<unknown>DEFAULTSHN_UNDEF
                                              strtokGLIBC_2.0libc.so.6.dynsym0x4096900FUNC<unknown>DEFAULTSHN_UNDEF
                                              timeGLIBC_2.0libc.so.6.dynsym0x4094b00FUNC<unknown>DEFAULTSHN_UNDEF
                                              toupperGLIBC_2.0libc.so.6.dynsym0x4096c00FUNC<unknown>DEFAULTSHN_UNDEF
                                              usleepGLIBC_2.0libc.so.6.dynsym0x4095600FUNC<unknown>DEFAULTSHN_UNDEF
                                              waitpidGLIBC_2.0libc.so.6.dynsym0x4095500FUNC<unknown>DEFAULTSHN_UNDEF
                                              writeGLIBC_2.0libc.so.6.dynsym0x4096200FUNC<unknown>DEFAULTSHN_UNDEF
                                              .symtab0x00NOTYPE<unknown>DEFAULTSHN_UNDEF
                                              .symtab0x4001940SECTION<unknown>DEFAULT1
                                              .symtab0x4001a80SECTION<unknown>DEFAULT2
                                              .symtab0x4001c00SECTION<unknown>DEFAULT3
                                              .symtab0x4001d80SECTION<unknown>DEFAULT4
                                              GLIBC_2.0libc.so.6.symtab0x4001fc0SECTION<unknown>DEFAULT5
                                              GLIBC_2.0libc.so.6.symtab0x40021c0SECTION<unknown>DEFAULT6
                                              GLIBC_2.0libc.so.6.symtab0x4003040SECTION<unknown>DEFAULT7
                                              GLIBC_2.0libc.so.6.symtab0x4004980SECTION<unknown>DEFAULT8
                                              GLIBC_2.0libc.so.6.symtab0x4008780SECTION<unknown>DEFAULT9
                                              GLIBC_2.0libc.so.6.symtab0x400ab60SECTION<unknown>DEFAULT10
                                              .symtab0x400b340SECTION<unknown>DEFAULT11
                                              GLIBC_2.0libc.so.6.symtab0x400ba40SECTION<unknown>DEFAULT12
                                              GLIBC_2.0libc.so.6.symtab0x400c200SECTION<unknown>DEFAULT13
                                              GLIBC_2.0libc.so.6.symtab0x4094100SECTION<unknown>DEFAULT14
                                              GLIBC_2.0libc.so.6.symtab0x4097700SECTION<unknown>DEFAULT15
                                              GLIBC_2.0libc.so.6.symtab0x4097c00SECTION<unknown>DEFAULT16
                                              GLIBC_2.0libc.so.6.symtab0x40a7f00SECTION<unknown>DEFAULT17
                                              GLIBC_2.0libc.so.6.symtab0x41aff00SECTION<unknown>DEFAULT18
                                              GLIBC_2.0libc.so.6.symtab0x41aff80SECTION<unknown>DEFAULT19
                                              GLIBC_2.0libc.so.6.symtab0x41b0000SECTION<unknown>DEFAULT20
                                              GLIBC_2.0libc.so.6.symtab0x41b0400SECTION<unknown>DEFAULT21
                                              GLIBC_2.0libc.so.6.symtab0x41b0500SECTION<unknown>DEFAULT22
                                              GLIBC_2.28libc.so.6.symtab0x41b14c0SECTION<unknown>DEFAULT23
                                              GLIBC_2.0libc.so.6.symtab0x41b1500SECTION<unknown>DEFAULT24
                                              GLIBC_2.0libc.so.6.symtab0x00SECTION<unknown>DEFAULT25
                                              GLIBC_2.0libc.so.6.symtab0x00SECTION<unknown>DEFAULT26
                                              GLIBC_2.0libc.so.6.symtab0x00SECTION<unknown>DEFAULT27
                                              GLIBC_2.0libc.so.6.symtab0x00SECTION<unknown>DEFAULT28
                                              GLIBC_2.0libc.so.6.symtab0x00FILE<unknown>DEFAULTSHN_ABS
                                              QGLIBC_2.0libc.so.6.symtab0x41b18416384OBJECT<unknown>DEFAULT24
                                              SendSTD.symtab0x40491c472FUNC<unknown>DEFAULT13
                                              SendSTDHEX.symtab0x403bdc496FUNC<unknown>DEFAULT13
                                              SendSTD_HEX.symtab0x404cd8544FUNC<unknown>DEFAULT13
                                              SendUDP.symtab0x402e241512FUNC<unknown>DEFAULT13
                                              _DYNAMICGLIBC_2.0libc.so.6.symtab0x40021c0OBJECT<unknown>DEFAULT6
                                              _DYNAMIC_LINKING.symtab0x10SECTION<unknown>DEFAULTSHN_ABS
                                              _GLOBAL_OFFSET_TABLE_.symtab0x41b0500OBJECT<unknown>HIDDEN22
                                              _IO_stdin_used.symtab0x4097c04OBJECT<unknown>DEFAULT16
                                              _ITM_deregisterTMCloneTable.symtab0x00NOTYPE<unknown>DEFAULTSHN_UNDEF
                                              _ITM_registerTMCloneTable.symtab0x00NOTYPE<unknown>DEFAULTSHN_UNDEF
                                              _MIPS_STUBS_GLIBC_2.0libc.so.6.symtab0x4094100FUNC<unknown>DEFAULT14
                                              __CTOR_END__GLIBC_2.0libc.so.6.symtab0x41aff40OBJECT<unknown>DEFAULT18
                                              __CTOR_LIST__.symtab0x41aff00OBJECT<unknown>DEFAULT18
                                              __DTOR_END__.symtab0x41affc0OBJECT<unknown>HIDDEN19
                                              __DTOR_LIST__GLIBC_2.0libc.so.6.symtab0x41aff80OBJECT<unknown>DEFAULT19
                                              __FRAME_END__GLIBC_2.4libc.so.6.symtab0x40a7f00OBJECT<unknown>DEFAULT17
                                              __RLD_MAP.symtab0x41b0400OBJECT<unknown>DEFAULT21
                                              __TMC_END__.symtab0x41b0440OBJECT<unknown>HIDDEN21
                                              __abi_tagGLIBC_2.0libc.so.6.symtab0x4001fc32OBJECT<unknown>DEFAULT5
                                              __bss_start.symtab0x41b1500NOTYPE<unknown>DEFAULT24
                                              __data_start.symtab0x41b0000NOTYPE<unknown>DEFAULT20
                                              __do_global_ctors_auxGLIBC_2.0libc.so.6.symtab0x4093b00FUNC<unknown>DEFAULT13
                                              __do_global_dtors_auxGLIBC_2.0libc.so.6.symtab0x400d040FUNC<unknown>DEFAULT13
                                              __dso_handle.symtab0x41b14c0OBJECT<unknown>HIDDEN23
                                              __errno_location@GLIBC_2.0.symtab0x4096500FUNC<unknown>DEFAULTSHN_UNDEF
                                              __gmon_start__.symtab0x00FUNC<unknown>DEFAULTSHN_UNDEF
                                              __libc_start_main@GLIBC_2.34GLIBC_2.0libc.so.6.symtab0x4094400FUNC<unknown>DEFAULTSHN_UNDEF
                                              __stack_chk_fail@GLIBC_2.4.symtab0x4095100FUNC<unknown>DEFAULTSHN_UNDEF
                                              __stack_chk_guard@GLIBC_2.4.symtab0x00OBJECT<unknown>DEFAULTSHN_UNDEF
                                              __start.symtab0x400c200FUNC<unknown>DEFAULT13
                                              _edata.symtab0x41b1500NOTYPE<unknown>DEFAULT23
                                              _end.symtab0x41f1900NOTYPE<unknown>DEFAULT24
                                              _exit@GLIBC_2.0.symtab0x4094600FUNC<unknown>DEFAULTSHN_UNDEF
                                              _fbss.symtab0x41b1500NOTYPE<unknown>DEFAULT24
                                              _fdata.symtab0x41b0000NOTYPE<unknown>DEFAULT20
                                              _fini.symtab0x4097700FUNC<unknown>HIDDEN15
                                              _ftext.symtab0x400c200NOTYPE<unknown>DEFAULT13
                                              _gp.symtab0x4230400NOTYPE<unknown>DEFAULT22
                                              _init.symtab0x400ba40FUNC<unknown>HIDDEN12
                                              access@GLIBC_2.0.symtab0x4096700FUNC<unknown>DEFAULTSHN_UNDEF
                                              astd.symtab0x40645c492FUNC<unknown>DEFAULT13
                                              atcp.symtab0x405c8c2000FUNC<unknown>DEFAULT13
                                              atoi@GLIBC_2.0.symtab0x4096e00FUNC<unknown>DEFAULTSHN_UNDEF
                                              audp.symtab0x4054e81956FUNC<unknown>DEFAULT13
                                              bot.cGLIBC_2.0libc.so.6.symtab0x00FILE<unknown>DEFAULTSHN_ABS
                                              cGLIBC_2.0libc.so.6.symtab0x41b0144OBJECT<unknown>DEFAULT20
                                              chdir@GLIBC_2.0.symtab0x4095000FUNC<unknown>DEFAULTSHN_UNDEF
                                              close@GLIBC_2.0.symtab0x4097400FUNC<unknown>DEFAULTSHN_UNDEF
                                              commServer.symtab0x41b0204OBJECT<unknown>DEFAULT20
                                              completed.1GLIBC_2.0libc.so.6.symtab0x41b1501OBJECT<unknown>DEFAULT24
                                              connect@GLIBC_2.0.symtab0x4097200FUNC<unknown>DEFAULTSHN_UNDEF
                                              connectTimeout.symtab0x402560872FUNC<unknown>DEFAULT13
                                              crt1.oGLIBC_2.0libc.so.6.symtab0x00FILE<unknown>DEFAULTSHN_ABS
                                              crtstuff.cGLIBC_2.0libc.so.6.symtab0x00FILE<unknown>DEFAULTSHN_ABS
                                              crtstuff.cGLIBC_2.0libc.so.6.symtab0x00FILE<unknown>DEFAULTSHN_ABS
                                              csum.symtab0x402aa8312FUNC<unknown>DEFAULT13
                                              currentServer.symtab0x41b0104OBJECT<unknown>DEFAULT20
                                              data_start.symtab0x41b0000NOTYPE<unknown>DEFAULT20
                                              deregister_tm_clonesGLIBC_2.0libc.so.6.symtab0x400c800FUNC<unknown>DEFAULT13
                                              dtor_idx.0GLIBC_2.0libc.so.6.symtab0x41b1544OBJECT<unknown>DEFAULT24
                                              exit@GLIBC_2.0.symtab0x4095b00FUNC<unknown>DEFAULTSHN_UNDEF
                                              fcntl@GLIBC_2.28.symtab0x4096400FUNC<unknown>DEFAULTSHN_UNDEF
                                              fdgets.symtab0x4010bc240FUNC<unknown>DEFAULT13
                                              fork@GLIBC_2.0.symtab0x4096a00FUNC<unknown>DEFAULTSHN_UNDEF
                                              frame_dummyGLIBC_2.0libc.so.6.symtab0x400db40FUNC<unknown>DEFAULT13
                                              free@GLIBC_2.0.symtab0x4094800FUNC<unknown>DEFAULTSHN_UNDEF
                                              ftcp.symtab0x40340c2000FUNC<unknown>DEFAULT13
                                              getArch.symtab0x40664840FUNC<unknown>DEFAULT13
                                              getHost.symtab0x40207c132FUNC<unknown>DEFAULT13
                                              getOurIP.symtab0x4011ac880FUNC<unknown>DEFAULT13
                                              getPortz.symtab0x406670316FUNC<unknown>DEFAULT13
                                              getRandomIP.symtab0x401030140FUNC<unknown>DEFAULT13
                                              gethostbyname@GLIBC_2.0.symtab0x4097100FUNC<unknown>DEFAULTSHN_UNDEF
                                              getpid@GLIBC_2.0.symtab0x4095800FUNC<unknown>DEFAULTSHN_UNDEF
                                              getsockname@GLIBC_2.0.symtab0x4096d00FUNC<unknown>DEFAULTSHN_UNDEF
                                              getsockopt@GLIBC_2.0.symtab0x4095300FUNC<unknown>DEFAULTSHN_UNDEF
                                              gotIPGLIBC_2.0libc.so.6.symtab0x41b1644OBJECT<unknown>DEFAULT24
                                              hltGLIBC_2.0libc.so.6.symtab0x400c700NOTYPE<unknown>DEFAULT13
                                              htonl@GLIBC_2.0.symtab0x4096b00FUNC<unknown>DEFAULTSHN_UNDEF
                                              htons@GLIBC_2.0.symtab0x4095200FUNC<unknown>DEFAULTSHN_UNDEF
                                              i.0GLIBC_2.0libc.so.6.symtab0x41b0184OBJECT<unknown>DEFAULT20
                                              inet_addr@GLIBC_2.0.symtab0x4097000FUNC<unknown>DEFAULTSHN_UNDEF
                                              inet_ntoa@GLIBC_2.0.symtab0x4094c00FUNC<unknown>DEFAULTSHN_UNDEF
                                              initConnection.symtab0x408838568FUNC<unknown>DEFAULT13
                                              init_rand.symtab0x400dc0260FUNC<unknown>DEFAULT13
                                              ioctl@GLIBC_2.0.symtab0x4095400FUNC<unknown>DEFAULTSHN_UNDEF
                                              isspace@GLIBC_2.0.symtab0x4094a00FUNC<unknown>DEFAULTSHN_UNDEF
                                              kill@GLIBC_2.0.symtab0x4095c00FUNC<unknown>DEFAULTSHN_UNDEF
                                              listFork.symtab0x4028c8480FUNC<unknown>DEFAULT13
                                              macAddress.symtab0x41b17c6OBJECT<unknown>DEFAULT24
                                              main.symtab0x408a702368FUNC<unknown>DEFAULT13
                                              mainCommSock.symtab0x41b1604OBJECT<unknown>DEFAULT24
                                              makeIPPacket.symtab0x402d48220FUNC<unknown>DEFAULT13
                                              makeRandomStr.symtab0x402100176FUNC<unknown>DEFAULT13
                                              makevsepacket.symtab0x403f9c312FUNC<unknown>DEFAULT13
                                              malloc@GLIBC_2.0.symtab0x4095900FUNC<unknown>DEFAULTSHN_UNDEF
                                              memcpy@GLIBC_2.0.symtab0x4094900FUNC<unknown>DEFAULTSHN_UNDEF
                                              memmove@GLIBC_2.0.symtab0x4094700FUNC<unknown>DEFAULTSHN_UNDEF
                                              memset@GLIBC_2.0.symtab0x4096300FUNC<unknown>DEFAULTSHN_UNDEF
                                              ntohl@GLIBC_2.0.symtab0x4095a00FUNC<unknown>DEFAULTSHN_UNDEF
                                              numpids.symtab0x41b1708OBJECT<unknown>DEFAULT24
                                              open@GLIBC_2.0.symtab0x4095d00FUNC<unknown>DEFAULTSHN_UNDEF
                                              ourIP.symtab0x41b1784OBJECT<unknown>DEFAULT24
                                              pids.symtab0x41b1684OBJECT<unknown>DEFAULT24
                                              printGLIBC_2.0libc.so.6.symtab0x401ac41092FUNC<unknown>DEFAULT13
                                              printcharGLIBC_2.0libc.so.6.symtab0x401690160FUNC<unknown>DEFAULT13
                                              printiGLIBC_2.4ld.so.1.symtab0x4018b8524FUNC<unknown>DEFAULT13
                                              printsGLIBC_2.0libc.so.6.symtab0x401730392FUNC<unknown>DEFAULT13
                                              processCmd.symtab0x4067ac8332FUNC<unknown>DEFAULT13
                                              rand@GLIBC_2.0.symtab0x4096600FUNC<unknown>DEFAULTSHN_UNDEF
                                              rand_cmwc.symtab0x400ec4364FUNC<unknown>DEFAULT13
                                              read@GLIBC_2.0.symtab0x4094500FUNC<unknown>DEFAULTSHN_UNDEF
                                              recv@GLIBC_2.0.symtab0x4097300FUNC<unknown>DEFAULTSHN_UNDEF
                                              recvLine.symtab0x4021b0944FUNC<unknown>DEFAULT13
                                              register_tm_clonesGLIBC_2.0libc.so.6.symtab0x400cb80FUNC<unknown>DEFAULT13
                                              rtcp.symtab0x404ef81520FUNC<unknown>DEFAULT13
                                              select@GLIBC_2.0.symtab0x4094f00FUNC<unknown>DEFAULTSHN_UNDEF
                                              send@GLIBC_2.0.symtab0x4097500FUNC<unknown>DEFAULTSHN_UNDEF
                                              sendto@GLIBC_2.0.symtab0x4096800FUNC<unknown>DEFAULTSHN_UNDEF
                                              setsid@GLIBC_2.0.symtab0x4095e00FUNC<unknown>DEFAULTSHN_UNDEF
                                              setsockopt@GLIBC_2.0GLIBC_2.0libc.so.6.symtab0x4094100FUNC<unknown>DEFAULTSHN_UNDEF
                                              signal@GLIBC_2.0.symtab0x4094d00FUNC<unknown>DEFAULTSHN_UNDEF
                                              sleep@GLIBC_2.0.symtab0x4094e00FUNC<unknown>DEFAULTSHN_UNDEF
                                              socket@GLIBC_2.0.symtab0x4096f00FUNC<unknown>DEFAULTSHN_UNDEF
                                              socket_connect.symtab0x403dcc464FUNC<unknown>DEFAULT13
                                              sockprintf.symtab0x401f08372FUNC<unknown>DEFAULT13
                                              srand@GLIBC_2.0.symtab0x4095f00FUNC<unknown>DEFAULTSHN_UNDEF
                                              stdhexflood.symtab0x404af4484FUNC<unknown>DEFAULT13
                                              strchr@GLIBC_2.0.symtab0x4096000FUNC<unknown>DEFAULTSHN_UNDEF
                                              strcmp@GLIBC_2.0GLIBC_2.0libc.so.6.symtab0x4094300FUNC<unknown>DEFAULTSHN_UNDEF
                                              strcpy@GLIBC_2.0.symtab0x4095700FUNC<unknown>DEFAULTSHN_UNDEF
                                              strlen@GLIBC_2.0.symtab0x4096100FUNC<unknown>DEFAULTSHN_UNDEF
                                              strstr@GLIBC_2.0GLIBC_2.34libc.so.6.symtab0x4094200FUNC<unknown>DEFAULTSHN_UNDEF
                                              strtok@GLIBC_2.0.symtab0x4096900FUNC<unknown>DEFAULTSHN_UNDEF
                                              tcpcsum.symtab0x402be0360FUNC<unknown>DEFAULT13
                                              time@GLIBC_2.0.symtab0x4094b00FUNC<unknown>DEFAULTSHN_UNDEF
                                              toupper@GLIBC_2.0.symtab0x4096c00FUNC<unknown>DEFAULTSHN_UNDEF
                                              trim.symtab0x40151c372FUNC<unknown>DEFAULT13
                                              useragents.symtab0x41b02428OBJECT<unknown>DEFAULT20
                                              usleep@GLIBC_2.0.symtab0x4095600FUNC<unknown>DEFAULTSHN_UNDEF
                                              vseattack.symtab0x4040d42120FUNC<unknown>DEFAULT13
                                              waitpid@GLIBC_2.0.symtab0x4095500FUNC<unknown>DEFAULTSHN_UNDEF
                                              write@GLIBC_2.0.symtab0x4096200FUNC<unknown>DEFAULTSHN_UNDEF

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              Dec 31, 2024 17:03:56.313676119 CET43928443192.168.2.2391.189.91.42
                                              Dec 31, 2024 17:04:01.689177990 CET42836443192.168.2.2391.189.91.43
                                              Dec 31, 2024 17:04:03.480792046 CET4251680192.168.2.23109.202.202.202
                                              Dec 31, 2024 17:04:16.790968895 CET43928443192.168.2.2391.189.91.42
                                              Dec 31, 2024 17:04:29.077236891 CET42836443192.168.2.2391.189.91.43
                                              Dec 31, 2024 17:04:33.172697067 CET4251680192.168.2.23109.202.202.202
                                              Dec 31, 2024 17:04:57.745269060 CET43928443192.168.2.2391.189.91.42

                                              System Behavior

                                              General

                                              Start time (UTC):16:03:54
                                              Start date (UTC):31/12/2024
                                              Path:/tmp/89.250.72.36-mipsel-2024-12-31T13_33_09.elf
                                              Arguments:/tmp/89.250.72.36-mipsel-2024-12-31T13_33_09.elf
                                              File size:5773336 bytes
                                              MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                                              Chronological Activities