Edit tour

Linux Analysis Report
mips.elf

Overview

General Information

Sample name:	mips.elf
Analysis ID:	1588724
MD5:	c53e038457ee218f315120be3489cae9
SHA1:	976012615c17ad70ce109901891850968c77fb0d
SHA256:	769d08e769b7b87b75a05b81417754daf74f19dbce2292e4c9906f16c1e744fa
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588724
Start date and time:	2025-01-11 04:41:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mips.elf
Detection:	MAL
Classification:	mal56.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/mips.elf
PID:	5443
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	wormbot
Standard Error:

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5411, Parent: 3578)

rm (PID: 5411, Parent: 3578, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.zyqSxPi4y6 /tmp/tmp.Ugs7kCUs5l /tmp/tmp.0AzLUvd8vZ

dash New Fork (PID: 5412, Parent: 3578)

rm (PID: 5412, Parent: 3578, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.zyqSxPi4y6 /tmp/tmp.Ugs7kCUs5l /tmp/tmp.0AzLUvd8vZ

mips.elf (PID: 5443, Parent: 5344, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mips.elf

mips.elf New Fork (PID: 5445, Parent: 5443)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mips.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xfcfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5443.1.00007fa884400000.00007fa884411000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xfcfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfdec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfe8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: mips.elf PID: 5443	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x370:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x384:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x398:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x410:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x438:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x44c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x49c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x500:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mips.elf	ReversingLabs: Detection: 26%
Source: mips.elf	Virustotal: Detection: 26%			Perma Link

Source: global traffic

TCP traffic: 192.168.2.13:45926 -> 85.239.34.134:999

Source: /tmp/mips.elf (PID: 5443)

Socket: 127.0.0.1:7567

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.239.34.134

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: mips.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5443.1.00007fa884400000.00007fa884411000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: mips.elf PID: 5443, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: mips.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5443.1.00007fa884400000.00007fa884411000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: mips.elf PID: 5443, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal56.linELF@0/0@0/0

Source: /usr/bin/dash (PID: 5411)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.zyqSxPi4y6 /tmp/tmp.Ugs7kCUs5l /tmp/tmp.0AzLUvd8vZ			Jump to behavior
Source: /usr/bin/dash (PID: 5412)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.zyqSxPi4y6 /tmp/tmp.Ugs7kCUs5l /tmp/tmp.0AzLUvd8vZ			Jump to behavior

Source: /tmp/mips.elf (PID: 5443)

Queries kernel information via 'uname':

Jump to behavior

Source: mips.elf, 5443.1.00007fffcb73c000.00007fffcb75d000.rw-.sdmp	Binary or memory string: m8x86_64/usr/bin/qemu-mips/tmp/mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mips.elf
Source: mips.elf, 5443.1.0000561041e9d000.0000561041f24000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/mips
Source: mips.elf, 5443.1.0000561041e9d000.0000561041f24000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: mips.elf, 5443.1.00007fffcb73c000.00007fffcb75d000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mips.elf	26%	ReversingLabs	Linux.Trojan.Mirai
mips.elf	26%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.239.34.134	unknown	Russian Federation		134121	RAINBOW-HKRainbownetworklimitedHK	false
185.125.190.26	unknown	United Kingdom		41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
85.239.34.134	spc.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	154.216.17.162-arm-2025-01-09T02_53_12.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
185.125.190.26	boatnet.arm7.elf	Get hash	malicious	Unknown	Browse
	boatnet.m68k.elf	Get hash	malicious	Unknown	Browse
	ssh.elf	Get hash	malicious	Gafgyt	Browse
	gnjqwpc.elf	Get hash	malicious	Unknown	Browse
	Space.arm6.elf	Get hash	malicious	Unknown	Browse
	main_sh4.elf	Get hash	malicious	Mirai	Browse
	fenty.arm4.elf	Get hash	malicious	Mirai	Browse
	Space.x86.elf	Get hash	malicious	Unknown	Browse
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse
	wind.arm5.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RAINBOW-HKRainbownetworklimitedHK	spc.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm7.elf	Get hash	malicious	Mirai	Browse	85.239.34.134
	arm.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	arm7.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	154.216.17.162-arm-2025-01-09T02_53_12.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	ppc.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
	x86.elf	Get hash	malicious	Unknown	Browse	85.239.34.134
CANONICAL-ASGB	spc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sse.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	ssp.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	2.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	12.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Space.arm.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	arm.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	ss.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	boatnet.arm7.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	boatnet.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.414246201375075
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mips.elf
File size:	72'972 bytes
MD5:	c53e038457ee218f315120be3489cae9
SHA1:	976012615c17ad70ce109901891850968c77fb0d
SHA256:	769d08e769b7b87b75a05b81417754daf74f19dbce2292e4c9906f16c1e744fa
SHA512:	c0334b2d16ef762041e6c8d51476d3d33d1b10650c2eb26751d10599f71c26aac2c273bc1dce57ad0de51607013a5879307c6301ac5edcdc9f2eac89e80e7881
SSDEEP:	768:TeXPD4F4KDYz4rid2Vn/fyLCW6ab4M8+pMdXGlTe3T+XkYqK/Up222TwwBsv5iTg:ldyLCxM4n+OpKXJjENjIZlg
TLSH:	4B63D85E6E118F7CF28DC63447B79E2596682BC627D1C081E26CE6102E2175F681FFE8
File Content Preview:	.ELF.....................@.....4.........4. ...(.............@...@...........................A...A..... ..9................D.A.D.A.D................dt.Q............................<...'..l...!'.......................<...'..H...!........'9... .............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400290
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	72332
Section Header Size:	40
Number of Section Headers:	16
Header String Table Index:	15

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000b4	0xb4	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400140	0x140	0xfa80	0x0	0x6	AX	16
.fini	PROGBITS	0x40fbc0	0xfbc0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40fc20	0xfc20	0x10d0	0x0	0x2	A	16
.eh_frame	PROGBITS	0x411000	0x11000	0x44	0x0	0x3	WA	4
.tbss	NOBITS	0x411044	0x11044	0x8	0x0	0x403	WAT	4
.ctors	PROGBITS	0x411044	0x11044	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x41104c	0x1104c	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x411054	0x11054	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x411060	0x11060	0x3c4	0x0	0x3	WA	16
.got	PROGBITS	0x411430	0x11430	0x5f0	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x411a20	0x11a20	0x38	0x0	0x10000003	WAp	4
.bss	NOBITS	0x411a60	0x11a20	0x2f20	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xb52	0x11a20	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x11a20	0x6c	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x10cf0	0x10cf0	5.4773	0x5	R E	0x1000	.init .text .fini .rodata
LOAD	0x11000	0x411000	0x411000	0xa20	0x3980	4.1986	0x6	RW	0x1000	.eh_frame .tbss .ctors .dtors .jcr .data .got .sbss .bss
TLS	0x11044	0x411044	0x411044	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:42:14.455997944 CET	45926	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:14.460895061 CET	999	45926	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:14.460988998 CET	45926	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:14.461153984 CET	45926	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:14.466084957 CET	999	45926	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:14.466135979 CET	45926	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:14.471041918 CET	999	45926	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:16.234395027 CET	999	45926	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:16.234829903 CET	45926	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:16.239756107 CET	999	45926	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:17.237108946 CET	45928	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:17.242043018 CET	999	45928	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:17.242121935 CET	45928	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:17.242163897 CET	45928	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:17.246993065 CET	999	45928	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:17.247046947 CET	45928	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:17.251893997 CET	999	45928	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:19.011693001 CET	999	45928	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:19.012008905 CET	45928	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:19.016904116 CET	999	45928	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:20.014631033 CET	45930	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:20.019617081 CET	999	45930	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:20.019714117 CET	45930	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:20.019757032 CET	45930	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:20.024660110 CET	999	45930	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:20.024753094 CET	45930	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:20.029624939 CET	999	45930	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:21.806794882 CET	999	45930	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:21.807086945 CET	45930	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:21.812005043 CET	999	45930	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:22.809333086 CET	45932	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:22.814440012 CET	999	45932	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:22.814532995 CET	45932	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:22.814554930 CET	45932	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:22.820508003 CET	999	45932	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:22.820585966 CET	45932	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:22.825812101 CET	999	45932	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:23.727597952 CET	48202	443	192.168.2.13	185.125.190.26
Jan 11, 2025 04:42:24.556734085 CET	999	45932	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:24.557091951 CET	45932	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:24.562005997 CET	999	45932	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:25.560167074 CET	45934	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:25.564990997 CET	999	45934	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:25.565085888 CET	45934	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:25.565143108 CET	45934	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:25.569919109 CET	999	45934	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:25.570030928 CET	45934	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:25.574784994 CET	999	45934	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:27.306015968 CET	999	45934	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:27.306375980 CET	45934	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:27.311299086 CET	999	45934	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:28.308691978 CET	45936	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:28.313652039 CET	999	45936	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:28.313767910 CET	45936	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:28.313790083 CET	45936	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:28.318605900 CET	999	45936	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:28.318675995 CET	45936	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:28.323534966 CET	999	45936	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:30.088495970 CET	999	45936	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:30.088913918 CET	45936	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:30.093919992 CET	999	45936	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:31.091813087 CET	45938	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:31.097088099 CET	999	45938	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:31.097153902 CET	45938	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:31.097167969 CET	45938	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:31.102560997 CET	999	45938	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:31.102622986 CET	45938	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:31.107516050 CET	999	45938	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:32.857709885 CET	999	45938	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:32.858222008 CET	45938	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:32.863121033 CET	999	45938	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:33.863717079 CET	45940	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:33.868633032 CET	999	45940	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:33.868731022 CET	45940	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:33.868731022 CET	45940	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:33.873637915 CET	999	45940	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:33.873733044 CET	45940	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:33.878532887 CET	999	45940	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:35.653819084 CET	999	45940	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:35.654123068 CET	45940	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:35.659086943 CET	999	45940	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:36.656354904 CET	45942	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:36.661413908 CET	999	45942	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:36.661498070 CET	45942	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:36.661498070 CET	45942	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:36.666354895 CET	999	45942	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:36.666454077 CET	45942	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:36.671278000 CET	999	45942	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:38.433907986 CET	999	45942	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:38.434257984 CET	45942	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:38.439137936 CET	999	45942	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:39.437488079 CET	45944	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:39.442451000 CET	999	45944	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:39.442532063 CET	45944	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:39.442599058 CET	45944	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:39.447453022 CET	999	45944	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:39.447516918 CET	45944	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:39.452378988 CET	999	45944	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:41.218930006 CET	999	45944	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:41.219353914 CET	45944	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:41.224319935 CET	999	45944	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:42.221239090 CET	45946	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:42.226119995 CET	999	45946	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:42.226269960 CET	45946	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:42.226269960 CET	45946	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:42.231187105 CET	999	45946	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:42.231277943 CET	45946	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:42.236183882 CET	999	45946	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:43.983647108 CET	999	45946	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:43.983858109 CET	45946	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:43.988722086 CET	999	45946	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:44.986360073 CET	45948	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:44.991262913 CET	999	45948	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:44.991343021 CET	45948	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:44.991362095 CET	45948	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:44.996217012 CET	999	45948	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:44.996278048 CET	45948	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:45.001368999 CET	999	45948	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:46.764611006 CET	999	45948	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:46.764882088 CET	45948	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:46.769802094 CET	999	45948	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:47.766832113 CET	45950	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:47.772413015 CET	999	45950	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:47.772520065 CET	45950	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:47.772588968 CET	45950	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:47.777446032 CET	999	45950	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:47.777506113 CET	45950	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:47.782357931 CET	999	45950	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:49.525719881 CET	999	45950	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:49.526225090 CET	45950	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:49.531115055 CET	999	45950	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:50.528023005 CET	45952	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:50.532915115 CET	999	45952	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:50.533004045 CET	45952	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:50.533070087 CET	45952	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:50.537869930 CET	999	45952	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:50.537942886 CET	45952	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:50.542748928 CET	999	45952	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:52.320251942 CET	999	45952	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:52.320528984 CET	45952	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:52.325367928 CET	999	45952	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:53.322974920 CET	45954	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:53.329782963 CET	999	45954	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:53.329915047 CET	45954	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:53.329932928 CET	45954	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:53.336510897 CET	999	45954	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:53.336570978 CET	45954	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:53.343106985 CET	999	45954	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:54.703125000 CET	48202	443	192.168.2.13	185.125.190.26
Jan 11, 2025 04:42:55.121525049 CET	999	45954	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:55.121736050 CET	45954	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:55.126610041 CET	999	45954	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:56.123752117 CET	45956	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:56.128654003 CET	999	45956	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:56.128948927 CET	45956	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:56.128948927 CET	45956	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:56.133809090 CET	999	45956	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:56.133956909 CET	45956	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:56.138818026 CET	999	45956	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:57.885797977 CET	999	45956	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:57.886022091 CET	45956	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:57.890815973 CET	999	45956	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:58.887934923 CET	45958	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:58.892987967 CET	999	45958	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:58.893157959 CET	45958	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:58.893157959 CET	45958	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:58.898067951 CET	999	45958	85.239.34.134	192.168.2.13
Jan 11, 2025 04:42:58.898169041 CET	45958	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:42:58.903069019 CET	999	45958	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:00.650378942 CET	999	45958	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:00.650676012 CET	45958	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:00.655805111 CET	999	45958	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:01.652900934 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:01.657783031 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:01.657913923 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:01.658237934 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:01.663068056 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:01.663146019 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:01.667998075 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:11.668243885 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:11.673011065 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:11.891750097 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:11.891911030 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:46.488090992 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:46.488423109 CET	45960	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:46.493258953 CET	999	45960	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:47.490744114 CET	45962	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:47.495562077 CET	999	45962	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:47.495656013 CET	45962	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:47.495728016 CET	45962	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:47.500543118 CET	999	45962	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:47.500617027 CET	45962	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:47.505377054 CET	999	45962	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:49.260859013 CET	999	45962	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:49.261071920 CET	45962	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:49.265872002 CET	999	45962	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:50.262486935 CET	45964	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:50.267594099 CET	999	45964	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:50.267654896 CET	45964	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:50.267688036 CET	45964	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:50.272490025 CET	999	45964	85.239.34.134	192.168.2.13
Jan 11, 2025 04:43:50.272555113 CET	45964	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:43:50.277350903 CET	999	45964	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:09.422074080 CET	999	45964	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:09.422475100 CET	45964	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:09.427335024 CET	999	45964	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:10.424335003 CET	45966	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:10.429198980 CET	999	45966	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:10.429256916 CET	45966	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:10.429279089 CET	45966	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:10.434087992 CET	999	45966	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:10.434139967 CET	45966	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:10.439074993 CET	999	45966	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:12.199331045 CET	999	45966	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:12.199619055 CET	45966	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:12.204480886 CET	999	45966	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:13.201615095 CET	45968	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:13.206530094 CET	999	45968	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:13.206705093 CET	45968	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:13.206747055 CET	45968	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:13.211558104 CET	999	45968	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:13.211627960 CET	45968	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:13.216479063 CET	999	45968	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:14.965950966 CET	999	45968	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:14.966183901 CET	45968	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:14.971081972 CET	999	45968	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:15.968161106 CET	45970	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:15.973018885 CET	999	45970	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:15.973095894 CET	45970	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:15.973157883 CET	45970	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:15.978019953 CET	999	45970	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:15.978070021 CET	45970	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:15.982850075 CET	999	45970	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:17.729671955 CET	999	45970	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:17.730113983 CET	45970	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:17.734966993 CET	999	45970	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:18.732402086 CET	45972	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:18.737199068 CET	999	45972	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:18.737263918 CET	45972	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:18.737293005 CET	45972	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:18.742042065 CET	999	45972	85.239.34.134	192.168.2.13
Jan 11, 2025 04:44:18.742090940 CET	45972	999	192.168.2.13	85.239.34.134
Jan 11, 2025 04:44:18.746818066 CET	999	45972	85.239.34.134	192.168.2.13

System Behavior

Analysis Process: dash PID: 5411, Parent PID: 3578

General

Start time (UTC):	03:42:05
Start date (UTC):	11/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5411, Parent PID: 3578

General

Start time (UTC):	03:42:05
Start date (UTC):	11/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.zyqSxPi4y6 /tmp/tmp.Ugs7kCUs5l /tmp/tmp.0AzLUvd8vZ
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: dash PID: 5412, Parent PID: 3578

General

Start time (UTC):	03:42:05
Start date (UTC):	11/01/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: rm PID: 5412, Parent PID: 3578

General

Start time (UTC):	03:42:05
Start date (UTC):	11/01/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.zyqSxPi4y6 /tmp/tmp.Ugs7kCUs5l /tmp/tmp.0AzLUvd8vZ
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Chronological Activities

Analysis Process: mips.elf PID: 5443, Parent PID: 5344

General

Start time (UTC):	03:42:13
Start date (UTC):	11/01/2025
Path:	/tmp/mips.elf
Arguments:	/tmp/mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: mips.elf PID: 5445, Parent PID: 5443

General

Start time (UTC):	03:42:13
Start date (UTC):	11/01/2025
Path:	/tmp/mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: dash PID: 5411, Parent PID: 3578

General

Chronological Activities

Analysis Process: rm PID: 5411, Parent PID: 3578

General

Chronological Activities

Analysis Process: dash PID: 5412, Parent PID: 3578

General

Chronological Activities

Analysis Process: rm PID: 5412, Parent PID: 3578

General

Chronological Activities

Analysis Process: mips.elf PID: 5443, Parent PID: 5344

General

Chronological Activities

Analysis Process: mips.elf PID: 5445, Parent PID: 5443

General

Chronological Activities

Linux Analysis Report
mips.elf