Linux
Analysis Report
g6.elf
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1589612 |
Start date and time: | 2025-01-12 23:42:04 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | g6.elf |
Detection: | MAL |
Classification: | mal64.spre.troj.evad.linELF@0/6@0/0 |
- VT rate limit hit for: http://103.136.41.100/g6
Command: | /tmp/g6.elf |
PID: | 6237 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | gosh that chinese family at the other table sure ate a lot |
Standard Error: |
- system is lnxubuntu20
- g6.elf New Fork (PID: 6248, Parent: 6237)
- sh New Fork (PID: 6250, Parent: 6248)
- g6.elf New Fork (PID: 6264, Parent: 6237)
- sh New Fork (PID: 6268, Parent: 6264)
- g6.elf New Fork (PID: 6269, Parent: 6237)
- sh New Fork (PID: 6271, Parent: 6269)
- xfce4-panel New Fork (PID: 6239, Parent: 2063)
- xfce4-panel New Fork (PID: 6240, Parent: 2063)
- xfce4-panel New Fork (PID: 6241, Parent: 2063)
- xfce4-panel New Fork (PID: 6242, Parent: 2063)
- xfce4-panel New Fork (PID: 6243, Parent: 2063)
- xfce4-panel New Fork (PID: 6244, Parent: 2063)
- systemd New Fork (PID: 6252, Parent: 6251)
- cleanup
- • AV Detection
- • Networking
- • System Summary
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | Socket: | Jump to behavior |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
System Summary |
---|
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior |
Source: | .symtab present: |
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior | ||
Source: | SIGKILL sent: | Jump to behavior |
Source: | Classification label: |
Persistence and Installation Behavior |
---|
Source: | Crontab executable: | Jump to behavior |
Source: | File: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | Shell command executed: | Jump to behavior | ||
Source: | Shell command executed: | Jump to behavior | ||
Source: | Shell command executed: | Jump to behavior |
Source: | Systemctl executable: | Jump to behavior |
Source: | Reads from proc file: | Jump to behavior |
Source: | Writes shell script file to disk with an unusual file extension: | Jump to dropped file |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File: | Jump to dropped file |
Source: | Queries kernel information via 'uname': | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Scheduled Task/Job | 1 Systemd Service | 1 Systemd Service | 1 Masquerading | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Service Stop |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | Rootkit | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 Scripting | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
26% | Virustotal | Browse | ||
32% | ReversingLabs | Linux.Backdoor.Mirai |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
77.90.22.16 | unknown | Germany | 12586 | ASGHOSTNETDE | false | |
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false | |
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
77.90.22.16 | Get hash | malicious | Unknown | Browse | ||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
Get hash | malicious | Unknown | Browse | |||
1.1.1.1 | Get hash | malicious | Xmrig | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook, NSISDropper | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | FormBook | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
109.202.202.202 | Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
CLOUDFLARENETUS | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | LummaC | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
CANONICAL-ASGB | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Prometei | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
INIT7CH | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
ASGHOSTNETDE | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Mirai | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | /tmp/g6.elf |
File Type: | |
Category: | dropped |
Size (bytes): | 617 |
Entropy (8bit): | 4.739574079771775 |
Encrypted: | false |
SSDEEP: | 12:i5BpMp5kTMp5Gu+a6KqCqXSMG259srxylKNVUdURucTyl:ifpMr8MrPd6KqCqiMGAsrxy8bp4 |
MD5: | 1CC44176B5452CB7A331133672D937FA |
SHA1: | 55B61112A4D7E4CBB59603914B585837120B3B26 |
SHA-256: | 50DBE8F2AECD2F7B7622A029C811AD6EA3509237C61CEF5B8B59D4450D331303 |
SHA-512: | 5B8892612AAA8B42B64EE8D3E944FD37EE9D161AEDE9B04A56644CFC00ACAC7806F2287913EF4C861C64A969A19DF77C03A04E3A07029199FF2027E502E290A9 |
Malicious: | true |
Joe Sandbox View: |
|
Reputation: | low |
Preview: |
Process: | /tmp/g6.elf |
File Type: | |
Category: | dropped |
Size (bytes): | 313 |
Entropy (8bit): | 5.28368958442553 |
Encrypted: | false |
SSDEEP: | 6:z8KbX9RZAMGCk4vEuIACLm+fOALMFF5CQgcyskXlIEXwsCBLQmWA4Rv:zb9RZADJiIE+mpqCqXSLLHWrv |
MD5: | 106272481A79DAFBC9F2CA3EA5A5AF8E |
SHA1: | 7F73F67B29266906E6D999BB9D8AF3A7DB94F652 |
SHA-256: | F8E89CA6D7E9EB404DACC618D7B2A0F02020E080D3B40B31CFC22A6DF458C98E |
SHA-512: | 08DA4C1E04359A4B3BAAFCD425839AF773885F85883914D817728D9DB81B2133CF8E11ECE459C39AEAFB95974D7B7AA6EA2F16C4CB0BF36C10150E8448A118F2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
File Type: | |
Category: | dropped |
Size (bytes): | 76 |
Entropy (8bit): | 3.7627880354948586 |
Encrypted: | false |
SSDEEP: | 3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb |
MD5: | D86A1F5765F37989EB0EC3837AD13ECC |
SHA1: | D749672A734D9DEAFD61DCA501C6929EC431B83E |
SHA-256: | 85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45 |
SHA-512: | 338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | /tmp/g6.elf |
File Type: | |
Category: | dropped |
Size (bytes): | 134 |
Entropy (8bit): | 4.800827342303799 |
Encrypted: | false |
SSDEEP: | 3:SH3YFKKLf0FeMPHRCQUIycDSGuVskXQYlIUU0XzT9Fw2sePn:SH3oLMFF5CQgcyskXlIEX9W5Cn |
MD5: | 9B9B99343B1C51347C7CD56FD0CBA203 |
SHA1: | E7928B952E7663F5DD5B197991FECF0E4FA8D96E |
SHA-256: | 1F82514A1A49132BF080A77291456C85AB663AB000CE34F1344C0118F1DD790E |
SHA-512: | D14EDEBFD57F7B3E5B4EA2DDAE5BA77F2D3ED28177E2F5DE923BCF8A1797AD5EF88D6868DF55E8D870380DCD66B16BE1AA1F3BAD94791373F0EEE392F4AF8616 |
Malicious: | true |
Reputation: | low |
Preview: |
Process: | /tmp/g6.elf |
File Type: | |
Category: | dropped |
Size (bytes): | 259 |
Entropy (8bit): | 3.383607598144853 |
Encrypted: | false |
SSDEEP: | 6:3DDF4OXM/VUT4DF4W/IQ3j/VjmsVot/VOArB/VF:vvXNc+QS/ |
MD5: | B505F08901027BC48BE5464656B3D36B |
SHA1: | E549BCAAE78C54B7E4DE0EF688823C09C1798593 |
SHA-256: | 150D62C1E051259EB8A0D90643BAED3D8A1511C8D27833F7BCC62E1BC3637594 |
SHA-512: | 38825AE08F027A6766EF3F69F69E69EF290B11491E80A9C0735B396AC5D9229B2BEA2AA9777EBBADEA33B8375F97D4A33E675A7ECD3C8C23A288D742499CB8DB |
Malicious: | false |
Preview: |
Process: | /usr/bin/crontab |
File Type: | |
Category: | dropped |
Size (bytes): | 324 |
Entropy (8bit): | 5.264730303739549 |
Encrypted: | false |
SSDEEP: | 6:SUrpqoqQjEOP1K8XAEuLuwJOBFQ3pg4iGMQ5UYLtCFt3HYoLMFF5CQgcyskXlIEN:8Qj7QEuLut83pdUeHLUHYRqCqXSK |
MD5: | 145926116B0C937A6D68C11D291D31CA |
SHA1: | E5F6E3F3F1A9FC26E7A089E6BD2D843BD0516540 |
SHA-256: | A6DECDC12E602DBCB5965FAFD7C1EF7D07E8F38DCAC7FD2BD5403E9FFE272974 |
SHA-512: | 44D44E807CB9573977B850B76436E023131D286AAD8D4FD409529914394EE0E59035CB023D1532676CF9499F75F09D6622B948AB023C3234504FD45491BA268F |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 6.119008817339163 |
TrID: |
|
File name: | g6.elf |
File size: | 93'372 bytes |
MD5: | 8718f3367ac74935cd1fa1f542917234 |
SHA1: | 8983d66200c8167fc859852226a45356b38d3624 |
SHA256: | d80c634884bbde73b5dd48cee37a5e1bc11055bb15e320c2b41b2c2a76d6e34a |
SHA512: | 50bdc66c8830df02bba27e889a09fe24fa90d24a3682661e9162f6af9b4c85b9fc6373a64b0a03f72afc9cc644894764b493e63cff7470411d5a2173c4ae1a04 |
SSDEEP: | 1536:3/2nzPchPepE6kDsDYrqeQ0LQ28c23uc5hRoXalCjimymPd0lWc6n5gIZgTeg3E:sVDurnQvc23uc5U/ymPd4b6+JTzE |
TLSH: | 8D93185AF9815B41C5D411BBBE1E529E33076BA8E3EA7203ED201B2537CAA1F0F77506 |
File Content Preview: | .ELF..............(.........4...<j......4. ...(........p.c.......... ... ............................d...d...............d...d...d......\9...............d...d...d..................Q.td..................................-...L..................@-.,@...0....S |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 5 |
Section Header Offset: | 92732 |
Section Header Size: | 40 |
Number of Section Headers: | 16 |
Header String Table Index: | 15 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.init | PROGBITS | 0x80d4 | 0xd4 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.text | PROGBITS | 0x80f0 | 0xf0 | 0x14904 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x1c9f4 | 0x149f4 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.rodata | PROGBITS | 0x1ca04 | 0x14a04 | 0x1970 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ARM.extab | PROGBITS | 0x1e374 | 0x16374 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ARM.exidx | ARM_EXIDX | 0x1e38c | 0x1638c | 0x120 | 0x0 | 0x82 | AL | 2 | 0 | 4 |
.eh_frame | PROGBITS | 0x264ac | 0x164ac | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.tbss | NOBITS | 0x264b0 | 0x164b0 | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4 |
.init_array | INIT_ARRAY | 0x264b0 | 0x164b0 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.fini_array | FINI_ARRAY | 0x264b4 | 0x164b4 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.got | PROGBITS | 0x264bc | 0x164bc | 0xa8 | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x26564 | 0x16564 | 0x43c | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x269a0 | 0x169a0 | 0x3468 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x169a0 | 0x16 | 0x0 | 0x0 | 0 | 0 | 1 | |
.shstrtab | STRTAB | 0x0 | 0x169b6 | 0x83 | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
EXIDX | 0x1638c | 0x1e38c | 0x1e38c | 0x120 | 0x120 | 4.5642 | 0x4 | R | 0x4 | .ARM.exidx | |
LOAD | 0x0 | 0x8000 | 0x8000 | 0x164ac | 0x164ac | 6.1122 | 0x5 | R E | 0x8000 | .init .text .fini .rodata .ARM.extab .ARM.exidx | |
LOAD | 0x164ac | 0x264ac | 0x264ac | 0x4f4 | 0x395c | 6.2159 | 0x6 | RW | 0x8000 | .eh_frame .tbss .init_array .fini_array .got .data .bss | |
TLS | 0x164b0 | 0x264b0 | 0x264b0 | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | .tbss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 |
Download Network PCAP: filtered – full
- Total Packets: 20
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 12, 2025 23:42:58.103863001 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Jan 12, 2025 23:42:58.871769905 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Jan 12, 2025 23:43:00.576426029 CET | 46223 | 53 | 192.168.2.23 | 1.1.1.1 |
Jan 12, 2025 23:43:00.581537008 CET | 53 | 46223 | 1.1.1.1 | 192.168.2.23 |
Jan 12, 2025 23:43:00.581621885 CET | 46223 | 53 | 192.168.2.23 | 1.1.1.1 |
Jan 12, 2025 23:43:00.581734896 CET | 46223 | 53 | 192.168.2.23 | 1.1.1.1 |
Jan 12, 2025 23:43:00.586723089 CET | 53 | 46223 | 1.1.1.1 | 192.168.2.23 |
Jan 12, 2025 23:43:00.586755037 CET | 53 | 46223 | 1.1.1.1 | 192.168.2.23 |
Jan 12, 2025 23:43:00.586821079 CET | 46223 | 53 | 192.168.2.23 | 1.1.1.1 |
Jan 12, 2025 23:43:01.900650024 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:43:01.905683994 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:43:01.905755997 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:43:02.903203011 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:43:02.908202887 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:43:02.908283949 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:43:02.908677101 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:43:02.913544893 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:43:12.949820042 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Jan 12, 2025 23:43:25.236099958 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43 |
Jan 12, 2025 23:43:29.331671953 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202 |
Jan 12, 2025 23:43:33.426959991 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:43:33.432003975 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:43:53.904179096 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42 |
Jan 12, 2025 23:44:04.142739058 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:44:04.147798061 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:44:12.989635944 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:44:12.995080948 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:44:13.176270008 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
Jan 12, 2025 23:44:13.176425934 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:44:45.097093105 CET | 48828 | 5625 | 192.168.2.23 | 77.90.22.16 |
Jan 12, 2025 23:44:45.102281094 CET | 5625 | 48828 | 77.90.22.16 | 192.168.2.23 |
System Behavior
Start time (UTC): | 22:42:54 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | /tmp/g6.elf |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /bin/sh |
Arguments: | /bin/sh -c "systemctl daemon-reload > /dev/null 2>&1" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/systemctl |
Arguments: | systemctl daemon-reload |
File size: | 996584 bytes |
MD5 hash: | 4deddfb6741481f68aeac522cc26ff4b |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /bin/sh |
Arguments: | /bin/sh -c "crontab /tmp/crontab.tmp > /dev/null 2>&1" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/crontab |
Arguments: | crontab /tmp/crontab.tmp |
File size: | 43720 bytes |
MD5 hash: | 66e521d421ac9b407699061bf21806f5 |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /bin/sh |
Arguments: | /bin/sh -c "/etc/init.d/hello > /dev/null 2>&1" |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /bin/sh |
Arguments: | - |
File size: | 129816 bytes |
MD5 hash: | 1e6b1c887c59a315edb7eb9a315fc84c |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:43:00 |
Start date (UTC): | 12/01/2025 |
Path: | /tmp/g6.elf |
Arguments: | - |
File size: | 4956856 bytes |
MD5 hash: | 5ebfcae4fe2471fcc5695c2394773ff1 |
Start time (UTC): | 22:42:55 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/xfce4-panel |
Arguments: | - |
File size: | 375768 bytes |
MD5 hash: | a15b657c7d54ac1385f1f15004ea6784 |
Start time (UTC): | 22:42:55 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 |
Arguments: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear" |
File size: | 35136 bytes |
MD5 hash: | ac0b8a906f359a8ae102244738682e76 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/xfce4-panel |
Arguments: | - |
File size: | 375768 bytes |
MD5 hash: | a15b657c7d54ac1385f1f15004ea6784 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 |
Arguments: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)" |
File size: | 35136 bytes |
MD5 hash: | ac0b8a906f359a8ae102244738682e76 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/xfce4-panel |
Arguments: | - |
File size: | 375768 bytes |
MD5 hash: | a15b657c7d54ac1385f1f15004ea6784 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 |
Arguments: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system" |
File size: | 35136 bytes |
MD5 hash: | ac0b8a906f359a8ae102244738682e76 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/xfce4-panel |
Arguments: | - |
File size: | 375768 bytes |
MD5 hash: | a15b657c7d54ac1385f1f15004ea6784 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 |
Arguments: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display" |
File size: | 35136 bytes |
MD5 hash: | ac0b8a906f359a8ae102244738682e76 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/xfce4-panel |
Arguments: | - |
File size: | 375768 bytes |
MD5 hash: | a15b657c7d54ac1385f1f15004ea6784 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 |
Arguments: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel" |
File size: | 35136 bytes |
MD5 hash: | ac0b8a906f359a8ae102244738682e76 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/bin/xfce4-panel |
Arguments: | - |
File size: | 375768 bytes |
MD5 hash: | a15b657c7d54ac1385f1f15004ea6784 |
Start time (UTC): | 22:42:56 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 |
Arguments: | /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions" |
File size: | 35136 bytes |
MD5 hash: | ac0b8a906f359a8ae102244738682e76 |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/systemd/systemd |
Arguments: | - |
File size: | 1620224 bytes |
MD5 hash: | 9b2bec7092a40488108543f9334aab75 |
Start time (UTC): | 22:42:59 |
Start date (UTC): | 12/01/2025 |
Path: | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
Arguments: | /usr/lib/systemd/system-environment-generators/snapd-env-generator |
File size: | 22760 bytes |
MD5 hash: | 3633b075f40283ec938a2a6a89671b0e |