Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
spc.elf

Overview

General Information

Sample name:spc.elf
Analysis ID:1591267
MD5:a92e1869bd5d0716e30ea16df527e287
SHA1:b1a28aa07b3cf572a0b0eb83cf3075808dbc586a
SHA256:3efd6c4bed8ba71ec37ebf9a2f779589cd2168eb81b1f3fe0eff921b3af76f89
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai, Moobot
Score:100
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Mirai
Yara detected Moobot
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1591267
Start date and time:2025-01-14 21:03:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 51s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:spc.elf
Detection:MAL
Classification:mal100.troj.evad.linELF@0/0@2/0

Runtime Messages

Command:/tmp/spc.elf
PID:6255
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:

Process Tree

  • system is lnxubuntu20
  • spc.elf (PID: 6255, Parent: 6176, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/spc.elf
    • spc.elf New Fork (PID: 6257, Parent: 6255)
      • spc.elf New Fork (PID: 6259, Parent: 6257)
      • spc.elf New Fork (PID: 6261, Parent: 6257)
        • spc.elf New Fork (PID: 6263, Parent: 6261)
        • spc.elf New Fork (PID: 6268, Parent: 6261)
          • spc.elf New Fork (PID: 6270, Parent: 6268)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
NameDescriptionAttributionBlogpost URLsLink
MooBotNo Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
spc.elfJoeSecurity_MoobotYara detected MoobotJoe Security
    spc.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      spc.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
      • 0xcad8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcaec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcb8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcba0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcbb4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcbc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcbdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcbf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0xcc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      6259.1.00007f6368011000.00007f6368020000.r-x.sdmpJoeSecurity_MoobotYara detected MoobotJoe Security
        6259.1.00007f6368011000.00007f6368020000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          6259.1.00007f6368011000.00007f6368020000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
          • 0xcad8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcaec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb28:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb3c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb50:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb64:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb78:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcb8c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcba0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcbb4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcbc8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcbdc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcbf0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0xcc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          6257.1.00007f6368011000.00007f6368020000.r-x.sdmpJoeSecurity_MoobotYara detected MoobotJoe Security
            6257.1.00007f6368011000.00007f6368020000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
              Click to see the 20 entries

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2025-01-14T21:04:01.281638+010020304911Malware Command and Control Activity Detected192.168.2.2344490119.8.27.10555650TCP
              2025-01-14T21:04:02.741468+010020304911Malware Command and Control Activity Detected192.168.2.2344492119.8.27.10555650TCP

              Joe Sandbox Signatures

              • AV Detection
              • Networking
              • System Summary
              • Persistence and Installation Behavior
              • Hooking and other Techniques for Hiding and Protection
              • Malware Analysis System Evasion
              • Stealing of Sensitive Information
              • Remote Access Functionality

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Source: spc.elfAvira: detected
              Source: spc.elfReversingLabs: Detection: 60%
              Source: spc.elfVirustotal: Detection: 59%Perma Link

              Networking

              barindex
              Source: Network trafficSuricata IDS: 2030491 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+) : 192.168.2.23:44490 -> 119.8.27.105:55650
              Source: Network trafficSuricata IDS: 2030491 - Severity 1 - ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+) : 192.168.2.23:44492 -> 119.8.27.105:55650
              Source: global trafficTCP traffic: 192.168.2.23:44490 -> 119.8.27.105:55650
              Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
              Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
              Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
              Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
              Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
              Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
              Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
              Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
              Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
              Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
              Source: global trafficDNS traffic detected: DNS query: killbaidu.top
              Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

              System Summary

              barindex
              Source: spc.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: 6259.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: 6257.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: 6263.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: 6270.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: 6255.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: Process Memory Space: spc.elf PID: 6255, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: Process Memory Space: spc.elf PID: 6257, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: Process Memory Space: spc.elf PID: 6259, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: Process Memory Space: spc.elf PID: 6263, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: Process Memory Space: spc.elf PID: 6270, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
              Source: ELF static info symbol of initial sample.symtab present: no
              Source: /tmp/spc.elf (PID: 6261)SIGKILL sent: pid: 6263, result: successfulJump to behavior
              Source: /tmp/spc.elf (PID: 6263)SIGKILL sent: pid: -6257, result: unknownJump to behavior
              Source: /tmp/spc.elf (PID: 6270)SIGKILL sent: pid: 1 (init), result: successfulJump to behavior
              Source: spc.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 6259.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 6257.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 6263.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 6270.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 6255.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: spc.elf PID: 6255, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: spc.elf PID: 6257, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: spc.elf PID: 6259, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: spc.elf PID: 6263, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: spc.elf PID: 6270, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: classification engineClassification label: mal100.troj.evad.linELF@0/0@2/0
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/88/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/89/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/230/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/110/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/231/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/111/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/232/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/112/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/233/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/113/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/234/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/114/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/235/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/115/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/236/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/116/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/237/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/117/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/91/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/118/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/92/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/119/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/93/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/94/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/95/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/96/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/97/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/10/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/98/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/11/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/99/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/12/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/13/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/14/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/15/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/16/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/17/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/18/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/120/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/121/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/1/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/122/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/243/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/2/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/123/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/124/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/3/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/125/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/4/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/126/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/127/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/6/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/248/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/128/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/249/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/9/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/20/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/21/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/22/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/23/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/24/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/25/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/26/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/27/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/28/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/29/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/250/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/130/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/251/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/252/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/132/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/253/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/254/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/255/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/256/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/257/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/258/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/259/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/30/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/35/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/141/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/144/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/157/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/201/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/202/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/203/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/204/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/205/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/206/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/207/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/208/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/209/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/210/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/211/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/212/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/213/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/214/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/215/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/216/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/217/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/218/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/219/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/77/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/78/cmdlineJump to behavior
              Source: /tmp/spc.elf (PID: 6259)File opened: /proc/79/cmdlineJump to behavior

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: /tmp/spc.elf (PID: 6255)File: /tmp/spc.elfJump to behavior
              Source: /tmp/spc.elf (PID: 6255)Queries kernel information via 'uname': Jump to behavior
              Source: spc.elf, 6255.1.000055efb43bb000.000055efb4440000.rw-.sdmp, spc.elf, 6257.1.000055efb43bb000.000055efb4420000.rw-.sdmp, spc.elf, 6259.1.000055efb43bb000.000055efb4420000.rw-.sdmp, spc.elf, 6263.1.000055efb43bb000.000055efb4420000.rw-.sdmp, spc.elf, 6270.1.000055efb43bb000.000055efb4420000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sparc
              Source: spc.elf, 6255.1.000055efb43bb000.000055efb4440000.rw-.sdmp, spc.elf, 6257.1.000055efb43bb000.000055efb4420000.rw-.sdmp, spc.elf, 6259.1.000055efb43bb000.000055efb4420000.rw-.sdmp, spc.elf, 6263.1.000055efb43bb000.000055efb4420000.rw-.sdmp, spc.elf, 6270.1.000055efb43bb000.000055efb4420000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/sparc
              Source: spc.elf, 6255.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6257.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6259.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6263.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6270.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sparc/tmp/spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/spc.elf
              Source: spc.elf, 6255.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6257.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6259.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6263.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmp, spc.elf, 6270.1.00007ffd1c3e2000.00007ffd1c403000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sparc

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: spc.elf, type: SAMPLE
              Source: Yara matchFile source: 6259.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6257.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6263.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6270.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6255.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6257, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6259, type: MEMORYSTR
              Source: Yara matchFile source: spc.elf, type: SAMPLE
              Source: Yara matchFile source: 6259.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6257.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6263.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6270.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6255.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6257, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6259, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6263, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)
              Source: TrafficSuricata IDS: ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)
              Source: Yara matchFile source: spc.elf, type: SAMPLE
              Source: Yara matchFile source: 6259.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6257.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6263.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6270.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6255.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6257, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6259, type: MEMORYSTR
              Source: Yara matchFile source: spc.elf, type: SAMPLE
              Source: Yara matchFile source: 6259.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6257.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6263.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6270.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: 6255.1.00007f6368011000.00007f6368020000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6257, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6259, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: spc.elf PID: 6263, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
              File Deletion              		1
              OS Credential Dumping              		11
              Security Software Discovery              		Remote ServicesData from Local System1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
              Non-Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture2
              Application Layer Protocol              		Traffic DuplicationData Destruction

              Malware Configuration

              No configs have been found

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Number of created Files
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591267 Sample: spc.elf Startdate: 14/01/2025 Architecture: LINUX Score: 100 25 killbaidu.top 119.8.27.105, 44490, 44492, 55650 THINKDREAM-AS-APThinkDreamTechnologyLimitedHK Singapore 2->25 27 109.202.202.202, 80 INIT7CH Switzerland 2->27 29 2 other IPs or domains 2->29 31 Suricata IDS alerts for network traffic 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 4 other signatures 2->37 10 spc.elf 2->10         started        signatures3 process4 signatures5 39 Sample deletes itself 10->39 13 spc.elf 10->13         started        process6 process7 15 spc.elf 13->15         started        17 spc.elf 13->17         started        process8 19 spc.elf 15->19         started        21 spc.elf 15->21         started        process9 23 spc.elf 19->23         started       

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              spc.elf61%ReversingLabsLinux.Trojan.Mirai
              spc.elf60%VirustotalBrowse
              spc.elf100%AviraEXP/ELF.Mirai.Z.A

              Dropped Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              No Antivirus matches

              Domains and IPs

              Download Network PCAP: filteredfull

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              killbaidu.top
              		119.8.27.105
              		truefalse
                		high

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                119.8.27.105
                		killbaidu.topSingapore
                		135026THINKDREAM-AS-APThinkDreamTechnologyLimitedHKfalse
                109.202.202.202
                		unknownSwitzerland
                		13030INIT7CHfalse
                91.189.91.43
                		unknownUnited Kingdom
                		41231CANONICAL-ASGBfalse
                91.189.91.42
                		unknownUnited Kingdom
                		41231CANONICAL-ASGBfalse

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                119.8.27.105m68k.elfGet hashmaliciousMirai, MoobotBrowse
                  x86.elfGet hashmaliciousMirai, MoobotBrowse
                    mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                      arm.elfGet hashmaliciousMirai, MoobotBrowse
                        109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                        • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                        91.189.91.43mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                          main.mpsl.elfGet hashmaliciousMiraiBrowse
                            main.m68k.elfGet hashmaliciousMiraiBrowse
                              bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                bot.x86_64.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                  na.elfGet hashmaliciousPrometeiBrowse
                                    na.elfGet hashmaliciousPrometeiBrowse
                                      bin.elfGet hashmaliciousUnknownBrowse
                                        na.elfGet hashmaliciousPrometeiBrowse
                                          na.elfGet hashmaliciousPrometeiBrowse
                                            91.189.91.42mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                              main.mpsl.elfGet hashmaliciousMiraiBrowse
                                                main.m68k.elfGet hashmaliciousMiraiBrowse
                                                  bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                    bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                      bot.x86_64.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                            bin.elfGet hashmaliciousUnknownBrowse
                                                              na.elfGet hashmaliciousPrometeiBrowse

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                killbaidu.topm68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                arm.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105

                                                                ASNs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                CANONICAL-ASGBm68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 185.125.190.26
                                                                mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 91.189.91.42
                                                                main.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                main.m68k.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 91.189.91.42
                                                                bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                                • 91.189.91.42
                                                                bot.ppc.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 185.125.190.26
                                                                bot.m68k.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 185.125.190.26
                                                                bot.x86_64.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                CANONICAL-ASGBm68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 185.125.190.26
                                                                mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 91.189.91.42
                                                                main.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                main.m68k.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 91.189.91.42
                                                                bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                                • 91.189.91.42
                                                                bot.ppc.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 185.125.190.26
                                                                bot.m68k.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 185.125.190.26
                                                                bot.x86_64.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                THINKDREAM-AS-APThinkDreamTechnologyLimitedHKm68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                x86.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                arm.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 119.8.27.105
                                                                ppc.elfGet hashmaliciousMiraiBrowse
                                                                • 103.206.123.198
                                                                LisectAVT_2403002B_47.exeGet hashmaliciousUnknownBrowse
                                                                • 156.254.126.18
                                                                LisectAVT_2403002B_47.exeGet hashmaliciousUnknownBrowse
                                                                • 156.254.126.18
                                                                4qOdQ3lrYx.elfGet hashmaliciousMiraiBrowse
                                                                • 119.8.28.218
                                                                jhpg1LVUrZ.elfGet hashmaliciousMiraiBrowse
                                                                • 119.8.28.202
                                                                https://link.mail.beehiiv.com/ls/click?upn=u001.AafWW5Nqnbo2z-2BTA50bGEdcgdlKW6veoHg9i0lfVykqgG210mMbY9x6wlCJFem63Ptvb1AhwNnKu2bFWir67u4CZi9kAG27a28kN3PuYedxeUyKmOac6ITo-2BRFaF-2Bd-2Fi2Ixv82DfFvf02BiAI4hE-2B33SFQFo6ls2LdouLvYQ4evOtL64w0kovPYLtYVrx27PXV8C_Brrq8-2Fl00XKb7EalRYiEGmX6heUjj2STeswY-2BsiIt8od5e7wnskh4Flyd2gRfoUQMNxCsUTDSaFM8zPDLSGDGP82i7-2F2T8vItuV5dWHeXDAA5lbmJvOIRHwwHLaZqkTAe-2FUo72xufSnVCNP9jOcjTziRyEgpuuJQJiZBB3fK9Jfw-2BwXqmN7-2Bgu5oQ-2B1xbFghH62g1lHFS1Y4CHHJPc0auTlLsB05ygQ-2FI-2F7sxR9u8jR91M7H-2BbzqUKzs-2BT3ZKLeFEIL3152abEbru7Xm-2FQccrWU8wpYyuMKn02Tn-2B2EMXTmjNNbbalm-2BJ6GnnTdkYphMczl4vx3aqH514BnG-2FxWL6zJOg9p0nIer2lira82L8b5vTqtEzMFFrshInaCk-2FIKuK7IqIBd82nujTq2sahPgOcOQZPE1-2F-2BLJyD2o7TtDkzFXunFRnYrxODO7DLzvTUoA#SZ2JyYWRsZXlAdmNjdW9ubGluZS5uZXQ=&d=DwMFaQGet hashmaliciousHTMLPhisherBrowse
                                                                • 156.227.6.70
                                                                INIT7CHmpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 109.202.202.202
                                                                main.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 109.202.202.202
                                                                main.m68k.elfGet hashmaliciousMiraiBrowse
                                                                • 109.202.202.202
                                                                bot.mpsl.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 109.202.202.202
                                                                bot.arm6.elfGet hashmaliciousMirai, OkiruBrowse
                                                                • 109.202.202.202
                                                                bot.x86_64.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                bin.elfGet hashmaliciousUnknownBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                No created / dropped files found

                                                                Static File Info

                                                                General

                                                                File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
                                                                Entropy (8bit):6.155666363159286
                                                                TrID:
                                                                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                                File name:spc.elf
                                                                File size:59'864 bytes
                                                                MD5:a92e1869bd5d0716e30ea16df527e287
                                                                SHA1:b1a28aa07b3cf572a0b0eb83cf3075808dbc586a
                                                                SHA256:3efd6c4bed8ba71ec37ebf9a2f779589cd2168eb81b1f3fe0eff921b3af76f89
                                                                SHA512:6e5cdec04ca2785a7061da309c4eff02ab923ff9bc40b9786992982b8b405a7aa1a35f02e9f369136881860df985b0cd8b86cda8647339c41a462ec1de5129ee
                                                                SSDEEP:1536:fvf20dYmgHg1We/mrYF6RQW+75MUtydN2A:f20KKG+VM1N2A
                                                                TLSH:93433A31BA760E27C0D1A8B661E74B25B6F543DE26E8CA0B3DB10D9EBF715406503AF4
                                                                File Content Preview:.ELF...........................4...H.....4. ...(.......................................................l..%L........dt.Q................................@..(....@.2:................#.....`...`.....!..... ...@.....".........`......$ ... ...@...........`....

                                                                Static ELF Info

                                                                ELF header

                                                                Class:ELF32
                                                                Data:2's complement, big endian
                                                                Version:1 (current)
                                                                Machine:Sparc
                                                                Version Number:0x1
                                                                Type:EXEC (Executable file)
                                                                OS/ABI:UNIX - System V
                                                                ABI Version:0
                                                                Entry Point Address:0x101a4
                                                                Flags:0x0
                                                                ELF Header Size:52
                                                                Program Header Offset:52
                                                                Program Header Size:32
                                                                Number of Program Headers:3
                                                                Section Header Offset:59464
                                                                Section Header Size:40
                                                                Number of Section Headers:10
                                                                Header String Table Index:9

                                                                Sections

                                                                NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                                                NULL0x00x00x00x00x0000
                                                                .initPROGBITS0x100940x940x1c0x00x6AX004
                                                                .textPROGBITS0x100b00xb00xc9200x00x6AX004
                                                                .finiPROGBITS0x1c9d00xc9d00x140x00x6AX004
                                                                .rodataPROGBITS0x1c9e80xc9e80x1ab00x00x2A008
                                                                .ctorsPROGBITS0x2e49c0xe49c0x80x00x3WA004
                                                                .dtorsPROGBITS0x2e4a40xe4a40x80x00x3WA004
                                                                .dataPROGBITS0x2e4b00xe4b00x3580x00x3WA008
                                                                .bssNOBITS0x2e8080xe8080x21e00x00x3WA008
                                                                .shstrtabSTRTAB0x00xe8080x3e0x00x0001

                                                                Program Segments

                                                                TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                                LOAD0x00x100000x100000xe4980xe4986.19700x5R E0x10000.init .text .fini .rodata
                                                                LOAD0xe49c0x2e49c0x2e49c0x36c0x254c2.65850x6RW 0x10000.ctors .dtors .data .bss
                                                                GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                                                                Network Behavior

                                                                Download Network PCAP: filteredfull

                                                                Suricata IDS Alerts

                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                2025-01-14T21:04:01.281638+01002030491ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)1192.168.2.2344490119.8.27.10555650TCP
                                                                2025-01-14T21:04:02.741468+01002030491ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)1192.168.2.2344492119.8.27.10555650TCP

                                                                Network Port Distribution

                                                                • Total Packets: 22
                                                                • 55650 undefined
                                                                • 443 (HTTPS)
                                                                • 80 (HTTP)
                                                                • 53 (DNS)
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 14, 2025 21:03:58.429776907 CET43928443192.168.2.2391.189.91.42
                                                                Jan 14, 2025 21:04:00.217506886 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:01.245306969 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:01.274504900 CET5565044490119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:01.274540901 CET5565044490119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:01.274569988 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:01.274569988 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:01.281637907 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:01.289669991 CET5565044490119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:02.081458092 CET5565044490119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:02.081542969 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:02.081585884 CET5565044490119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:02.085131884 CET4449055650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:02.089924097 CET5565044490119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:02.732944965 CET4449255650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:02.737847090 CET5565044492119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:02.738096952 CET4449255650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:02.741467953 CET4449255650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:02.746306896 CET5565044492119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:03.544066906 CET5565044492119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:03.544131994 CET4449255650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:03.544226885 CET5565044492119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:03.546884060 CET4449255650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:03.549303055 CET4449255650192.168.2.23119.8.27.105
                                                                Jan 14, 2025 21:04:03.553019047 CET5565044492119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:03.555174112 CET5565044492119.8.27.105192.168.2.23
                                                                Jan 14, 2025 21:04:03.804946899 CET42836443192.168.2.2391.189.91.43
                                                                Jan 14, 2025 21:04:05.084788084 CET4251680192.168.2.23109.202.202.202
                                                                Jan 14, 2025 21:04:18.650950909 CET43928443192.168.2.2391.189.91.42
                                                                Jan 14, 2025 21:04:30.937235117 CET42836443192.168.2.2391.189.91.43
                                                                Jan 14, 2025 21:04:35.032668114 CET4251680192.168.2.23109.202.202.202
                                                                Jan 14, 2025 21:04:59.605297089 CET43928443192.168.2.2391.189.91.42
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 14, 2025 21:04:00.200186014 CET3643753192.168.2.238.8.8.8
                                                                Jan 14, 2025 21:04:00.207252979 CET53364378.8.8.8192.168.2.23
                                                                Jan 14, 2025 21:04:02.722695112 CET3693453192.168.2.238.8.8.8
                                                                Jan 14, 2025 21:04:02.729762077 CET53369348.8.8.8192.168.2.23

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Jan 14, 2025 21:04:00.200186014 CET192.168.2.238.8.8.80xabb0Standard query (0)killbaidu.topA (IP address)IN (0x0001)false
                                                                Jan 14, 2025 21:04:02.722695112 CET192.168.2.238.8.8.80xabb0Standard query (0)killbaidu.topA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Jan 14, 2025 21:04:00.207252979 CET8.8.8.8192.168.2.230xabb0No error (0)killbaidu.top119.8.27.105A (IP address)IN (0x0001)false
                                                                Jan 14, 2025 21:04:02.729762077 CET8.8.8.8192.168.2.230xabb0No error (0)killbaidu.top119.8.27.105A (IP address)IN (0x0001)false

                                                                System Behavior

                                                                General

                                                                Start time (UTC):20:03:58
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:/tmp/spc.elf
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                File Activities

                                                                Process Activities

                                                                System Activities

                                                                Network Activities


                                                                General

                                                                Start time (UTC):20:03:58
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:-
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                Process Activities


                                                                General

                                                                Start time (UTC):20:03:58
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:-
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                File Activities

                                                                Process Activities


                                                                General

                                                                Start time (UTC):20:03:58
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:-
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                Process Activities


                                                                General

                                                                Start time (UTC):20:03:58
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:-
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                Process Activities

                                                                Network Activities


                                                                General

                                                                Start time (UTC):20:04:01
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:-
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                Process Activities


                                                                General

                                                                Start time (UTC):20:04:01
                                                                Start date (UTC):14/01/2025
                                                                Path:/tmp/spc.elf
                                                                Arguments:-
                                                                File size:4379400 bytes
                                                                MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                                                                Process Activities

                                                                Network Activities