Edit tour

Linux Analysis Report
boatnet.ppc.elf

Overview

General Information

Sample name:boatnet.ppc.elf
Analysis ID:1617544
MD5:77849bc051d328ff1196fcc392bf5281
SHA1:6e9e6e591cc5c90e203a0cd62718db6d06d0abe0
SHA256:8e22d1223680ae8b0de54121512f11a2023b85336894624380a9282b766a49b6
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:80
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1617544
Start date and time:2025-02-18 01:22:19 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:boatnet.ppc.elf
Detection:MAL
Classification:mal80.spre.troj.evad.linELF@0/0@2/0
Command:/tmp/boatnet.ppc.elf
PID:5435
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • wrapper-2.0 (PID: 5448, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
  • wrapper-2.0 (PID: 5449, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
  • wrapper-2.0 (PID: 5450, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
  • wrapper-2.0 (PID: 5451, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
    • xfpm-power-backlight-helper (PID: 5472, Parent: 5451, MD5: 3d221ad23f28ca3259f599b1664e2427) Arguments: /usr/sbin/xfpm-power-backlight-helper --get-max-brightness
  • wrapper-2.0 (PID: 5452, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
  • wrapper-2.0 (PID: 5453, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
  • xfconfd (PID: 5471, Parent: 5470, MD5: 4c7a0d6d258bb970905b19b84abcd8e9) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  • systemd New Fork (PID: 5481, Parent: 2935)
  • xfce4-notifyd (PID: 5481, Parent: 2935, MD5: eee956f1b227c1d5031f9c61223255d1) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
5435.1.00007fed5c007000.00007fed5c00d000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x5a54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5aa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ab8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5acc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ae0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5af4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ba8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5bbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5bd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5be4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5435.1.00007fed5c007000.00007fed5c00d000.r-x.sdmpLinux_Trojan_Gafgyt_ea92cca8unknownunknown
  • 0x5fac:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5442.1.00007fed5c007000.00007fed5c00d000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x5a54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5aa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ab8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5acc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ae0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5af4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ba8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5bbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5bd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5be4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5442.1.00007fed5c007000.00007fed5c00d000.r-x.sdmpLinux_Trojan_Gafgyt_ea92cca8unknownunknown
  • 0x5fac:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5439.1.00007fed5c007000.00007fed5c00d000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
  • 0x5a54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5aa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ab8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5acc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ae0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5af4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5ba8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5bbc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5bd0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5be4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 10 entries
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: boatnet.ppc.elfAvira: detected
Source: boatnet.ppc.elfVirustotal: Detection: 52%Perma Link
Source: boatnet.ppc.elfReversingLabs: Detection: 54%
Source: global trafficTCP traffic: 192.168.2.13:44880 -> 196.251.87.222:3778
Source: global trafficTCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.87.222
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknownTCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: boatnet.ppc.elfString found in binary or memory: http://upx.sf.net
Source: unknownNetwork traffic detected: HTTP traffic on port 48202 -> 443

System Summary

barindex
Source: 5435.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5435.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5442.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5442.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5439.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5439.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: boatnet.ppc.elf PID: 5435, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: boatnet.ppc.elf PID: 5435, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: boatnet.ppc.elf PID: 5439, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: boatnet.ppc.elf PID: 5439, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: boatnet.ppc.elf PID: 5442, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: boatnet.ppc.elf PID: 5442, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3104, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3161, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3162, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3163, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3164, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3165, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3170, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3182, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3208, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3212, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5442, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5448, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5449, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5450, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5451, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5452, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5453, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5471, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5481, result: successfulJump to behavior
Source: LOAD without section mappingsProgram segment: 0x100000
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3104, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3161, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3162, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3163, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3164, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3165, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3170, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3182, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3208, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 3212, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5442, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5448, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5449, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5450, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5451, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5452, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5453, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5471, result: successfulJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)SIGKILL sent: pid: 5481, result: successfulJump to behavior
Source: 5435.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5435.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5442.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5442.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5439.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5439.1.00007fed5c007000.00007fed5c00d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: boatnet.ppc.elf PID: 5435, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: boatnet.ppc.elf PID: 5435, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: boatnet.ppc.elf PID: 5439, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: boatnet.ppc.elf PID: 5439, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: boatnet.ppc.elf PID: 5442, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: boatnet.ppc.elf PID: 5442, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engineClassification label: mal80.spre.troj.evad.linELF@0/0@2/0

Data Obfuscation

barindex
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5448)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5449)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5450)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5451)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/share/fonts/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/local/share/fonts/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /home/saturnino/.local/share/fonts/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /home/saturnino/.fonts/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/share/fonts/X11/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/share/fonts/cMap/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/share/fonts/cmap/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/share/fonts/opentype/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /usr/share/fonts/truetype/.uuidJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /home/saturnino/.cacheJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /home/saturnino/.localJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Directory: /home/saturnino/.configJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5453)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5471)Directory: /home/saturnino/.cacheJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5471)Directory: /home/saturnino/.localJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5471)Directory: /home/saturnino/.configJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5471)Directory: /home/saturnino/.configJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5481)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5481)Directory: /home/saturnino/.cacheJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5481)Directory: /home/saturnino/.localJump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5481)Directory: /home/saturnino/.configJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5384/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5420/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5422/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3122/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3117/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3114/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/914/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/518/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/519/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/917/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5279/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3134/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3375/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3132/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3095/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1745/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1866/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1588/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/884/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1982/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/765/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3246/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/767/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/800/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1906/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/802/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/803/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1748/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3767/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5442/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3420/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1482/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/490/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1480/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1755/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1238/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1875/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/2964/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3413/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1751/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1872/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/2961/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1475/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/656/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/778/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/657/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/658/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/659/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/418/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/936/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/419/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/816/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1879/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5450/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5451/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5452/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3671/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5453/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5575/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5576/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1891/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3310/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3153/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/780/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/660/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1921/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/783/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1765/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/2974/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1400/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1884/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3424/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/2972/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3147/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/2970/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1881/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3146/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3300/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1805/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5448/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1925/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1804/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/5449/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1648/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1922/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3429/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3442/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3165/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3164/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3163/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3162/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/790/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3161/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/792/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/793/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/672/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1930/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/795/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/674/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/3315/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1411/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/2984/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/1410/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/797/cmdlineJump to behavior
Source: /tmp/boatnet.ppc.elf (PID: 5438)File opened: /proc/676/cmdlineJump to behavior
Source: boatnet.ppc.elfSubmission file: segment LOAD with 7.9091 entropy (max. 8.0)
Source: /tmp/boatnet.ppc.elf (PID: 5435)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5448)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5449)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5450)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5451)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5452)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5453)Queries kernel information via 'uname': Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5481)Queries kernel information via 'uname': Jump to behavior
Source: boatnet.ppc.elf, 5435.1.000055e83e09b000.000055e83e14b000.rw-.sdmp, boatnet.ppc.elf, 5442.1.000055e83e09b000.000055e83e14b000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: boatnet.ppc.elf, 5439.1.000055e83e09b000.000055e83e14b000.rw-.sdmpBinary or memory string: !/etc/qemu-binfmt/ppc1
Source: boatnet.ppc.elf, 5435.1.00007ffd1efb8000.00007ffd1efd9000.rw-.sdmp, boatnet.ppc.elf, 5439.1.00007ffd1efb8000.00007ffd1efd9000.rw-.sdmp, boatnet.ppc.elf, 5442.1.00007ffd1efb8000.00007ffd1efd9000.rw-.sdmpBinary or memory string: Kx86_64/usr/bin/qemu-ppc/tmp/boatnet.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/boatnet.ppc.elf
Source: boatnet.ppc.elf, 5435.1.000055e83e09b000.000055e83e14b000.rw-.sdmp, boatnet.ppc.elf, 5439.1.000055e83e09b000.000055e83e14b000.rw-.sdmp, boatnet.ppc.elf, 5442.1.000055e83e09b000.000055e83e14b000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/ppc
Source: boatnet.ppc.elf, 5435.1.00007ffd1efb8000.00007ffd1efd9000.rw-.sdmp, boatnet.ppc.elf, 5439.1.00007ffd1efb8000.00007ffd1efd9000.rw-.sdmp, boatnet.ppc.elf, 5442.1.00007ffd1efb8000.00007ffd1efd9000.rw-.sdmpBinary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

barindex
Source: Yara matchFile source: Process Memory Space: boatnet.ppc.elf PID: 5435, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: boatnet.ppc.elf PID: 5439, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: boatnet.ppc.elf PID: 5442, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara matchFile source: Process Memory Space: boatnet.ppc.elf PID: 5435, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: boatnet.ppc.elf PID: 5439, type: MEMORYSTR
Source: Yara matchFile source: Process Memory Space: boatnet.ppc.elf PID: 5442, type: MEMORYSTR
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Hidden Files and Directories
1
OS Credential Dumping
11
Security Software Discovery
Remote ServicesData from Local System1
Encrypted Channel
Exfiltration Over Other Network Medium1
Service Stop
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts11
Obfuscated Files or Information
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Standard Port
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture2
Application Layer Protocol
Traffic DuplicationData Destruction
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617544 Sample: boatnet.ppc.elf Startdate: 18/02/2025 Architecture: LINUX Score: 80 24 196.251.87.222, 3778, 44880, 44882 SONIC-WirelessZA Seychelles 2->24 26 185.125.190.26, 443 CANONICAL-ASGB United Kingdom 2->26 28 daisy.ubuntu.com 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 2 other signatures 2->36 7 boatnet.ppc.elf 2->7         started        9 xfce4-panel wrapper-2.0 2->9         started        11 xfce4-panel wrapper-2.0 2->11         started        13 6 other processes 2->13 signatures3 process4 process5 15 boatnet.ppc.elf 7->15         started        18 boatnet.ppc.elf 7->18         started        20 boatnet.ppc.elf 7->20         started        22 wrapper-2.0 xfpm-power-backlight-helper 9->22         started        signatures6 38 Sample tries to kill multiple processes (SIGKILL) 15->38

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
boatnet.ppc.elf52%VirustotalBrowse
boatnet.ppc.elf54%ReversingLabsLinux.Trojan.Mirai
boatnet.ppc.elf100%AviraEXP/ELF.Agent.F.118
No Antivirus matches
No Antivirus matches
No Antivirus matches

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    high
    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.netboatnet.ppc.elffalse
      high
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IPDomainCountryFlagASNASN NameMalicious
      185.125.190.26
      unknownUnited Kingdom
      41231CANONICAL-ASGBfalse
      196.251.87.222
      unknownSeychelles
      37417SONIC-WirelessZAfalse
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      185.125.190.26boatnet.arm.elfGet hashmaliciousMiraiBrowse
        x86_64.elfGet hashmaliciousMirai, MoobotBrowse
          sh4.elfGet hashmaliciousUnknownBrowse
            kre4per.mpsl.elfGet hashmaliciousUnknownBrowse
              kre4per.x86.elfGet hashmaliciousUnknownBrowse
                kre4per.arm7.elfGet hashmaliciousMiraiBrowse
                  sh4.elfGet hashmaliciousUnknownBrowse
                    na.elfGet hashmaliciousPrometeiBrowse
                      a-r.m-4.Sakura.elfGet hashmaliciousGafgyt, MiraiBrowse
                        m-6.8-k.Sakura.elfGet hashmaliciousGafgyt, MiraiBrowse
                          196.251.87.222boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            daisy.ubuntu.comboatnet.arm.elfGet hashmaliciousMiraiBrowse
                            • 162.213.35.24
                            na.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.24
                            arm5.elfGet hashmaliciousUnknownBrowse
                            • 162.213.35.25
                            arm6.elfGet hashmaliciousMirai, MoobotBrowse
                            • 162.213.35.24
                            cron.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.25
                            sh.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.24
                            pftp.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.25
                            tftp.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.24
                            sshd.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.24
                            bash.elfGet hashmaliciousGafgyt, MiraiBrowse
                            • 162.213.35.25
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            SONIC-WirelessZAboatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                            • 196.251.87.222
                            Fantazy.x86.elfGet hashmaliciousUnknownBrowse
                            • 196.251.2.123
                            splmips.elfGet hashmaliciousUnknownBrowse
                            • 102.22.112.65
                            MYb7GhRJl7.elfGet hashmaliciousMiraiBrowse
                            • 196.251.2.115
                            EcISazR4j2.elfGet hashmaliciousMiraiBrowse
                            • 196.251.2.128
                            b3astmode.x86.elfGet hashmaliciousMiraiBrowse
                            • 196.251.2.126
                            ohqt5Srs7g.elfGet hashmaliciousUnknownBrowse
                            • 196.251.15.240
                            YTigeZAH1MGet hashmaliciousMiraiBrowse
                            • 196.251.2.112
                            Eof8149eFZGet hashmaliciousMiraiBrowse
                            • 196.251.61.39
                            cbr.x86Get hashmaliciousMiraiBrowse
                            • 196.251.2.128
                            CANONICAL-ASGBna.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                            • 91.189.91.42
                            boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                            • 91.189.91.42
                            na.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            .i.elfGet hashmaliciousUnknownBrowse
                            • 91.189.91.42
                            na.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            na.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            na.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            na.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            na.elfGet hashmaliciousPrometeiBrowse
                            • 91.189.91.42
                            No context
                            No context
                            No created / dropped files found
                            File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header
                            Entropy (8bit):7.904652202323118
                            TrID:
                            • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                            • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                            File name:boatnet.ppc.elf
                            File size:21'884 bytes
                            MD5:77849bc051d328ff1196fcc392bf5281
                            SHA1:6e9e6e591cc5c90e203a0cd62718db6d06d0abe0
                            SHA256:8e22d1223680ae8b0de54121512f11a2023b85336894624380a9282b766a49b6
                            SHA512:a570b835adee10b324ff2f436cbcb2d8e59b19f4cac00800ea4a90add4358c98b26dff5c20920a7870d7bcda4ac7a9ae2f38cc266749e68ea702e64103d5ddd1
                            SSDEEP:384:m/JywWc84Tp2YshxqlDeAkSqjGJLeCE5zRW6C5XXBFCiM4uVcqgw05VxJV:mRxsSVsMD6xiJJE5zRWNtXHK4uVcqgwW
                            TLSH:45A2D029D345AEF4DFAF9C909782C2C276B587C62786C8E240EEAF012517046B789D59
                            File Content Preview:.ELF......................B....4.........4. ...(......................Tx..Tx...............D...D...D................dt.Q................................UPX!...........\...\.......R.......?.E.h4...@b............./.}....D*aN.........t.w..X.^6>....d........+

                            ELF header

                            Class:ELF32
                            Data:2's complement, big endian
                            Version:1 (current)
                            Machine:PowerPC
                            Version Number:0x1
                            Type:EXEC (Executable file)
                            OS/ABI:UNIX - Linux
                            ABI Version:0
                            Entry Point Address:0x104290
                            Flags:0x0
                            ELF Header Size:52
                            Program Header Offset:52
                            Program Header Size:32
                            Number of Program Headers:3
                            Section Header Offset:0
                            Section Header Size:40
                            Number of Section Headers:0
                            Header String Table Index:0
                            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                            LOAD0x00x1000000x1000000x54780x54787.90910x5R E0x10000
                            LOAD0xd5440x1001d5440x1001d5440x00x00.00000x6RW 0x10000
                            GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                            Download Network PCAP: filteredfull

                            • Total Packets: 52
                            • 3778 undefined
                            • 443 (HTTPS)
                            • 53 (DNS)
                            TimestampSource PortDest PortSource IPDest IP
                            Feb 18, 2025 01:23:05.520503998 CET448803778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:05.526581049 CET377844880196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:05.526662111 CET448803778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:05.543497086 CET448803778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:05.548320055 CET377844880196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:05.548367977 CET448803778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:05.554833889 CET377844880196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.235245943 CET377844880196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.235769987 CET448803778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.235769987 CET448803778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.236493111 CET448823778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.242053986 CET377844882196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.242158890 CET448823778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.243356943 CET448823778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.248886108 CET377844882196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.248944044 CET448823778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.254350901 CET377844882196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.944839954 CET377844882196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.945099115 CET448823778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.945099115 CET448823778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.945940018 CET448843778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.951858997 CET377844884196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.951968908 CET448843778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.952754974 CET448843778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.959076881 CET377844884196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:06.959142923 CET448843778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:06.965729952 CET377844884196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:07.668359995 CET377844884196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:07.668665886 CET448843778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:07.668665886 CET448843778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:07.669331074 CET448863778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:07.674201965 CET377844886196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:07.674391985 CET448863778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:07.675257921 CET448863778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:07.680038929 CET377844886196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:07.680139065 CET448863778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:07.684950113 CET377844886196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:08.362572908 CET377844886196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:08.362696886 CET448863778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:08.362735033 CET448863778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:08.363501072 CET448883778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:08.368410110 CET377844888196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:08.368484020 CET448883778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:08.369287014 CET448883778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:08.374090910 CET377844888196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:08.374146938 CET448883778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:08.378930092 CET377844888196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.054315090 CET377844888196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.054476023 CET448883778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.054537058 CET448883778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.055278063 CET448903778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.060075045 CET377844890196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.060149908 CET448903778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.060962915 CET448903778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.065757990 CET377844890196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.065834999 CET448903778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.070600033 CET377844890196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.759646893 CET377844890196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.759815931 CET448903778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.759872913 CET448903778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.760624886 CET448923778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.765445948 CET377844892196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.765505075 CET448923778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.767178059 CET448923778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.771962881 CET377844892196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:09.772078991 CET448923778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:09.776868105 CET377844892196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:10.458206892 CET377844892196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:10.458441973 CET448923778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:10.458441973 CET448923778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:10.459275961 CET448943778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:10.464118004 CET377844894196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:10.464222908 CET448943778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:10.465230942 CET448943778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:10.470010996 CET377844894196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:10.470050097 CET448943778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:10.474873066 CET377844894196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:11.019849062 CET448943778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:11.025007963 CET377844894196.251.87.222192.168.2.13
                            Feb 18, 2025 01:23:11.025067091 CET448943778192.168.2.13196.251.87.222
                            Feb 18, 2025 01:23:15.571436882 CET48202443192.168.2.13185.125.190.26
                            Feb 18, 2025 01:23:46.547698975 CET48202443192.168.2.13185.125.190.26
                            TimestampSource PortDest PortSource IPDest IP
                            Feb 18, 2025 01:25:50.449100971 CET5697053192.168.2.138.8.8.8
                            Feb 18, 2025 01:25:50.449193001 CET5935353192.168.2.138.8.8.8
                            Feb 18, 2025 01:25:50.455518961 CET53593538.8.8.8192.168.2.13
                            Feb 18, 2025 01:25:50.456091881 CET53569708.8.8.8192.168.2.13
                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                            Feb 18, 2025 01:25:50.449100971 CET192.168.2.138.8.8.80x2846Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                            Feb 18, 2025 01:25:50.449193001 CET192.168.2.138.8.8.80xacf9Standard query (0)daisy.ubuntu.com28IN (0x0001)false
                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Feb 18, 2025 01:25:50.456091881 CET8.8.8.8192.168.2.130x2846No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                            Feb 18, 2025 01:25:50.456091881 CET8.8.8.8192.168.2.130x2846No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                            System Behavior

                            Start time (UTC):00:23:04
                            Start date (UTC):18/02/2025
                            Path:/tmp/boatnet.ppc.elf
                            Arguments:/tmp/boatnet.ppc.elf
                            File size:5388968 bytes
                            MD5 hash:ae65271c943d3451b7f026d1fadccea6

                            Start time (UTC):00:23:04
                            Start date (UTC):18/02/2025
                            Path:/tmp/boatnet.ppc.elf
                            Arguments:-
                            File size:5388968 bytes
                            MD5 hash:ae65271c943d3451b7f026d1fadccea6

                            Start time (UTC):00:23:04
                            Start date (UTC):18/02/2025
                            Path:/tmp/boatnet.ppc.elf
                            Arguments:-
                            File size:5388968 bytes
                            MD5 hash:ae65271c943d3451b7f026d1fadccea6

                            Start time (UTC):00:23:04
                            Start date (UTC):18/02/2025
                            Path:/tmp/boatnet.ppc.elf
                            Arguments:-
                            File size:5388968 bytes
                            MD5 hash:ae65271c943d3451b7f026d1fadccea6

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/xfce4-panel
                            Arguments:-
                            File size:375768 bytes
                            MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/xfce4-panel
                            Arguments:-
                            File size:375768 bytes
                            MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/xfce4-panel
                            Arguments:-
                            File size:375768 bytes
                            MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/xfce4-panel
                            Arguments:-
                            File size:375768 bytes
                            MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:18
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:-
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:18
                            Start date (UTC):18/02/2025
                            Path:/usr/sbin/xfpm-power-backlight-helper
                            Arguments:/usr/sbin/xfpm-power-backlight-helper --get-max-brightness
                            File size:14656 bytes
                            MD5 hash:3d221ad23f28ca3259f599b1664e2427

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/xfce4-panel
                            Arguments:-
                            File size:375768 bytes
                            MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/xfce4-panel
                            Arguments:-
                            File size:375768 bytes
                            MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                            Start time (UTC):00:23:10
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
                            File size:35136 bytes
                            MD5 hash:ac0b8a906f359a8ae102244738682e76

                            Start time (UTC):00:23:17
                            Start date (UTC):18/02/2025
                            Path:/usr/bin/dbus-daemon
                            Arguments:-
                            File size:249032 bytes
                            MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                            Start time (UTC):00:23:17
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                            File size:112880 bytes
                            MD5 hash:4c7a0d6d258bb970905b19b84abcd8e9

                            Start time (UTC):00:23:22
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/systemd/systemd
                            Arguments:-
                            File size:1620224 bytes
                            MD5 hash:9b2bec7092a40488108543f9334aab75

                            Start time (UTC):00:23:22
                            Start date (UTC):18/02/2025
                            Path:/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
                            Arguments:/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
                            File size:112872 bytes
                            MD5 hash:eee956f1b227c1d5031f9c61223255d1