Edit tour

Linux Analysis Report
wind.spc.elf

Overview

General Information

Sample name:	wind.spc.elf
Analysis ID:	1583161
MD5:	8f00e22d7347c6ff340fe95cd872f89d
SHA1:	21ddad83e72c0300ab1e373845298497e4188efb
SHA256:	175467743109e720a36994b63b80f60f8b009c2f8eedea1c8c65de3225223af9
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample tries to kill multiple processes (SIGKILL)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583161
Start date and time:	2025-01-02 05:25:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	wind.spc.elf
Detection:	MAL
Classification:	mal76.spre.troj.linELF@0/0@2/0

Runtime Messages

Command:	/tmp/wind.spc.elf
PID:	5834
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

wind.spc.elf (PID: 5834, Parent: 5761, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/wind.spc.elf

wind.spc.elf New Fork (PID: 5837, Parent: 5834)

wind.spc.elf New Fork (PID: 5839, Parent: 5834)

wind.spc.elf New Fork (PID: 5840, Parent: 5834)

xfce4-panel New Fork (PID: 5844, Parent: 3235)

wrapper-2.0 (PID: 5844, Parent: 3235, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"

xfce4-panel New Fork (PID: 5845, Parent: 3235)

wrapper-2.0 (PID: 5845, Parent: 3235, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"

xfce4-panel New Fork (PID: 5846, Parent: 3235)

wrapper-2.0 (PID: 5846, Parent: 3235, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"

xfce4-panel New Fork (PID: 5847, Parent: 3235)

wrapper-2.0 (PID: 5847, Parent: 3235, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"

xfce4-panel New Fork (PID: 5848, Parent: 3235)

wrapper-2.0 (PID: 5848, Parent: 3235, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"

xfce4-panel New Fork (PID: 5849, Parent: 3235)

wrapper-2.0 (PID: 5849, Parent: 3235, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wind.spc.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
wind.spc.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc958:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc96c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc980:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc994:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcaac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcac0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcad4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcae8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
wind.spc.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xceb8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64

Memory Dumps

Source	Rule	Description	Author	Strings
5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc958:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc96c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc980:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc994:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcaac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcac0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcad4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcae8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xceb8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc958:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc96c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc980:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc994:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc9f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca0c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca20:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca34:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xca98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcaac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcac0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcad4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xcae8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0xceb8:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: wind.spc.elf PID: 5834	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: wind.spc.elf PID: 5834	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x5993:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59bb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a0b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a1f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a33:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a47:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a5b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a6f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a83:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5a97:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5aab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5abf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ad3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ae7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5afb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b0f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b23:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: wind.spc.elf PID: 5834	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x5e51:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: wind.spc.elf PID: 5839	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: wind.spc.elf PID: 5839	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x229d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x22b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x22c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x22d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x22ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2301:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2315:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2329:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x233d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2351:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2365:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2379:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x238d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x23a1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x23b5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x23c9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x23dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x23f1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2405:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2419:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x242d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: wind.spc.elf PID: 5839	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x275b:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 7 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wind.spc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: wind.spc.elf	ReversingLabs: Detection: 65%
Source: wind.spc.elf	Virustotal: Detection: 63%			Perma Link

Source: global traffic

TCP traffic: 192.168.2.15:57914 -> 45.95.169.120:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120
Source: unknown	TCP traffic detected without corresponding DNS query: 45.95.169.120

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Malicious sample detected (through community Yara rule)

Source: wind.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: wind.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: wind.spc.elf PID: 5834, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: wind.spc.elf PID: 5834, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: wind.spc.elf PID: 5839, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: wind.spc.elf PID: 5839, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3192, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3249, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3250, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3251, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3252, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3253, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3255, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3272, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3274, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3298, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5844, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5845, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5846, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5847, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5848, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5849, result: successful	Jump to behavior

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3192, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3249, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3250, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3251, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3252, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3253, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3255, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3272, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3274, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 3298, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5844, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5845, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5846, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5847, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5848, result: successful	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	SIGKILL sent: pid: 5849, result: successful	Jump to behavior

Source: wind.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: wind.spc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: wind.spc.elf PID: 5834, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: wind.spc.elf PID: 5834, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: wind.spc.elf PID: 5839, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: wind.spc.elf PID: 5839, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal76.spre.troj.linELF@0/0@2/0

Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5783/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1185/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3241/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3483/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1732/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1730/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1333/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1695/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3235/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3234/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/911/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/515/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1617/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1615/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3255/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3253/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1591/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3252/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3251/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3250/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/4181/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1623/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3249/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/764/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3368/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1585/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3246/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3488/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/766/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/888/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5820/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1509/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5821/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/804/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3800/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3801/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1867/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3407/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5840/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1484/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1514/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1634/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1479/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1875/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/654/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3379/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/655/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/656/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/931/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1595/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/657/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/812/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/779/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/658/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/933/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5678/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/418/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/419/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3419/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3310/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3275/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3274/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3273/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3394/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3272/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5849/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/782/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3303/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1762/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3027/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1486/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/789/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1806/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5844/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5845/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3701/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5846/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5847/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/5848/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1660/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3440/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/793/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/794/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3316/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/674/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/796/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/675/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/676/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1498/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1497/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1496/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3157/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3278/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3399/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3798/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/3799/cmdline	Jump to behavior
Source: /tmp/wind.spc.elf (PID: 5837)	File opened: /proc/1659/cmdline	Jump to behavior

Source: /tmp/wind.spc.elf (PID: 5834)

Queries kernel information via 'uname':

Jump to behavior

Source: wind.spc.elf, 5834.1.000055fea8bce000.000055fea8c53000.rw-.sdmp, wind.spc.elf, 5839.1.000055fea8bce000.000055fea8c53000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: wind.spc.elf, 5834.1.000055fea8bce000.000055fea8c53000.rw-.sdmp, wind.spc.elf, 5839.1.000055fea8bce000.000055fea8c53000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: wind.spc.elf, 5834.1.00007fffad26f000.00007fffad290000.rw-.sdmp, wind.spc.elf, 5839.1.00007fffad26f000.00007fffad290000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/wind.spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/wind.spc.elf
Source: wind.spc.elf, 5834.1.00007fffad26f000.00007fffad290000.rw-.sdmp, wind.spc.elf, 5839.1.00007fffad26f000.00007fffad290000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: wind.spc.elf, type: SAMPLE
Source: Yara match	File source: 5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wind.spc.elf PID: 5834, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wind.spc.elf PID: 5839, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: wind.spc.elf, type: SAMPLE
Source: Yara match	File source: 5839.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5834.1.00007f5f14011000.00007f5f1401f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wind.spc.elf PID: 5834, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wind.spc.elf PID: 5839, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wind.spc.elf	66%	ReversingLabs	Linux.Backdoor.Mirai
wind.spc.elf	63%	Virustotal		Browse
wind.spc.elf	100%	Avira	EXP/ELF.Gafgyt.D

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.25	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.95.169.120	unknown	Croatia (LOCAL Name: Hrvatska)		42864	GIGANET-HUGigaNetInternetServiceProviderCoHU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.95.169.120	wind.mpsl.elf	Get hash	malicious	Mirai	Browse
	wind.arm7.elf	Get hash	malicious	Mirai	Browse
	m68k.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Mirai	Browse
	x86.elf	Get hash	malicious	Mirai	Browse
	45.95.169.120-mips-2025-01-02T00_17_36.elf	Get hash	malicious	Mirai	Browse
	qlmOM0y98B	Get hash	malicious	Unknown	Browse
	3tgXa7CGc1	Get hash	malicious	Unknown	Browse
	rijsTqU0If	Get hash	malicious	Unknown	Browse
	csB31kWt10	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	wind.mpsl.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	wind.arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	arm.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	i.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	loligang.arm6.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	loligang.arm5.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	B_Y_T_E_x86.elf	Get hash	malicious	Mirai, Okiru	Browse	162.213.35.25
	main_x86_64.elf	Get hash	malicious	Gafgyt, Mirai, Okiru	Browse	162.213.35.25
	89.250.72.36-mips-2024-12-31T13_33_10.elf	Get hash	malicious	Gafgyt	Browse	162.213.35.24
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GIGANET-HUGigaNetInternetServiceProviderCoHU	wind.mpsl.elf	Get hash	malicious	Mirai	Browse	45.95.169.120
	wind.arm7.elf	Get hash	malicious	Mirai	Browse	45.95.169.120
	m68k.elf	Get hash	malicious	Mirai	Browse	45.95.169.120
	arm.elf	Get hash	malicious	Mirai	Browse	45.95.169.120
	x86.elf	Get hash	malicious	Mirai	Browse	45.95.169.120
	45.95.169.120-mips-2025-01-02T00_17_36.elf	Get hash	malicious	Mirai	Browse	45.95.169.120
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	92.52.211.236
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	88.209.217.191
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	5.180.123.145
	IsopYwsaG5.elf	Get hash	malicious	Unknown	Browse	45.95.169.122

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.0664193078609525
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	wind.spc.elf
File size:	58'376 bytes
MD5:	8f00e22d7347c6ff340fe95cd872f89d
SHA1:	21ddad83e72c0300ab1e373845298497e4188efb
SHA256:	175467743109e720a36994b63b80f60f8b009c2f8eedea1c8c65de3225223af9
SHA512:	d4da2fb2c793c265670a02f6c6537e472eebf9dcacaae11b1ed1cc5dc5355c04b142d80734460748cf7f9183a425e938a505e0e152f1c4eed5e17687e5c45367
SSDEEP:	768:RqowmZPu9wtnfbltWgC6BSJsBcfDSTFIuQKqgESnmC/xO+KpAwU:RqtmZPuutfbltZFBSJsBcfDSTFI+BEU
TLSH:	68432921B63A1F13D0E0A47D21FB4B59B1A15ADE26A4C64E7D720F4FFF11680A943DB8
File Content Preview:	.ELF...........................4...x.....4. ...(.......................................................8...P........dt.Q................................@..(....@.2.................#.....b8..`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	57976
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0xc888	0x0	0x6	AX	4
.fini	PROGBITS	0x1c938	0xc938	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1c950	0xc950	0x11b0	0x0	0x2	A	8
.ctors	PROGBITS	0x2e000	0xe000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x2e008	0xe008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x2e018	0xe018	0x220	0x0	0x3	WA	8
.bss	NOBITS	0x2e238	0xe238	0x318	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xe238	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0xdb00	0xdb00	6.1729	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xe000	0x2e000	0x2e000	0x238	0x550	2.9229	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 05:26:20.950009108 CET	57914	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:20.954932928 CET	3778	57914	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:20.954987049 CET	57914	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:20.975811958 CET	57914	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:20.980647087 CET	3778	57914	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:20.980680943 CET	57914	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:20.985502005 CET	3778	57914	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:21.602365971 CET	3778	57914	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:21.602427006 CET	57914	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:21.602607965 CET	57914	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:21.636461973 CET	57916	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:21.641346931 CET	3778	57916	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:21.641673088 CET	57916	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:21.648077011 CET	57916	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:21.652808905 CET	3778	57916	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:21.652868986 CET	57916	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:21.657706976 CET	3778	57916	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:22.307671070 CET	3778	57916	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:22.307790995 CET	57916	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.307790995 CET	57916	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.308763981 CET	57918	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.313601017 CET	3778	57918	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:22.313656092 CET	57918	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.315112114 CET	57918	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.319935083 CET	3778	57918	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:22.319983006 CET	57918	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.324839115 CET	3778	57918	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:22.987725973 CET	3778	57918	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:22.987783909 CET	57918	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:22.987833977 CET	57918	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.033693075 CET	57920	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.038542032 CET	3778	57920	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:23.038592100 CET	57920	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.095658064 CET	57920	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.100461960 CET	3778	57920	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:23.100506067 CET	57920	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.105267048 CET	3778	57920	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:23.684323072 CET	3778	57920	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:23.684374094 CET	57920	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.684416056 CET	57920	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.685201883 CET	57922	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.689976931 CET	3778	57922	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:23.690071106 CET	57922	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.691783905 CET	57922	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.705439091 CET	3778	57922	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:23.705485106 CET	57922	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:23.710258961 CET	3778	57922	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:24.358453035 CET	3778	57922	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:24.358561993 CET	57922	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:24.358561993 CET	57922	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:24.359707117 CET	57924	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:24.364573956 CET	3778	57924	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:24.364625931 CET	57924	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:24.367166996 CET	57924	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:24.371937037 CET	3778	57924	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:24.372160912 CET	57924	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:24.376979113 CET	3778	57924	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.016273975 CET	3778	57924	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.016334057 CET	57924	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.016390085 CET	57924	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.017537117 CET	57926	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.022351980 CET	3778	57926	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.022440910 CET	57926	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.024626017 CET	57926	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.029437065 CET	3778	57926	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.029499054 CET	57926	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.034288883 CET	3778	57926	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.665767908 CET	3778	57926	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.665829897 CET	57926	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.665961027 CET	57926	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.667017937 CET	57928	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.671804905 CET	3778	57928	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.672075033 CET	57928	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.676146030 CET	57928	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.680982113 CET	3778	57928	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:25.681030035 CET	57928	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:25.685854912 CET	3778	57928	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.319300890 CET	3778	57928	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.319380999 CET	57928	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.319489956 CET	57928	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.321099997 CET	57930	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.325968981 CET	3778	57930	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.326067924 CET	57930	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.328887939 CET	57930	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.333693981 CET	3778	57930	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.333744049 CET	57930	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.338577986 CET	3778	57930	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.970410109 CET	3778	57930	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.973516941 CET	57930	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.973516941 CET	57930	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.989501953 CET	57932	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:26.994760036 CET	3778	57932	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:26.994816065 CET	57932	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.065438986 CET	57932	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.070512056 CET	3778	57932	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:27.073436022 CET	57932	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.078404903 CET	3778	57932	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:27.643361092 CET	3778	57932	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:27.643531084 CET	57932	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.643532038 CET	57932	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.644057989 CET	57934	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.648926973 CET	3778	57934	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:27.648997068 CET	57934	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.649732113 CET	57934	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.654668093 CET	3778	57934	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:27.654727936 CET	57934	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:27.659651041 CET	3778	57934	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.305654049 CET	3778	57934	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.305751085 CET	57934	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.305859089 CET	57934	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.306588888 CET	57936	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.311461926 CET	3778	57936	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.311532021 CET	57936	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.312400103 CET	57936	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.317281961 CET	3778	57936	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.317348003 CET	57936	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.322211027 CET	3778	57936	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.960678101 CET	3778	57936	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.960768938 CET	57936	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.960828066 CET	57936	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.961289883 CET	57938	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.966063976 CET	3778	57938	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.966109037 CET	57938	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.966746092 CET	57938	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.971549988 CET	3778	57938	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:28.971585989 CET	57938	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:28.976377010 CET	3778	57938	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:29.613404989 CET	3778	57938	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:29.613559961 CET	57938	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:29.613610029 CET	57938	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:29.614079952 CET	57940	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:29.618948936 CET	3778	57940	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:29.618999958 CET	57940	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:29.619714022 CET	57940	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:29.624545097 CET	3778	57940	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:29.624586105 CET	57940	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:29.629467964 CET	3778	57940	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.263737917 CET	3778	57940	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.263957024 CET	57940	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.263957024 CET	57940	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.264460087 CET	57942	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.269516945 CET	3778	57942	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.269566059 CET	57942	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.270193100 CET	57942	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.274947882 CET	3778	57942	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.275007010 CET	57942	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.279782057 CET	3778	57942	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.934887886 CET	3778	57942	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.934983969 CET	57942	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.934983969 CET	57942	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.935455084 CET	57944	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.940253019 CET	3778	57944	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.940304041 CET	57944	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.940880060 CET	57944	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.945702076 CET	3778	57944	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:30.945745945 CET	57944	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:30.950572014 CET	3778	57944	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:31.585346937 CET	3778	57944	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:31.585458040 CET	57944	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:31.585458040 CET	57944	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:31.585870028 CET	57946	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:31.590627909 CET	3778	57946	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:31.590672970 CET	57946	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:31.591203928 CET	57946	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:31.595942974 CET	3778	57946	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:31.595997095 CET	57946	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:31.600775957 CET	3778	57946	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.237565041 CET	3778	57946	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.237828970 CET	57946	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.237828970 CET	57946	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.238284111 CET	57948	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.243159056 CET	3778	57948	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.243201971 CET	57948	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.243851900 CET	57948	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.248657942 CET	3778	57948	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.248737097 CET	57948	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.253496885 CET	3778	57948	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.898811102 CET	3778	57948	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.898914099 CET	57948	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.898914099 CET	57948	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.899427891 CET	57950	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.904206038 CET	3778	57950	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.904258013 CET	57950	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.904900074 CET	57950	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.909672976 CET	3778	57950	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:32.909734011 CET	57950	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:32.914547920 CET	3778	57950	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:33.548768044 CET	3778	57950	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:33.548886061 CET	57950	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:33.548886061 CET	57950	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:33.549303055 CET	57952	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:33.554111004 CET	3778	57952	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:33.554192066 CET	57952	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:33.555005074 CET	57952	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:33.559834003 CET	3778	57952	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:33.559899092 CET	57952	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:33.564760923 CET	3778	57952	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.221301079 CET	3778	57952	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.221450090 CET	57952	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.221450090 CET	57952	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.221952915 CET	57954	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.226794004 CET	3778	57954	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.226850033 CET	57954	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.227490902 CET	57954	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.232270002 CET	3778	57954	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.232333899 CET	57954	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.237144947 CET	3778	57954	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.870270967 CET	3778	57954	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.870390892 CET	57954	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.870433092 CET	57954	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.870929956 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.875776052 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.875821114 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.876503944 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.881290913 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:34.881330013 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:34.886164904 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:44.886581898 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:26:44.891525030 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:45.082204103 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:26:45.082371950 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:27:45.126245975 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:27:45.131217003 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:27:45.322349072 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:27:45.322402954 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:28:45.366271019 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:28:45.371150970 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:28:45.561800003 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:28:45.561844110 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:29:45.611002922 CET	57956	3778	192.168.2.15	45.95.169.120
Jan 2, 2025 05:29:45.616008043 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:29:45.806545019 CET	3778	57956	45.95.169.120	192.168.2.15
Jan 2, 2025 05:29:45.806601048 CET	57956	3778	192.168.2.15	45.95.169.120

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 05:29:07.769159079 CET	47896	53	192.168.2.15	1.1.1.1
Jan 2, 2025 05:29:07.769207001 CET	33079	53	192.168.2.15	1.1.1.1
Jan 2, 2025 05:29:07.776133060 CET	53	33079	1.1.1.1	192.168.2.15
Jan 2, 2025 05:29:07.776624918 CET	53	47896	1.1.1.1	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 05:29:07.769159079 CET	192.168.2.15	1.1.1.1	0xad84	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 05:29:07.769207001 CET	192.168.2.15	1.1.1.1	0x2635	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 05:29:07.776624918 CET	1.1.1.1	192.168.2.15	0xad84	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false
Jan 2, 2025 05:29:07.776624918 CET	1.1.1.1	192.168.2.15	0xad84	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: wind.spc.elf PID: 5834, Parent PID: 5761

General

Start time (UTC):	04:26:19
Start date (UTC):	02/01/2025
Path:	/tmp/wind.spc.elf
Arguments:	/tmp/wind.spc.elf
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: wind.spc.elf PID: 5837, Parent PID: 5834

General

Start time (UTC):	04:26:19
Start date (UTC):	02/01/2025
Path:	/tmp/wind.spc.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: wind.spc.elf PID: 5839, Parent PID: 5834

General

Start time (UTC):	04:26:19
Start date (UTC):	02/01/2025
Path:	/tmp/wind.spc.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: wind.spc.elf PID: 5840, Parent PID: 5834

General

Start time (UTC):	04:26:19
Start date (UTC):	02/01/2025
Path:	/tmp/wind.spc.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Chronological Activities

Analysis Process: xfce4-panel PID: 5844, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5844, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5845, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5845, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5846, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5846, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5847, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5847, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5848, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5848, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Chronological Activities

Analysis Process: xfce4-panel PID: 5849, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/bin/xfce4-panel
Arguments:	-
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5849, Parent PID: 3235

General

Start time (UTC):	04:26:20
Start date (UTC):	02/01/2025
Path:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments:	/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
File size:	35136 bytes
MD5 hash:	ac0b8a906f359a8ae102244738682e76

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report wind.spc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: wind.spc.elf PID: 5834, Parent PID: 5761

General

Chronological Activities

Analysis Process: wind.spc.elf PID: 5837, Parent PID: 5834

General

Chronological Activities

Analysis Process: wind.spc.elf PID: 5839, Parent PID: 5834

General

Chronological Activities

Analysis Process: wind.spc.elf PID: 5840, Parent PID: 5834

General

Chronological Activities

Analysis Process: xfce4-panel PID: 5844, Parent PID: 3235

General

Chronological Activities

Analysis Process: wrapper-2.0 PID: 5844, Parent PID: 3235

General

Linux Analysis Report
wind.spc.elf