Edit tour

Linux Analysis Report
Space.mips.elf

Overview

General Information

Sample name:	Space.mips.elf
Analysis ID:	1584407
MD5:	44de196fc2d897cbd6e3961dfdfd9fea
SHA1:	499a4302954bbd41c2d9a5490d4432486b3e8751
SHA256:	25bf583d02fe7f11f58f4b18acc7bb0acbedf82330635c8c2c8dbfafaf4129ff
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584407
Start date and time:	2025-01-05 13:42:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.mips.elf
Detection:	MAL
Classification:	mal60.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.mips.elf
PID:	5443
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.mips.elf (PID: 5443, Parent: 5368, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/Space.mips.elf

Space.mips.elf New Fork (PID: 5445, Parent: 5443)

Space.mips.elf New Fork (PID: 5447, Parent: 5445)

Space.mips.elf New Fork (PID: 5449, Parent: 5445)

Space.mips.elf New Fork (PID: 5457, Parent: 5443)

Space.mips.elf New Fork (PID: 5459, Parent: 5443)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5443.1.00007f5818400000.00007f581842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2940c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29420:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29434:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29448:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2945c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29470:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29484:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29498:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29510:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29524:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29538:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2954c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29560:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29574:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29588:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2959c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5447.1.00007f5818400000.00007f581842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2940c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29420:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29434:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29448:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2945c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29470:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29484:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29498:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29510:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29524:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29538:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2954c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29560:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29574:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29588:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2959c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5457.1.00007f5818400000.00007f581842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2940c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29420:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29434:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29448:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2945c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29470:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29484:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29498:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29510:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29524:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29538:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2954c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29560:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29574:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29588:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2959c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5445.1.00007f5818400000.00007f581842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x2940c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29420:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29434:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29448:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2945c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29470:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29484:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29498:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x294fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29510:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29524:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29538:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2954c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29560:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29574:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29588:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2959c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5443	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x39dd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39f1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a05:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a19:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a2d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a41:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a55:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a69:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a7d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a91:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3aa5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ab9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3acd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ae1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3af5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b09:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b1d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b31:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b45:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b59:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3b6d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5445	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x74a6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74ba:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74ce:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74e2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74f6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x750a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x751e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7532:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7546:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x755a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x756e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7582:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7596:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x75aa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x75be:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x75d2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x75e6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x75fa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x760e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7622:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7636:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5447	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x7373:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7387:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x739b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x73af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x73c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x73d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x73eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x73ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7413:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7427:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x743b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x744f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7463:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7477:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x748b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x749f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x74ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7503:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5457	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xb517:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb52b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb53f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb553:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb567:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb57b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb58f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb5a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb5b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb5cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb5df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb5f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb607:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb61b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb62f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb643:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb657:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb66b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb67f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb693:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xb6a7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Space.mips.elf	Virustotal: Detection: 34%			Perma Link
Source: Space.mips.elf	ReversingLabs: Detection: 36%

Source: global traffic

TCP traffic: 192.168.2.13:46076 -> 79.133.46.252:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252
Source: unknown	TCP traffic detected without corresponding DNS query: 79.133.46.252

Source: Space.mips.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5443.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5447.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5457.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5445.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5443, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5445, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5447, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5457, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5443.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5447.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5457.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5445.1.00007f5818400000.00007f581842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5443, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5445, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5447, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5457, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/238/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/239/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/5390/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/240/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/3095/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/241/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/242/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/244/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/245/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/247/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1906/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/3648/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/5285/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/3420/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1482/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1480/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/371/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1238/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/134/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/3413/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/3776/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5443)	File opened: /proc/936/status	Jump to behavior

Source: Space.mips.elf

Submission file: segment LOAD with 7.9451 entropy (max. 8.0)

Source: /tmp/Space.mips.elf (PID: 5443)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.mips.elf, 5443.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp, Space.mips.elf, 5445.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp, Space.mips.elf, 5447.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp, Space.mips.elf, 5457.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp	Binary or memory string: Zl@x86_64/usr/bin/qemu-mips/tmp/Space.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.mips.elf
Source: Space.mips.elf, 5443.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp, Space.mips.elf, 5445.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp, Space.mips.elf, 5447.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp, Space.mips.elf, 5457.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: Space.mips.elf, 5443.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp, Space.mips.elf, 5445.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp, Space.mips.elf, 5447.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp, Space.mips.elf, 5457.1.000055df2cf1b000.000055df2cfc3000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: Space.mips.elf, 5443.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp, Space.mips.elf, 5445.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp, Space.mips.elf, 5447.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp, Space.mips.elf, 5457.1.00007ffe5fe87000.00007ffe5fea8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.mips.elf	35%	Virustotal		Browse
Space.mips.elf	37%	ReversingLabs	Linux.Trojan.Gafgyt

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.mips.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.133.46.252	unknown	Germany		203833	AT-FIRSTCOLOAustriaAT	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
79.133.46.252	Space.mpsl.elf	Get hash	malicious	Unknown	Browse	/hiddenbin/Space.mpsl
	Space.x86.elf	Get hash	malicious	Unknown	Browse	/hiddenbin/Space.x86
	Space.mips.elf	Get hash	malicious	Unknown	Browse	/hiddenbin/Space.mips
	Space.arm7.elf	Get hash	malicious	Unknown	Browse	/hiddenbin/Space.arm7
	Space.arm6.elf	Get hash	malicious	Unknown	Browse	/hiddenbin/Space.arm6

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AT-FIRSTCOLOAustriaAT	Space.m68k.elf	Get hash	malicious	Mirai	Browse	79.133.46.252
	Space.ppc.elf	Get hash	malicious	Unknown	Browse	79.133.46.252
	Space.x86.elf	Get hash	malicious	Unknown	Browse	79.133.46.252
	Space.x86_64.elf	Get hash	malicious	Unknown	Browse	79.133.46.252
	Space.arm6.elf	Get hash	malicious	Unknown	Browse	79.133.46.252
	Space.sh4.elf	Get hash	malicious	Unknown	Browse	79.133.46.252
	Space.x86.elf	Get hash	malicious	Mirai	Browse	79.133.46.252
	Space.arm.elf	Get hash	malicious	Mirai	Browse	79.133.46.252
	Space.ppc.elf	Get hash	malicious	Mirai	Browse	79.133.46.252
	Space.ppc.elf	Get hash	malicious	Mirai	Browse	79.133.46.252

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.942995259694459
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Space.mips.elf
File size:	44'520 bytes
MD5:	44de196fc2d897cbd6e3961dfdfd9fea
SHA1:	499a4302954bbd41c2d9a5490d4432486b3e8751
SHA256:	25bf583d02fe7f11f58f4b18acc7bb0acbedf82330635c8c2c8dbfafaf4129ff
SHA512:	2d8454ad3f897e0b388ac2b4167cda9445e1acfc779228d855327e49a7ca4402ec86a7add15b8ed7e3c9ed16a7a459a6306add5c27c5764d0c33cd283a9823c8
SSDEEP:	768:P1b0VM3k+GWgdUmAIFX2VRkV+8BM3Wzfh6ugZe8V3JApJgGlzDpbuR1JV:P1b063kQqAm2UkGzMVtVSVJu/
TLSH:	C113F27C01294E9FEAE9D3F8057C878A3D94036169828D16B48CECF7558A6B17973FC4
File Content Preview:	.ELF...........................4.........4. ...(.............................................C...C......................UPX!.h.....................V.......?.E.h4...@b..) ..]....E..."B...^...l..!.D....U+o1..G..Hh.p......d..3..../^O..6.v....................

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x109980
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xacc4	0xacc4	7.9451	0x5	R E	0x10000
LOAD	0xcffc	0x43cffc	0x43cffc	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 5, 2025 13:42:55.545901060 CET	46076	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:42:55.550869942 CET	3778	46076	79.133.46.252	192.168.2.13
Jan 5, 2025 13:42:55.550921917 CET	46076	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:42:55.600797892 CET	46076	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:42:55.605653048 CET	3778	46076	79.133.46.252	192.168.2.13
Jan 5, 2025 13:42:55.605706930 CET	46076	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:42:55.610538960 CET	3778	46076	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:01.335690975 CET	46078	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:01.340631008 CET	3778	46078	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:01.340725899 CET	46078	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:01.354881048 CET	46078	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:01.359658003 CET	3778	46078	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:01.359702110 CET	46078	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:01.364538908 CET	3778	46078	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:05.611551046 CET	46076	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:05.616379023 CET	3778	46076	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:11.361090899 CET	46078	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:11.365931988 CET	3778	46078	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:16.937302113 CET	3778	46076	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:16.937731981 CET	46076	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:16.942589998 CET	3778	46076	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:17.941612005 CET	46080	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:17.946474075 CET	3778	46080	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:17.946544886 CET	46080	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:17.947444916 CET	46080	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:17.952239037 CET	3778	46080	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:17.952280045 CET	46080	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:17.956988096 CET	3778	46080	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:22.720477104 CET	3778	46078	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:22.721580029 CET	46078	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:22.726342916 CET	3778	46078	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:23.723588943 CET	46082	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:23.728445053 CET	3778	46082	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:23.728512049 CET	46082	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:23.729110003 CET	46082	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:23.733839035 CET	3778	46082	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:23.733887911 CET	46082	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:23.738742113 CET	3778	46082	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:39.330493927 CET	3778	46080	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:39.330995083 CET	46080	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:39.335800886 CET	3778	46080	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:40.333923101 CET	46084	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:40.338788033 CET	3778	46084	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:40.338901043 CET	46084	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:40.340228081 CET	46084	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:40.345026016 CET	3778	46084	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:40.345112085 CET	46084	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:40.349946976 CET	3778	46084	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:45.141501904 CET	3778	46082	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:45.141850948 CET	46082	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:45.146882057 CET	3778	46082	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:46.143975019 CET	46086	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:46.148825884 CET	3778	46086	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:46.148921967 CET	46086	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:46.149960995 CET	46086	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:46.154690027 CET	3778	46086	79.133.46.252	192.168.2.13
Jan 5, 2025 13:43:46.154763937 CET	46086	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:43:46.159589052 CET	3778	46086	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:01.703959942 CET	3778	46084	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:01.704221964 CET	46084	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:01.709044933 CET	3778	46084	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:02.706368923 CET	46088	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:02.711296082 CET	3778	46088	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:02.711360931 CET	46088	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:02.712219000 CET	46088	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:02.716989040 CET	3778	46088	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:02.717041016 CET	46088	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:02.721822977 CET	3778	46088	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:07.499203920 CET	3778	46086	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:07.499557972 CET	46086	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:07.504411936 CET	3778	46086	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:08.501533031 CET	46090	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:08.506510019 CET	3778	46090	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:08.506572962 CET	46090	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:08.507586956 CET	46090	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:08.512356043 CET	3778	46090	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:08.512408018 CET	46090	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:08.517249107 CET	3778	46090	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:12.722652912 CET	46088	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:12.727504969 CET	3778	46088	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:18.518093109 CET	46090	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:18.523469925 CET	3778	46090	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:24.130347967 CET	3778	46088	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:24.130647898 CET	46088	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:24.136363983 CET	3778	46088	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:25.133207083 CET	46092	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:25.138196945 CET	3778	46092	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:25.138273001 CET	46092	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:25.139516115 CET	46092	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:25.144349098 CET	3778	46092	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:25.144426107 CET	46092	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:25.149192095 CET	3778	46092	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:29.907756090 CET	3778	46090	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:29.908055067 CET	46090	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:29.914333105 CET	3778	46090	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:30.909815073 CET	46094	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:30.914680004 CET	3778	46094	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:30.914746046 CET	46094	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:30.915334940 CET	46094	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:30.920133114 CET	3778	46094	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:30.920186043 CET	46094	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:30.925017118 CET	3778	46094	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:46.516628027 CET	3778	46092	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:46.516879082 CET	46092	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:46.522017002 CET	3778	46092	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:47.518812895 CET	46096	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:47.525262117 CET	3778	46096	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:47.525350094 CET	46096	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:47.526467085 CET	46096	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:47.531203032 CET	3778	46096	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:47.531264067 CET	46096	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:47.536102057 CET	3778	46096	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:52.282488108 CET	3778	46094	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:52.282650948 CET	46094	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:52.287448883 CET	3778	46094	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:53.284243107 CET	46098	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:53.289231062 CET	3778	46098	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:53.289302111 CET	46098	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:53.289891005 CET	46098	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:53.294687033 CET	3778	46098	79.133.46.252	192.168.2.13
Jan 5, 2025 13:44:53.294749975 CET	46098	3778	192.168.2.13	79.133.46.252
Jan 5, 2025 13:44:53.299530983 CET	3778	46098	79.133.46.252	192.168.2.13

System Behavior

Analysis Process: Space.mips.elf PID: 5443, Parent PID: 5368

General

Start time (UTC):	12:42:54
Start date (UTC):	05/01/2025
Path:	/tmp/Space.mips.elf
Arguments:	/tmp/Space.mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5445, Parent PID: 5443

General

Start time (UTC):	12:42:54
Start date (UTC):	05/01/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5447, Parent PID: 5445

General

Start time (UTC):	12:42:54
Start date (UTC):	05/01/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5449, Parent PID: 5445

General

Start time (UTC):	12:42:54
Start date (UTC):	05/01/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5457, Parent PID: 5443

General

Start time (UTC):	12:43:00
Start date (UTC):	05/01/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5459, Parent PID: 5443

General

Start time (UTC):	12:43:00
Start date (UTC):	05/01/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.mips.elf PID: 5443, Parent PID: 5368

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5445, Parent PID: 5443

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5447, Parent PID: 5445

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5449, Parent PID: 5445

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5457, Parent PID: 5443

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5459, Parent PID: 5443

General

Chronological Activities

Linux Analysis Report
Space.mips.elf