Linux Analysis Report
g.elf

Overview

General Information

Sample name:g.elf
Analysis ID:1583726
MD5:b6cc75734e37475256f2f96207a4a6e0
SHA1:e27f901a35aee1be603caccb40e49c81f8e3145d
SHA256:7a2f1b7505c6e2942f1bbd1a48b35687822c5deb11563008db3217266e84d3d4
Tags: android, elf, malware, user-Joker

Detection

Score:64
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1583726
Start date and time:2025-01-03 13:09:24 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 45s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:g.elf
Detection:MAL
Classification:mal64.linELF@0/0@0/0
Command:/tmp/g.elf
PID:6226
Exit Code:2
Exit Code Info:
Killed:False
Standard Output:

Standard Error:fatal error: sigaction failed

runtime stack:
runtime.throw({0x941df6, 0x10})
/usr/lib/go-1.23/src/runtime/panic.go:1067 +0x48 fp=0x7ffffce4 sp=0x7ffffcd0 pc=0xada10
runtime.sysSigaction.func1()
/usr/lib/go-1.23/src/runtime/os_linux.go:535 +0x4c fp=0x7ffffcf0 sp=0x7ffffce4 pc=0xa2b04
runtime.sysSigaction(0x41, 0x7ffffd18, 0x0)
/usr/lib/go-1.23/src/runtime/os_linux.go:534 +0x7c fp=0x7ffffd08 sp=0x7ffffcf0 pc=0x59a34
runtime.sigaction(...)
/usr/lib/go-1.23/src/runtime/sigaction.go:15
runtime.setsig(0x41, 0x7eea8)
/usr/lib/go-1.23/src/runtime/os_linux.go:482 +0xbc fp=0x7ffffd34 sp=0x7ffffd08 pc=0x59900
runtime.initsig(0x0)
/usr/lib/go-1.23/src/runtime/signal_unix.go:148 +0x2c0 fp=0x7ffffd70 sp=0x7ffffd34 pc=0x7e1a4
runtime.mstartm0()
/usr/lib/go-1.23/src/runtime/proc.go:1858 +0x70 fp=0x7ffffd78 sp=0x7ffffd70 pc=0x6577c
runtime.mstart1()
/usr/lib/go-1.23/src/runtime/proc.go:1830 +0x94 fp=0x7ffffd88 sp=0x7ffffd78 pc=0x65674
runtime.mstart0()
/usr/lib/go-1.23/src/runtime/proc.go:1791 +0x7c fp=0x7ffffd9c sp=0x7ffffd88 pc=0x655c0
runtime.mstart()
/usr/lib/go-1.23/src/runtime/asm_mipsx.s:89 +0x14 fp=0x7ffffda0 sp=0x7ffffd9c pc=0xb4e10

goroutine 1 gp=0x1400128 m=nil [runnable]:
runtime.main()
/usr/lib/go-1.23/src/runtime/proc.go:147 fp=0x14407ec sp=0x14407ec pc=0x60984
runtime.goexit({})
/usr/lib/go-1.23/src/runtime/asm_mipsx.s:664 +0x4 fp=0x14407ec sp=0x14407ec pc=0xb7290
  • system is lnxubuntu20
  • g.elf (PID: 6226, Parent: 6142, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/g.elf
  • cleanup
Source | Rule | Description | Author | Strings
g.elf | tool_gost_tunnel_strings | Detects GOST Go Tunnel, based on strings | Sekoia.io | (matched strings listed below)
  • 0xb05e99:$: .(*shadowUDPHandler).transportUDP
  • 0xb05ed3:$: .(*shadowUDPHandler).transportUDP
  • 0xb05f13:$: .(*shadowUDPHandler).transportUDP
  • 0xb05f55:$: .(*shadowUDPHandler).transportUDP
  • 0xb05fa2:$: .(*shadowUDPHandler).transportUDP
  • 0xb05fe2:$: .(*shadowUDPHandler).transportUDP
  • 0xb01d50:$: .(*quicCipherConn).decrypt
  • 0xb07e60:$: .(*mtlsTransporter).Handshake
  • 0xb07e96:$: .(*mtlsTransporter).Handshake
  • 0xb07ed7:$: .(*mtlsTransporter).Handshake
  • 0xb033cf:$: .(*FIFOStrategy).Apply
  • 0x821105:$: .dnsTCPExchanger
  • 0xb0a6b8:$: .dnsTCPExchanger
  • 0x824c64:$: .dohResponseWriter
  • 0xb0a9c4:$: .dohResponseWriter
  • 0xb0b3dd:$: .dohResponseWriter
  • 0xb0b444:$: .dohResponseWriter
  • 0xb0b4a9:$: .dohResponseWriter
  • 0x82c67d:$: .tcpRemoteForwardListener
  • 0x863482:$: .tcpRemoteForwardListener
  • 0xb0a989:$: .tcpRemoteForwardListener
No Suricata rule has matched


AV Detection

Source: g.elf | Avira: detected
Source: g.elf | Virustotal: Detection: 12%
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: g.elf | String found in binary or memory: https://github.com/quic-go/quic-go/wiki/LoggingDisabling
Source: g.elf | String found in binary or memory: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: g.elf, type: SAMPLE | Matched rule: Detects GOST Go Tunnel, based on strings | Author: Sekoia.io
Source: ELF static info symbol of initial sample | .symtab present: no
Source: g.elf, type: SAMPLE | Matched rule: tool_gost_tunnel_strings | author = Sekoia.io, description = Detects GOST Go Tunnel, based on strings, creation_date = 2023-02-28, classification = TLP:CLEAR, version = 1.0, id = 2de7aae9-9cf8-4007-aa27-5caea4123713
Source: classification engine | Classification label: mal64.linELF@0/0@0/0
Source: ELF file section | Submission: g.elf
Source: /tmp/g.elf (PID: 6226) | Queries kernel information via 'uname'
Source: g.elf, 6226.1.00005611372d8000.00005611375b3000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: g.elf, 6226.1.00005611372d8000.00005611375b3000.rw-.sdmp | Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: g.elf, 6226.1.00007ffdccd4a000.00007ffdccd6b000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/g.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/g.elf
Source: g.elf, 6226.1.00007ffdccd4a000.00007ffdccd6b000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
MITRE ATT&CK matrix (matched techniques only; all other matrix cells show no matches):

Tactic | Technique
Discovery | Security Software Discovery
Command and Control | Encrypted Channel
Command and Control | Application Layer Protocol
No configs have been found
Source | Detection | Scanner | Label
g.elf | 13% | Virustotal |
g.elf | 11% | ReversingLabs | Linux.Hacktool.Gost
g.elf | 100% | Avira | PUA/GM.PuAgent.CX
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/quic-go/quic-go/wiki/LoggingDisabling | g.elf | false | | high
https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes | g.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 | aarch643308.elf | malicious | Unknown |
91.189.91.43 | ARMV7L.elf | malicious | Unknown |
91.189.91.43 | bash.elf | malicious | Unknown |
91.189.91.43 | ARMV5L.elf | malicious | Unknown |
91.189.91.43 | boatnet.mpsl.elf | malicious | Mirai |
91.189.91.43 | cedhat | malicious | Kaiji |
91.189.91.43 | arc.elf | malicious | Unknown |
91.189.91.43 | m68k.elf | malicious | Gafgyt, Mirai |
91.189.91.43 | mips.elf | malicious | Mirai |
91.189.91.43 | sparc.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | aarch643308.elf | malicious | Unknown |
91.189.91.42 | ARMV7L.elf | malicious | Unknown |
91.189.91.42 | bash.elf | malicious | Unknown |
91.189.91.42 | ARMV5L.elf | malicious | Unknown |
91.189.91.42 | boatnet.mpsl.elf | malicious | Mirai |
91.189.91.42 | cedhat | malicious | Kaiji |
91.189.91.42 | arc.elf | malicious | Unknown |
91.189.91.42 | m68k.elf | malicious | Gafgyt, Mirai |
91.189.91.42 | mips.elf | malicious | Mirai |
91.189.91.42 | sparc.elf | malicious | Gafgyt, Mirai |
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | aarch643308.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | ARMV7L.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | bash.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | ARMV5L.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | boatnet.mpsl.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | cedhat | malicious | Kaiji | 91.189.91.42
CANONICAL-ASGB | arc.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | i586.elf | malicious | Mirai | 185.125.190.26
CANONICAL-ASGB | m68k.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | spc.elf | malicious | Unknown | 185.125.190.26
INIT7CH | aarch643308.elf | malicious | Unknown | 109.202.202.202
INIT7CH | ARMV7L.elf | malicious | Unknown | 109.202.202.202
INIT7CH | bash.elf | malicious | Unknown | 109.202.202.202
INIT7CH | ARMV5L.elf | malicious | Unknown | 109.202.202.202
INIT7CH | boatnet.mpsl.elf | malicious | Mirai | 109.202.202.202
INIT7CH | cedhat | malicious | Kaiji | 109.202.202.202
INIT7CH | arc.elf | malicious | Unknown | 109.202.202.202
INIT7CH | m68k.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | mips.elf | malicious | Mirai | 109.202.202.202
INIT7CH | sparc.elf | malicious | Gafgyt, Mirai | 109.202.202.202
                                              No context
No created / dropped files found
File type:ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), statically linked, Go BuildID=Fwme_MLpYTEC_5bOJ9Ay/kIQoc1kXkeJfNHDKmF-u/h4gSjH3-WTP6jq_eud8c/EfjVU4ej8Q_77O6cCK6h, stripped
Entropy (8bit):5.596303623505228
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:g.elf
File size:14'942'391 bytes
MD5:b6cc75734e37475256f2f96207a4a6e0
SHA1:e27f901a35aee1be603caccb40e49c81f8e3145d
SHA256:7a2f1b7505c6e2942f1bbd1a48b35687822c5deb11563008db3217266e84d3d4
SHA512:22e5a0860ad0ddb38589add979b70f97a94191a022ef0e55ef90e07dc5b03c1306d3d6f24a0cd5e5996e790f3d74ac9c6b9ff09f1c04431a4b7972b4f0acf62e
SSDEEP:49152:jJ8iwXL4XFqG5kJ9LxSJI9+q5kFrXYL9T6jAXynQ5vS8cyXpqDssG8I08XXI8Vpi:iwgynQP+OqJll
TLSH:A0E6E705EC852BF6C42C4F7490EAC95522706E144AF14A7A22A1FFDCBC7A2797F4789C
File Content Preview:.ELF.....................z..4..........P4. ...(.........4...4...4...................................d...d...........................................................@.\.@.\.........................@K..`nR.........Q.td...............................p.......

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:MIPS R3000
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0xb7a04
Flags:0x50001004
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:7
Section Header Offset:276
Section Header Size:40
Number of Section Headers:16
Header String Table Index:14
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.text | PROGBITS | 0x11000 | 0x1000 | 0x7ef3e8 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x810000 | 0x800000 | 0x248a8c | 0x0 | 0x2 | A | 0 | 0 | 32
.gnu.attributes | GNU_ATTRIBUTES | 0x0 | 0xa48a90 | 0x10 | 0x0 | 0x0 | | 0 | 0 | 1
.typelink | PROGBITS | 0xa58aa0 | 0xa48aa0 | 0x45dc | 0x0 | 0x2 | A | 0 | 0 | 32
.itablink | PROGBITS | 0xa5d080 | 0xa4d080 | 0x1240 | 0x0 | 0x2 | A | 0 | 0 | 32
.gosymtab | PROGBITS | 0xa5e2c0 | 0xa4e2c0 | 0x0 | 0x0 | 0x2 | A | 0 | 0 | 1
.gopclntab | PROGBITS | 0xa5e2c0 | 0xa4e2c0 | 0x37be80 | 0x0 | 0x2 | A | 0 | 0 | 32
.go.buildinfo | PROGBITS | 0xde0000 | 0xdd0000 | 0x11d0 | 0x0 | 0x3 | WA | 0 | 0 | 16
.noptrdata | PROGBITS | 0xde11e0 | 0xdd11e0 | 0x54be0 | 0x0 | 0x3 | WA | 0 | 0 | 32
.data | PROGBITS | 0xe35dc0 | 0xe25dc0 | 0xed70 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0xe44b40 | 0xe34b40 | 0x328cc0 | 0x0 | 0x3 | WA | 0 | 0 | 32
.noptrbss | NOBITS | 0x116d800 | 0x115d800 | 0x199660 | 0x0 | 0x3 | WA | 0 | 0 | 32
.note.go.buildid | NOTE | 0x10f9c | 0xf9c | 0x64 | 0x0 | 0x2 | A | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0xe40000 | 0xb7 | 0x0 | 0x0 | | 0 | 0 | 1
.MIPS.abiflags | MIPS_ABIFLAGS | 0x10f84 | 0xf84 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 8
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
PHDR | 0x34 | 0x10034 | 0x10034 | 0xe0 | 0xe0 | 2.4680 | 0x4 | R | 0x10000 | |
NOTE | 0xf9c | 0x10f9c | 0x10f9c | 0x64 | 0x64 | 5.3835 | 0x4 | R | 0x4 | | .note.go.buildid
LOAD | 0x0 | 0x10000 | 0x10000 | 0x7f03e8 | 0x7f03e8 | 5.1065 | 0x5 | R E | 0x10000 | | .text .note.go.buildid .MIPS.abiflags
LOAD | 0x800000 | 0x810000 | 0x810000 | 0x5ca140 | 0x5ca140 | 5.7315 | 0x4 | R | 0x10000 | | .rodata .typelink .itablink .gosymtab .gopclntab
LOAD | 0xdd0000 | 0xde0000 | 0xde0000 | 0x64b40 | 0x526e60 | 6.1549 | 0x6 | RW | 0x10000 | | .go.buildinfo .noptrdata .data .bss .noptrbss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |
ABIFLAGS | 0xf84 | 0x10f84 | 0x10f84 | 0x18 | 0x18 | 1.0239 | 0x4 | R | 0x8 | | .MIPS.abiflags
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 13:10:09.252497911 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Jan 3, 2025 13:10:14.883776903 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Jan 3, 2025 13:10:16.419598103 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Jan 3, 2025 13:10:30.753643036 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Jan 3, 2025 13:10:40.992419004 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Jan 3, 2025 13:10:47.135421038 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Jan 3, 2025 13:11:11.707931042 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42

System Behavior

Start time (UTC):12:10:08
Start date (UTC):03/01/2025
Path:/tmp/g.elf
Arguments:/tmp/g.elf
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9