Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:	ppc.elf
Analysis ID:	1583610
MD5:	c237e589113a39d4ac96204ce33c5793
SHA1:	2277a76552975a02f69f0281a3c63520b83bfc42
SHA256:	d174a81ab6b3be9fbb71e392d12946327410d71a55fd7e974c0baf94502863cc
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583610
Start date and time:	2025-01-03 08:00:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	ppc.elf
Detection:	MAL
Classification:	mal48.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/ppc.elf
PID:	5489
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

ppc.elf (PID: 5489, Parent: 5414, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf

ppc.elf New Fork (PID: 5491, Parent: 5489)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ppc.elf	Virustotal: Detection: 15%			Perma Link
Source: ppc.elf	ReversingLabs: Detection: 15%

Source: global traffic

TCP traffic: 192.168.2.13:41500 -> 85.239.34.134:31337

Source: /tmp/ppc.elf (PID: 5489)

Socket: 0.0.0.0:3142

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal48.linELF@0/0@0/0

Source: /tmp/ppc.elf (PID: 5489)

Queries kernel information via 'uname':

Jump to behavior

Source: ppc.elf, 5489.1.0000561c83851000.0000561c83901000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: ppc.elf, 5489.1.00007ffc195bc000.00007ffc195dd000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 5489.1.0000561c83851000.0000561c83901000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 5489.1.00007ffc195bc000.00007ffc195dd000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ppc.elf	16%	Virustotal		Browse
ppc.elf	16%	ReversingLabs	Linux.Backdoor.Gafgyt

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.239.34.134	unknown	Russian Federation		134121	RAINBOW-HKRainbownetworklimitedHK	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
85.239.34.134	x86.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	spc.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RAINBOW-HKRainbownetworklimitedHK	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	mpsl.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	m68k.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm6.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	mips.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm5.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	spc.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	sh4.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.33156774508341
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	ppc.elf
File size:	25'752 bytes
MD5:	c237e589113a39d4ac96204ce33c5793
SHA1:	2277a76552975a02f69f0281a3c63520b83bfc42
SHA256:	d174a81ab6b3be9fbb71e392d12946327410d71a55fd7e974c0baf94502863cc
SHA512:	97f2a511fc9368b3857397802d24b55dae62ece8f7bf3c1bc7d0f8c42e82475ad8150804b50cce7a0383fdbeec54b4f86d9d0253a4b7bccfcfad39a0509d63e6
SSDEEP:	384:hQuEEmCRYT0yozfRGcTGCHq7q9NdhOYgnrRkR+:hQnKm0XcXI2q9N0dkR+
TLSH:	2BC21A4173290D57E6EB1AF02D3F27D563FBD99130B9A209796EAF0AC136A335081E4D
File Content Preview:	.ELF...........................4..b......4. ...(......................R...R...............`...`...`......./X..............`T..`T..`T................dt.Q.............................!..\|......$H...H.L....$8!. \|...N.. .!..\|.......?.........a...../...@..`= .

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x10000218
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	25112
Section Header Size:	40
Number of Section Headers:	16
Header String Table Index:	15

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x100000b4	0xb4	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000d8	0xd8	0x4d24	0x0	0x6	AX	4
.fini	PROGBITS	0x10004dfc	0x4dfc	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x10004e1c	0x4e1c	0x3e4	0x0	0x2	A	4
.eh_frame	PROGBITS	0x10006000	0x6000	0x54	0x0	0x3	WA	4
.tbss	NOBITS	0x10006054	0x6054	0x8	0x0	0x403	WAT	4
.ctors	PROGBITS	0x10006054	0x6054	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1000605c	0x605c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x10006064	0x6064	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x10006068	0x6068	0x108	0x0	0x3	WA	4
.got	PROGBITS	0x10006170	0x6170	0x10	0x4	0x7	WAX	4
.sdata	PROGBITS	0x10006180	0x6180	0x30	0x0	0x3	WA	4
.sbss	NOBITS	0x100061b0	0x61b0	0x4c	0x0	0x3	WA	4
.bss	NOBITS	0x100061fc	0x61b0	0x2d5c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x61b0	0x65	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0x5200	0x5200	6.0212	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x6000	0x10006000	0x10006000	0x1b0	0x2f58	2.3605	0x7	RWE	0x1000	.eh_frame .tbss .ctors .dtors .jcr .data .got .sdata .sbss .bss
TLS	0x6054	0x10006054	0x10006054	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 08:01:27.842669964 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:27.847544909 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:27.847594976 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:27.848829985 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:27.853648901 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:28.538968086 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:28.539378881 CET	41500	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:28.544195890 CET	31337	41500	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:34.541505098 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:34.546360016 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:34.546458960 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:34.546489000 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:34.551320076 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:35.241828918 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:35.242144108 CET	41502	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:35.247033119 CET	31337	41502	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:41.244333982 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:41.249324083 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:41.249418974 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:41.249489069 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:41.254231930 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:41.951065063 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:41.951363087 CET	41504	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:41.956235886 CET	31337	41504	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:46.953851938 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:46.958785057 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:46.958889961 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:46.958889961 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:46.963675976 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:47.650816917 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:47.651057959 CET	41506	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:47.655878067 CET	31337	41506	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:52.653044939 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:52.657942057 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:52.658015966 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:52.658030987 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:52.662781954 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:53.349689960 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:53.349966049 CET	41508	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:53.354818106 CET	31337	41508	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:58.351852894 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:58.356920958 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:58.357073069 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:58.357134104 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:58.361959934 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:59.063179970 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 08:01:59.063569069 CET	41510	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:01:59.068332911 CET	31337	41510	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:05.065346956 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:05.185944080 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:05.186152935 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:05.186181068 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:05.190978050 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:05.928709030 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:05.928899050 CET	41512	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:05.933653116 CET	31337	41512	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:12.930617094 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:12.935441971 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:12.935525894 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:12.935543060 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:12.940349102 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:13.635543108 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:13.635766029 CET	41514	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:13.640563011 CET	31337	41514	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:18.637896061 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:18.642760992 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:18.642827988 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:18.642874002 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:18.647655010 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:19.334889889 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:19.335066080 CET	41516	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:19.339896917 CET	31337	41516	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:27.337233067 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:27.342120886 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:27.342228889 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:27.342268944 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:27.347028017 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:28.044784069 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:28.045089006 CET	41518	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:28.049928904 CET	31337	41518	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:37.047746897 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:37.052644014 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:37.052716017 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:37.052778006 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:37.057533979 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:37.753156900 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:37.753355980 CET	41520	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:37.758207083 CET	31337	41520	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:42.755461931 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:42.760371923 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:42.760443926 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:42.760493040 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:42.765966892 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:43.452189922 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:43.452461004 CET	41522	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:43.457211018 CET	31337	41522	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:52.455065012 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:52.459944010 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:52.460073948 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:52.460127115 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:52.464876890 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:53.152004004 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:53.152457952 CET	41524	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:53.157272100 CET	31337	41524	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:58.154951096 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:58.159898996 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:58.159964085 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:58.160024881 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:58.164757013 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:58.855072021 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 08:02:58.855488062 CET	41526	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:02:58.860358953 CET	31337	41526	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:05.857418060 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:05.862368107 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:05.862457037 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:05.862504005 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:05.867316961 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:06.554003954 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:06.554223061 CET	41528	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:06.559021950 CET	31337	41528	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:13.556113958 CET	41530	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:13.561057091 CET	31337	41530	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:13.561130047 CET	41530	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:13.561161041 CET	41530	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:13.565974951 CET	31337	41530	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:14.262227058 CET	31337	41530	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:14.262402058 CET	41530	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:14.267194986 CET	31337	41530	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:23.264566898 CET	41532	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:23.269598007 CET	31337	41532	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:23.269704103 CET	41532	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:23.269736052 CET	41532	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:23.274456024 CET	31337	41532	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:23.995584011 CET	31337	41532	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:23.995826006 CET	41532	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:24.000665903 CET	31337	41532	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:32.997698069 CET	41534	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:33.002729893 CET	31337	41534	85.239.34.134	192.168.2.13
Jan 3, 2025 08:03:33.002808094 CET	41534	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:33.002836943 CET	41534	31337	192.168.2.13	85.239.34.134
Jan 3, 2025 08:03:33.007642984 CET	31337	41534	85.239.34.134	192.168.2.13

System Behavior

Analysis Process: ppc.elf PID: 5489, Parent PID: 5414

General

Start time (UTC):	07:01:26
Start date (UTC):	03/01/2025
Path:	/tmp/ppc.elf
Arguments:	/tmp/ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Chronological Activities

Analysis Process: ppc.elf PID: 5491, Parent PID: 5489

General

Start time (UTC):	07:01:26
Start date (UTC):	03/01/2025
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: ppc.elf PID: 5489, Parent PID: 5414

General

Chronological Activities

Analysis Process: ppc.elf PID: 5491, Parent PID: 5489

General

Chronological Activities

Linux Analysis Report
ppc.elf