Edit tour

Linux Analysis Report
m68k.elf

Overview

General Information

Sample name:	m68k.elf
Analysis ID:	1583607
MD5:	6933a0c350c3ffb666ab52dd7d11723f
SHA1:	2f3562bdb0318aca845f8d58366cdf571e8175e3
SHA256:	e281f68cb29ddaa918a627dfd49c903b25d7a3fd181a01d654e5025d3a9bd91f
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583607
Start date and time:	2025-01-03 07:56:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	m68k.elf
Detection:	MAL
Classification:	mal48.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/m68k.elf
PID:	5500
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

m68k.elf (PID: 5500, Parent: 5425, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/m68k.elf

m68k.elf New Fork (PID: 5502, Parent: 5500)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: m68k.elf	Virustotal: Detection: 16%			Perma Link
Source: m68k.elf	ReversingLabs: Detection: 18%

Source: global traffic

TCP traffic: 192.168.2.13:41500 -> 85.239.34.134:31337

Source: /tmp/m68k.elf (PID: 5500)

Socket: 0.0.0.0:3142

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@0/0

Source: /tmp/m68k.elf (PID: 5500)

Queries kernel information via 'uname':

Jump to behavior

Source: m68k.elf, 5500.1.00007ffdf89ef000.00007ffdf8a10000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.elf, 5500.1.0000562ebdb29000.0000562ebdb8d000.rw-.sdmp	Binary or memory string: .V!/etc/qemu-binfmt/m68k
Source: m68k.elf, 5500.1.0000562ebdb29000.0000562ebdb8d000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.elf, 5500.1.00007ffdf89ef000.00007ffdf8a10000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
m68k.elf	16%	Virustotal		Browse
m68k.elf	18%	ReversingLabs	Linux.Backdoor.Gafgyt

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.239.34.134	unknown	Russian Federation		134121	RAINBOW-HKRainbownetworklimitedHK	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
85.239.34.134	mips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RAINBOW-HKRainbownetworklimitedHK	mips.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm5.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	spc.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	sh4.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	45.138.161.76
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	45.138.161.75
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	45.138.161.71
	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.061297345925239
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	m68k.elf
File size:	22'100 bytes
MD5:	6933a0c350c3ffb666ab52dd7d11723f
SHA1:	2f3562bdb0318aca845f8d58366cdf571e8175e3
SHA256:	e281f68cb29ddaa918a627dfd49c903b25d7a3fd181a01d654e5025d3a9bd91f
SHA512:	d1ddba12e4f67128fbfd6fee052f8609e0635563786ef2b124d7242c51732233e87976de22cad14b295ac13e0dee40f9ba9bd7472e6f3d252ef35c49b86ca247
SSDEEP:	384:Z98lLJQnacXaOasFBQD5IfAZKqmvPvww/tIrr29IQYcV8HA9EXSxd5:8jtIfAZKqmvTVR80tj5
TLSH:	6DA2F8D2F455FC7EF89AFB3ECC424715B2B4FA21885A1730633BB5ABDAB61840425D42
File Content Preview:	.ELF.......................D...4..Tt.....4. ...(......................R...R...............R...b...b.......).........dt.Q............................NV..a....da...N(N^NuNV..J9..d$f>"y..b. QJ.g.X.#...b.N."y..b. QJ.f.A.....J.g.Hy..b.N.X.......d$N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	21620
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x4e52	0x0	0x6	AX	4
.fini	PROGBITS	0x80004efa	0x4efa	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x80004f08	0x4f08	0x378	0x0	0x2	A	2
.eh_frame	PROGBITS	0x80006280	0x5280	0x4	0x0	0x3	WA	4
.ctors	PROGBITS	0x80006284	0x5284	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8000628c	0x528c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x80006294	0x5294	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x80006298	0x5298	0x18c	0x0	0x3	WA	4
.bss	NOBITS	0x80006424	0x5424	0x2840	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x5424	0x4d	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x5280	0x5280	6.1572	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x5280	0x80006280	0x80006280	0x1a4	0x29e4	1.7846	0x6	RW	0x1000	.eh_frame .ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 07:57:09.118252039 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:09.123178959 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:09.123229980 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:09.123559952 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:09.128385067 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:09.846028090 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:09.846652031 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:09.853406906 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:18.848844051 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:18.855169058 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:18.855254889 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:18.855278969 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:18.861581087 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:19.571378946 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:19.571584940 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:19.576499939 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:28.573472977 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:28.579086065 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:28.579173088 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:28.579233885 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:28.584001064 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:29.329552889 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:29.329919100 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:29.334728956 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:38.331727982 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:38.336659908 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:38.336711884 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:38.336744070 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:38.341517925 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:39.049498081 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:39.049704075 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:39.054543972 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:45.052071095 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:45.056967020 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:45.057022095 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:45.057080030 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:45.061897039 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:45.784359932 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:45.784626007 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:45.789462090 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:51.786403894 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:51.791248083 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:51.791332006 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:51.791351080 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:51.796204090 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:52.483376026 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:52.483587980 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:52.488395929 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:58.485104084 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:58.490060091 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:58.490150928 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:58.490164995 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:58.494941950 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:59.229854107 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 07:57:59.230010986 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:57:59.234941006 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:07.231817961 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:07.236690998 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:07.236783981 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:07.236799002 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:07.241681099 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:07.946993113 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:07.947227001 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:07.952059984 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:15.949361086 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:15.954178095 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:15.954242945 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:15.954315901 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:15.959117889 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:16.667485952 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:16.667900085 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:16.673628092 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:24.670268059 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:24.675103903 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:24.675196886 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:24.675231934 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:24.680027962 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:25.375931978 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:25.376549959 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:25.381481886 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:34.378679991 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:34.383670092 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:34.383745909 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:34.383775949 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:34.388547897 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:35.078547955 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:35.078811884 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:35.083604097 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:43.080764055 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:43.085578918 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:43.085663080 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:43.085684061 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:43.090483904 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:43.847476959 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:43.847673893 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:43.852489948 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:52.849637032 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:52.854464054 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:52.854552984 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:52.854574919 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:52.859370947 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:53.584563017 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:53.584695101 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:53.589478970 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:59.586499929 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:59.592031002 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 07:58:59.592097044 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:59.592174053 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:58:59.598057032 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 07:59:00.293159008 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 07:59:00.293543100 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:59:00.299463987 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 07:59:06.296473026 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:59:06.301270008 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 07:59:06.301348925 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:59:06.301394939 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:59:06.306133032 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 07:59:07.027666092 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 07:59:07.027971029 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 07:59:07.032830954 CET	31337	41528	85.239.34.134	192.168.2.13

System Behavior

Analysis Process: m68k.elf PID: 5500, Parent PID: 5425

General

Start time (UTC):	06:57:08
Start date (UTC):	03/01/2025
Path:	/tmp/m68k.elf
Arguments:	/tmp/m68k.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: m68k.elf PID: 5502, Parent PID: 5500

General

Start time (UTC):	06:57:08
Start date (UTC):	03/01/2025
Path:	/tmp/m68k.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report m68k.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: m68k.elf PID: 5500, Parent PID: 5425

General

Chronological Activities

Analysis Process: m68k.elf PID: 5502, Parent PID: 5500

General

Chronological Activities

Linux Analysis Report
m68k.elf