Edit tour

Linux Analysis Report
camp.mpsl.elf

Overview

General Information

Sample name:	camp.mpsl.elf
Analysis ID:	1589240
MD5:	91d99a457e2507262fb29b8110f0a6ea
SHA1:	ef2bcd5e493fd2f04a6790aa4a07a49b42677c17
SHA256:	d74da9a6f17ec3120d5bf51549dd48f22e391a3b1d7124c260ac313dfedc640b
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589240
Start date and time:	2025-01-11 23:51:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	camp.mpsl.elf
Detection:	MAL
Classification:	mal76.troj.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/camp.mpsl.elf
PID:	5469
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

camp.mpsl.elf (PID: 5469, Parent: 5387, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/camp.mpsl.elf

camp.mpsl.elf New Fork (PID: 5471, Parent: 5469)

camp.mpsl.elf New Fork (PID: 5473, Parent: 5471)

camp.mpsl.elf New Fork (PID: 5475, Parent: 5471)

camp.mpsl.elf New Fork (PID: 5484, Parent: 5469)

camp.mpsl.elf New Fork (PID: 5486, Parent: 5469)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5469.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5469.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5473.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5473.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5471.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5471.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5484.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5484.1.00007f87b8400000.00007f87b8418000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x14bdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14bf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14c90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14ce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14cf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x14d6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: camp.mpsl.elf PID: 5469	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: camp.mpsl.elf PID: 5469	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x62c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x640:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x654:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x668:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x67c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x690:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x71c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x76c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x7bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: camp.mpsl.elf PID: 5471	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: camp.mpsl.elf PID: 5471	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x68d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68e5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x68f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x690d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6921:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6935:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6949:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x695d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6971:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6985:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6999:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x69fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a11:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a25:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a39:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a4d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6a61:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: camp.mpsl.elf PID: 5473	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: camp.mpsl.elf PID: 5473	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x16fe:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1712:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1726:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x173a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x174e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1762:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1776:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x178a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x179e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17b2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17c6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17da:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17ee:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1802:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1816:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x182a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x183e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1852:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1866:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x187a:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x188e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: camp.mpsl.elf PID: 5484	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: camp.mpsl.elf PID: 5484	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xbce9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbcfd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd11:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd25:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd39:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd4d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd61:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd75:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd89:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbd9d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbdb1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbdc5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbdd9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbded:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe01:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe15:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe29:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe3d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe51:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe65:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xbe79:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: camp.mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: camp.mpsl.elf	ReversingLabs: Detection: 44%
Source: camp.mpsl.elf	Virustotal: Detection: 43%			Perma Link

Source: global traffic

TCP traffic: 192.168.2.13:46660 -> 5.181.159.16:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16
Source: unknown	TCP traffic detected without corresponding DNS query: 5.181.159.16

Source: camp.mpsl.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5469.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5473.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5471.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5484.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: camp.mpsl.elf PID: 5469, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: camp.mpsl.elf PID: 5471, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: camp.mpsl.elf PID: 5473, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: camp.mpsl.elf PID: 5484, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5469.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5473.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5471.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5484.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: camp.mpsl.elf PID: 5469, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: camp.mpsl.elf PID: 5471, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: camp.mpsl.elf PID: 5473, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: camp.mpsl.elf PID: 5484, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/238/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/239/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/914/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/240/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/3095/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/241/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/242/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/244/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/245/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/247/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1906/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/802/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/3644/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/3420/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1482/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1480/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/371/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1238/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/134/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/3413/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/1475/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/936/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/816/status	Jump to behavior
Source: /tmp/camp.mpsl.elf (PID: 5469)	File opened: /proc/35/status	Jump to behavior

Source: camp.mpsl.elf

Submission file: segment LOAD with 7.9317 entropy (max. 8.0)

Source: /tmp/camp.mpsl.elf (PID: 5469)

Queries kernel information via 'uname':

Jump to behavior

Source: camp.mpsl.elf, 5469.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp, camp.mpsl.elf, 5471.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp, camp.mpsl.elf, 5473.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp, camp.mpsl.elf, 5484.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: camp.mpsl.elf, 5469.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp, camp.mpsl.elf, 5471.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp, camp.mpsl.elf, 5473.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp, camp.mpsl.elf, 5484.1.000055c1a55ad000.000055c1a5654000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: camp.mpsl.elf, 5469.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp, camp.mpsl.elf, 5471.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp, camp.mpsl.elf, 5473.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp, camp.mpsl.elf, 5484.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp	Binary or memory string: dwJx86_64/usr/bin/qemu-mipsel/tmp/camp.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/camp.mpsl.elf
Source: camp.mpsl.elf, 5469.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp, camp.mpsl.elf, 5471.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp, camp.mpsl.elf, 5473.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp, camp.mpsl.elf, 5484.1.00007ffdded4d000.00007ffdded6e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5469.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5473.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5471.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5484.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5469, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5471, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5473, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5484, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5469.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5473.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5471.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5484.1.00007f87b8400000.00007f87b8418000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5469, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5471, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5473, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: camp.mpsl.elf PID: 5484, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
camp.mpsl.elf	45%	ReversingLabs	Linux.Trojan.Mirai
camp.mpsl.elf	44%	Virustotal		Browse
camp.mpsl.elf	100%	Avira	EXP/ELF.Agent.M.28

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	camp.mpsl.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.181.159.16	unknown	Moldova Republic of		39798	MIVOCLOUDMD	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
5.181.159.16	camp.arm.elf	Get hash	malicious	Mirai	Browse
	camp.mips.elf	Get hash	malicious	Mirai	Browse
	camp.x86.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIVOCLOUDMD	camp.arm.elf	Get hash	malicious	Mirai	Browse	5.181.159.16
	camp.mips.elf	Get hash	malicious	Mirai	Browse	5.181.159.16
	camp.x86.elf	Get hash	malicious	Mirai	Browse	5.181.159.16
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	5.252.176.102
	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse	194.180.191.64
	Update.js	Get hash	malicious	NetSupport RAT	Browse	194.180.191.64
	eBHn6qHPLz.exe	Get hash	malicious	Remcos	Browse	5.181.159.153
	eBHn6qHPLz.exe	Get hash	malicious	Remcos	Browse	5.181.159.153
	I2BJhmJou4.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	I5jG2Os8GA.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.9288187139455655
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	camp.mpsl.elf
File size:	38'696 bytes
MD5:	91d99a457e2507262fb29b8110f0a6ea
SHA1:	ef2bcd5e493fd2f04a6790aa4a07a49b42677c17
SHA256:	d74da9a6f17ec3120d5bf51549dd48f22e391a3b1d7124c260ac313dfedc640b
SHA512:	44160b5262d2819c144df6f5f7d50d2612a6cc44f5ec9bb6af6296725456e1aff8120ae1863cec8b2a193ff7f98dcdd647c84b138c38c3df175b8f68156be83f
SSDEEP:	768:UhpGLq2YEQh5q10MxYWt/y/1tgPUcDpLoKAjB8Wl:EpD2Ynjq10Qt/U89afp
TLSH:	7D03F1DC95D32098CF5D4DF1A4BE16B20F5020DD7A267B9D3B1A1CCC7672497BA48878
File Content Preview:	.ELF........................4...........4. ...(.........................................`...`.E.`.E...................z,UPX!d.......D...D.......U..........?.E.h;....#......b.L#37&u..sO..v....... .....4.}..-.....h!..aV..*...7.B'1V..a..u..Lw...}............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x1082b8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x95f5	0x95f5	7.9317	0x5	R E	0x10000
LOAD	0xaf60	0x45af60	0x45af60	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 23:52:12.755245924 CET	46660	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:12.760440111 CET	3778	46660	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:12.760520935 CET	46660	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:12.809056044 CET	46660	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:12.814174891 CET	3778	46660	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:12.814237118 CET	46660	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:12.819135904 CET	3778	46660	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:18.564707994 CET	46662	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:18.569642067 CET	3778	46662	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:18.569722891 CET	46662	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:18.614181042 CET	46662	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:18.619074106 CET	3778	46662	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:18.619237900 CET	46662	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:18.624063015 CET	3778	46662	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:22.819448948 CET	46660	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:22.824531078 CET	3778	46660	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:28.624603033 CET	46662	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:28.675107956 CET	3778	46662	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:34.152394056 CET	3778	46660	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:34.153301954 CET	46660	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:34.158255100 CET	3778	46660	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:35.157452106 CET	46664	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:35.162426949 CET	3778	46664	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:35.162518024 CET	46664	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:35.164022923 CET	46664	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:35.168915033 CET	3778	46664	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:35.168982029 CET	46664	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:35.173862934 CET	3778	46664	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:39.962829113 CET	3778	46662	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:39.963254929 CET	46662	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:39.968111038 CET	3778	46662	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:40.965548992 CET	46666	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:40.970695019 CET	3778	46666	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:40.970766068 CET	46666	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:40.971679926 CET	46666	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:40.976677895 CET	3778	46666	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:40.976741076 CET	46666	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:40.981623888 CET	3778	46666	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:56.506344080 CET	3778	46664	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:56.506628036 CET	46664	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:56.511563063 CET	3778	46664	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:57.509927034 CET	46668	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:57.514955997 CET	3778	46668	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:57.515058041 CET	46668	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:57.516664982 CET	46668	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:57.521433115 CET	3778	46668	5.181.159.16	192.168.2.13
Jan 11, 2025 23:52:57.521543980 CET	46668	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:52:57.526424885 CET	3778	46668	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:02.565052032 CET	3778	46666	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:02.565349102 CET	46666	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:02.570209026 CET	3778	46666	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:03.568672895 CET	46670	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:03.573707104 CET	3778	46670	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:03.573796034 CET	46670	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:03.575598955 CET	46670	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:03.580439091 CET	3778	46670	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:03.580508947 CET	46670	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:03.585309029 CET	3778	46670	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:18.885325909 CET	3778	46668	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:18.885550022 CET	46668	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:18.891388893 CET	3778	46668	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:19.887972116 CET	46672	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:19.894581079 CET	3778	46672	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:19.894695044 CET	46672	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:19.895756006 CET	46672	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:19.903361082 CET	3778	46672	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:19.903465986 CET	46672	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:19.908572912 CET	3778	46672	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:24.947911024 CET	3778	46670	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:24.948216915 CET	46670	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:24.953118086 CET	3778	46670	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:25.951045036 CET	46674	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:25.956013918 CET	3778	46674	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:25.956104994 CET	46674	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:25.957299948 CET	46674	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:25.962141037 CET	3778	46674	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:25.962193012 CET	46674	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:25.967161894 CET	3778	46674	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:29.905260086 CET	46672	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:29.910111904 CET	3778	46672	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:35.965486050 CET	46674	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:35.970424891 CET	3778	46674	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:41.276773930 CET	3778	46672	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:41.277210951 CET	46672	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:41.282244921 CET	3778	46672	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:42.280406952 CET	46676	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:42.285438061 CET	3778	46676	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:42.285641909 CET	46676	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:42.286957979 CET	46676	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:42.291796923 CET	3778	46676	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:42.291883945 CET	46676	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:42.296711922 CET	3778	46676	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:47.322572947 CET	3778	46674	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:47.322990894 CET	46674	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:47.327934980 CET	3778	46674	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:48.326191902 CET	46678	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:48.331424952 CET	3778	46678	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:48.331540108 CET	46678	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:48.332441092 CET	46678	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:48.337368011 CET	3778	46678	5.181.159.16	192.168.2.13
Jan 11, 2025 23:53:48.337508917 CET	46678	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:53:48.342696905 CET	3778	46678	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:03.682172060 CET	3778	46676	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:03.682606936 CET	46676	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:03.687545061 CET	3778	46676	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:04.686264992 CET	46680	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:04.691258907 CET	3778	46680	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:04.691360950 CET	46680	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:04.692863941 CET	46680	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:04.697823048 CET	3778	46680	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:04.697897911 CET	46680	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:04.702773094 CET	3778	46680	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:09.713782072 CET	3778	46678	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:09.714173079 CET	46678	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:09.719132900 CET	3778	46678	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:10.717041969 CET	46682	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:10.721956968 CET	3778	46682	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:10.722022057 CET	46682	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:10.723156929 CET	46682	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:10.728060007 CET	3778	46682	5.181.159.16	192.168.2.13
Jan 11, 2025 23:54:10.728168011 CET	46682	3778	192.168.2.13	5.181.159.16
Jan 11, 2025 23:54:10.733330011 CET	3778	46682	5.181.159.16	192.168.2.13

System Behavior

Analysis Process: camp.mpsl.elf PID: 5469, Parent PID: 5387

General

Start time (UTC):	22:52:11
Start date (UTC):	11/01/2025
Path:	/tmp/camp.mpsl.elf
Arguments:	/tmp/camp.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5471, Parent PID: 5469

General

Start time (UTC):	22:52:12
Start date (UTC):	11/01/2025
Path:	/tmp/camp.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5473, Parent PID: 5471

General

Start time (UTC):	22:52:12
Start date (UTC):	11/01/2025
Path:	/tmp/camp.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5475, Parent PID: 5471

General

Start time (UTC):	22:52:12
Start date (UTC):	11/01/2025
Path:	/tmp/camp.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5484, Parent PID: 5469

General

Start time (UTC):	22:52:17
Start date (UTC):	11/01/2025
Path:	/tmp/camp.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5486, Parent PID: 5469

General

Start time (UTC):	22:52:17
Start date (UTC):	11/01/2025
Path:	/tmp/camp.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report camp.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: camp.mpsl.elf PID: 5469, Parent PID: 5387

General

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5471, Parent PID: 5469

General

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5473, Parent PID: 5471

General

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5475, Parent PID: 5471

General

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5484, Parent PID: 5469

General

Chronological Activities

Analysis Process: camp.mpsl.elf PID: 5486, Parent PID: 5469

General

Chronological Activities

Linux Analysis Report
camp.mpsl.elf