Edit tour

Linux Analysis Report
boatnet.x86.elf

Overview

General Information

Sample name:boatnet.x86.elf
Analysis ID:1617624
MD5:e77d89e82c4a1ae4107fca98b6843e32
SHA1:e377753c40e14f03a510ec600dc18b5ec91dc5b1
SHA256:d6d0b77b182118e5bef12d8cec462757670159046e1de013d3f38c8ee8001986
Tags:elfuser-abuse_ch
Infos:

Detection

Mirai
Score:72
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1617624
Start date and time:2025-02-18 05:37:13 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 59s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:boatnet.x86.elf
Detection:MAL
Classification:mal72.spre.troj.evad.linELF@0/0@0/0
Command:/tmp/boatnet.x86.elf
PID:6233
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • wrapper-2.0 (PID: 6240, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
  • wrapper-2.0 (PID: 6241, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
  • wrapper-2.0 (PID: 6242, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
  • wrapper-2.0 (PID: 6243, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
  • wrapper-2.0 (PID: 6244, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
  • wrapper-2.0 (PID: 6245, Parent: 2063, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
SourceRuleDescriptionAuthorStrings
6236.1.0000000008048000.0000000008054000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
    6236.1.0000000008048000.0000000008054000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
    • 0xa820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa85c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa870:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa884:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa898:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa8ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa8c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa8d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa8e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa8fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa910:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa924:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa938:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa94c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa960:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa974:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa988:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa99c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0xa9b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    6236.1.0000000008048000.0000000008054000.r-x.sdmpLinux_Trojan_Gafgyt_ea92cca8unknownunknown
    • 0xad78:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
    6236.1.0000000008048000.0000000008054000.r-x.sdmpLinux_Trojan_Mirai_b14f4c5dunknownunknown
    • 0x5990:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
    6236.1.0000000008048000.0000000008054000.r-x.sdmpLinux_Trojan_Mirai_88de437funknownunknown
    • 0x7d02:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
    Click to see the 22 entries
    No Suricata rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: boatnet.x86.elfReversingLabs: Detection: 54%
    Source: global trafficTCP traffic: 192.168.2.23:56170 -> 5.83.218.12:3778
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: unknownTCP traffic detected without corresponding DNS query: 5.83.218.12
    Source: boatnet.x86.elfString found in binary or memory: http://upx.sf.net
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

    System Summary

    barindex
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2018, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2077, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2078, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2079, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2080, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2083, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2084, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2114, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2156, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6236, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6240, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6241, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6242, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6243, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6244, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6245, result: successfulJump to behavior
    Source: LOAD without section mappingsProgram segment: 0xc01000
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2018, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2077, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2078, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2079, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2080, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2083, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2084, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2114, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 2156, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6236, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6240, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6241, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6242, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6243, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6244, result: successfulJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)SIGKILL sent: pid: 6245, result: successfulJump to behavior
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
    Source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
    Source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
    Source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
    Source: classification engineClassification label: mal72.spre.troj.evad.linELF@0/0@0/0

    Data Obfuscation

    barindex
    Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6236/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1582/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2033/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2275/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/3088/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6191/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6194/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1612/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1579/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1699/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1335/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1698/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2028/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1334/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1576/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2302/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/3236/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2025/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2146/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/910/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/4444/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/4445/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/912/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/4446/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/517/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/759/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2307/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/918/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6241/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6240/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6243/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6242/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6245/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6244/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1594/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2285/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2281/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1349/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1623/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/761/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1622/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/884/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1983/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2038/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1344/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1465/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1586/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1463/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2156/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/800/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/801/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1629/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1627/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1900/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/3021/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/491/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2294/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2050/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1877/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/772/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1633/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1599/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1632/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/774/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1477/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/654/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/896/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1476/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1872/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2048/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/655/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1475/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2289/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/656/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/777/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/657/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/658/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/419/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/936/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1639/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1638/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/4505/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2208/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2180/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/6269/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1809/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1494/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1890/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2063/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2062/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1888/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1886/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/420/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1489/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/785/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1642/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/788/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/667/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/789/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/4477/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/1648/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2078/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2077/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2074/cmdlineJump to behavior
    Source: /tmp/boatnet.x86.elf (PID: 6234)File opened: /proc/2195/cmdlineJump to behavior
    Source: boatnet.x86.elfSubmission file: segment LOAD with 7.8484 entropy (max. 8.0)

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY

    Remote Access Functionality

    barindex
    Source: Yara matchFile source: 6236.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6233.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
    Source: Yara matchFile source: 6235.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
    Obfuscated Files or Information
    1
    OS Credential Dumping
    System Service DiscoveryRemote ServicesData from Local System1
    Encrypted Channel
    Exfiltration Over Other Network Medium1
    Service Stop
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
    Non-Standard Port
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
    Application Layer Protocol
    Automated ExfiltrationData Encrypted for Impact
    No configs have been found
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1617624 Sample: boatnet.x86.elf Startdate: 18/02/2025 Architecture: LINUX Score: 72 22 109.202.202.202, 80 INIT7CH Switzerland 2->22 24 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->24 26 2 other IPs or domains 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected Mirai 2->32 34 Sample is packed with UPX 2->34 7 boatnet.x86.elf 2->7         started        9 xfce4-panel wrapper-2.0 2->9         started        11 xfce4-panel wrapper-2.0 2->11         started        13 4 other processes 2->13 signatures3 process4 process5 15 boatnet.x86.elf 7->15         started        18 boatnet.x86.elf 7->18         started        20 boatnet.x86.elf 7->20         started        signatures6 36 Sample tries to kill multiple processes (SIGKILL) 15->36

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    boatnet.x86.elf54%ReversingLabsLinux.Backdoor.Mirai
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches

    Download Network PCAP: filteredfull

    No contacted domains info
    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.netboatnet.x86.elffalse
      high
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IPDomainCountryFlagASNASN NameMalicious
      109.202.202.202
      unknownSwitzerland
      13030INIT7CHfalse
      5.83.218.12
      unknownUnited Kingdom
      51059BRIGHTBOX-ASGBfalse
      91.189.91.43
      unknownUnited Kingdom
      41231CANONICAL-ASGBfalse
      91.189.91.42
      unknownUnited Kingdom
      41231CANONICAL-ASGBfalse
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
      • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
      5.83.218.12boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
        boatnet.arm.elfGet hashmaliciousMiraiBrowse
          boatnet.x86.elfGet hashmaliciousMiraiBrowse
            boatnet.arm7.elfGet hashmaliciousMiraiBrowse
              boatnet.arm.elfGet hashmaliciousMiraiBrowse
                boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                  5.83.218.12-boatnet.x86-2025-02-14T10_12_14.elfGet hashmaliciousMiraiBrowse
                    5.83.218.12-boatnet.arm-2025-02-08T08_23_58.elfGet hashmaliciousMiraiBrowse
                      boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                        boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                          91.189.91.43ntpd.elfGet hashmaliciousGafgyt, MiraiBrowse
                            na.elfGet hashmaliciousPrometeiBrowse
                              boatnet.mips.elfGet hashmaliciousMiraiBrowse
                                193.32.162.38-boatnet.arm7-2025-02-18T00_55_21.elfGet hashmaliciousMiraiBrowse
                                  bin.sh.elfGet hashmaliciousMiraiBrowse
                                    boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                          boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                            na.elfGet hashmaliciousPrometeiBrowse
                                              91.189.91.42ntpd.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                na.elfGet hashmaliciousPrometeiBrowse
                                                  boatnet.mips.elfGet hashmaliciousMiraiBrowse
                                                    193.32.162.38-boatnet.arm7-2025-02-18T00_55_21.elfGet hashmaliciousMiraiBrowse
                                                      bin.sh.elfGet hashmaliciousMiraiBrowse
                                                        boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                            boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                              boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                na.elfGet hashmaliciousPrometeiBrowse
                                                                  No context
                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  CANONICAL-ASGBntpd.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                  • 91.189.91.42
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.mips.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  193.32.162.38-boatnet.arm7-2025-02-18T00_55_21.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  bin.sh.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.ppc.elfGet hashmaliciousMiraiBrowse
                                                                  • 185.125.190.26
                                                                  boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  BRIGHTBOX-ASGBboatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  boatnet.arm.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  boatnet.x86.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  boatnet.arm7.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  boatnet.arm.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  https://account.apscan.orgGet hashmaliciousHTMLPhisherBrowse
                                                                  • 37.230.62.64
                                                                  5.83.218.12-boatnet.x86-2025-02-14T10_12_14.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  5.83.218.12-boatnet.arm-2025-02-08T08_23_58.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                  • 5.83.218.12
                                                                  CANONICAL-ASGBntpd.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                  • 91.189.91.42
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.mips.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  193.32.162.38-boatnet.arm7-2025-02-18T00_55_21.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  bin.sh.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.ppc.elfGet hashmaliciousMiraiBrowse
                                                                  • 185.125.190.26
                                                                  boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                  • 91.189.91.42
                                                                  INIT7CHntpd.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                  • 109.202.202.202
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 109.202.202.202
                                                                  boatnet.mips.elfGet hashmaliciousMiraiBrowse
                                                                  • 109.202.202.202
                                                                  193.32.162.38-boatnet.arm7-2025-02-18T00_55_21.elfGet hashmaliciousMiraiBrowse
                                                                  • 109.202.202.202
                                                                  bin.sh.elfGet hashmaliciousMiraiBrowse
                                                                  • 109.202.202.202
                                                                  boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                  • 109.202.202.202
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 109.202.202.202
                                                                  boatnet.arm5.elfGet hashmaliciousMiraiBrowse
                                                                  • 109.202.202.202
                                                                  boatnet.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                  • 109.202.202.202
                                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                                  • 109.202.202.202
                                                                  No context
                                                                  No context
                                                                  No created / dropped files found
                                                                  File type:ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
                                                                  Entropy (8bit):7.844747431633357
                                                                  TrID:
                                                                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                                  File name:boatnet.x86.elf
                                                                  File size:21'492 bytes
                                                                  MD5:e77d89e82c4a1ae4107fca98b6843e32
                                                                  SHA1:e377753c40e14f03a510ec600dc18b5ec91dc5b1
                                                                  SHA256:d6d0b77b182118e5bef12d8cec462757670159046e1de013d3f38c8ee8001986
                                                                  SHA512:0fc18c0ec56f601a810b7499a55b749213ccac6a81041ce21cc9293f24cb9bf81aca9aa3fdd42a05b5a46db966c4eec407fac6eba499cbd8f06aef32264bbaa0
                                                                  SSDEEP:384:M0DLpj8s/qPui8uZxoIA57RWQjJiEVi+ZkXaz1Hb+502F2vwA9B1fKVVXT3SyY:x98o08kxofBE+ZkXaVbp2F2n8VVXZY
                                                                  TLSH:B7A2E018BF1C458BC936393542E9E9C62291EC61F3ACDD595990C05FF5A73997030F85
                                                                  File Content Preview:.ELF.....................Z..4...........4. ...(......................R...R...................G...G..................Q.td................................UPX!....................Y.......w....ELF.......d....g..4...34. (.....[..;;.F.@....'..6..f?..@..>....{?i

                                                                  ELF header

                                                                  Class:ELF32
                                                                  Data:2's complement, little endian
                                                                  Version:1 (current)
                                                                  Machine:Intel 80386
                                                                  Version Number:0x1
                                                                  Type:EXEC (Executable file)
                                                                  OS/ABI:UNIX - Linux
                                                                  ABI Version:0
                                                                  Entry Point Address:0xc05ae8
                                                                  Flags:0x0
                                                                  ELF Header Size:52
                                                                  Program Header Offset:52
                                                                  Program Header Size:32
                                                                  Number of Program Headers:3
                                                                  Section Header Offset:0
                                                                  Section Header Size:40
                                                                  Number of Section Headers:0
                                                                  Header String Table Index:0
                                                                  TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                                  LOAD0x00xc010000xc010000x52f40x52f47.84840x5R E0x1000
                                                                  LOAD0x7a00x80547a00x80547a00x00x00.00000x6RW 0x1000
                                                                  GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                                                                  Download Network PCAP: filteredfull

                                                                  • Total Packets: 73
                                                                  • 3778 undefined
                                                                  • 443 (HTTPS)
                                                                  • 80 (HTTP)
                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Feb 18, 2025 05:37:58.335881948 CET43928443192.168.2.2391.189.91.42
                                                                  Feb 18, 2025 05:37:58.561665058 CET561703778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:58.566831112 CET3778561705.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:58.566903114 CET561703778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:58.566931963 CET561703778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:58.572859049 CET3778561705.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:58.572906017 CET561703778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:58.579138041 CET3778561705.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.166426897 CET3778561705.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.166675091 CET561703778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.166704893 CET561703778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.166719913 CET561723778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.171794891 CET3778561725.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.171854973 CET561723778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.171881914 CET561723778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.176861048 CET3778561725.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.176911116 CET561723778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.182179928 CET3778561725.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.769509077 CET3778561725.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.769783974 CET561723778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.769783974 CET561723778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.769783974 CET561743778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.774653912 CET3778561745.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.774701118 CET561743778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.774722099 CET561743778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.779525995 CET3778561745.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:37:59.779567957 CET561743778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:37:59.784317017 CET3778561745.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.365744114 CET3778561745.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.365890980 CET561743778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.365928888 CET561743778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.365962029 CET561763778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.370827913 CET3778561765.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.370949984 CET561763778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.370949984 CET561763778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.375850916 CET3778561765.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.375916004 CET561763778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.380709887 CET3778561765.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.960455894 CET3778561765.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.960639000 CET561763778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.960761070 CET561763778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.960834026 CET561783778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.965647936 CET3778561785.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.965751886 CET561783778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.965802908 CET561783778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.970621109 CET3778561785.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:00.970694065 CET561783778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:00.975573063 CET3778561785.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:01.556534052 CET3778561785.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:01.556745052 CET561783778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:01.556746006 CET561783778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:01.556799889 CET561803778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:01.561716080 CET3778561805.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:01.561853886 CET561803778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:01.561918020 CET561803778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:01.566726923 CET3778561805.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:01.566803932 CET561803778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:01.571590900 CET3778561805.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.180547953 CET3778561805.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.180666924 CET561803778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.180752039 CET561803778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.180790901 CET561823778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.185715914 CET3778561825.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.185805082 CET561823778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.185853004 CET561823778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.191063881 CET3778561825.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.191148996 CET561823778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.196027040 CET3778561825.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.784316063 CET3778561825.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.784447908 CET561823778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.784526110 CET561823778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.784528017 CET561843778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.789356947 CET3778561845.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.789437056 CET561843778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.789437056 CET561843778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.794310093 CET3778561845.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:02.794377089 CET561843778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:02.799163103 CET3778561845.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.377867937 CET3778561845.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.378042936 CET561843778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.378093004 CET561843778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.378118992 CET561863778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.382849932 CET3778561865.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.382941961 CET561863778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.382941961 CET561863778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.387732029 CET3778561865.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.387856007 CET561863778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.392625093 CET3778561865.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.711091995 CET42836443192.168.2.2391.189.91.43
                                                                  Feb 18, 2025 05:38:03.984515905 CET3778561865.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.984623909 CET561863778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.984623909 CET561863778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.984666109 CET561883778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.990508080 CET3778561885.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.990569115 CET561883778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.990617990 CET561883778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:03.995409966 CET3778561885.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:03.995460987 CET561883778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.000224113 CET3778561885.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:04.584794044 CET3778561885.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:04.584858894 CET561883778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.584892988 CET561883778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.584949017 CET561903778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.589771986 CET3778561905.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:04.589842081 CET561903778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.590082884 CET561903778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.594834089 CET3778561905.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:04.594881058 CET561903778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.601582050 CET3778561905.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:04.630796909 CET561903778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:04.687511921 CET3778561905.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:05.018328905 CET3778561905.83.218.12192.168.2.23
                                                                  Feb 18, 2025 05:38:05.018450975 CET561903778192.168.2.235.83.218.12
                                                                  Feb 18, 2025 05:38:05.503051996 CET4251680192.168.2.23109.202.202.202
                                                                  Feb 18, 2025 05:38:18.301197052 CET43928443192.168.2.2391.189.91.42
                                                                  Feb 18, 2025 05:38:30.587532997 CET42836443192.168.2.2391.189.91.43
                                                                  Feb 18, 2025 05:38:36.730617046 CET4251680192.168.2.23109.202.202.202
                                                                  Feb 18, 2025 05:38:59.255728960 CET43928443192.168.2.2391.189.91.42

                                                                  System Behavior

                                                                  Start time (UTC):04:37:57
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/tmp/boatnet.x86.elf
                                                                  Arguments:/tmp/boatnet.x86.elf
                                                                  File size:21492 bytes
                                                                  MD5 hash:e77d89e82c4a1ae4107fca98b6843e32

                                                                  Start time (UTC):04:37:57
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/tmp/boatnet.x86.elf
                                                                  Arguments:-
                                                                  File size:21492 bytes
                                                                  MD5 hash:e77d89e82c4a1ae4107fca98b6843e32

                                                                  Start time (UTC):04:37:57
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/tmp/boatnet.x86.elf
                                                                  Arguments:-
                                                                  File size:21492 bytes
                                                                  MD5 hash:e77d89e82c4a1ae4107fca98b6843e32

                                                                  Start time (UTC):04:37:57
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/tmp/boatnet.x86.elf
                                                                  Arguments:-
                                                                  File size:21492 bytes
                                                                  MD5 hash:e77d89e82c4a1ae4107fca98b6843e32
                                                                  Start time (UTC):04:38:02
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/bin/xfce4-panel
                                                                  Arguments:-
                                                                  File size:375768 bytes
                                                                  MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                                                  Start time (UTC):04:38:02
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                                                                  Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
                                                                  File size:35136 bytes
                                                                  MD5 hash:ac0b8a906f359a8ae102244738682e76

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/bin/xfce4-panel
                                                                  Arguments:-
                                                                  File size:375768 bytes
                                                                  MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                                                                  Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
                                                                  File size:35136 bytes
                                                                  MD5 hash:ac0b8a906f359a8ae102244738682e76

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/bin/xfce4-panel
                                                                  Arguments:-
                                                                  File size:375768 bytes
                                                                  MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                                                                  Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
                                                                  File size:35136 bytes
                                                                  MD5 hash:ac0b8a906f359a8ae102244738682e76

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/bin/xfce4-panel
                                                                  Arguments:-
                                                                  File size:375768 bytes
                                                                  MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                                                                  Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
                                                                  File size:35136 bytes
                                                                  MD5 hash:ac0b8a906f359a8ae102244738682e76

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/bin/xfce4-panel
                                                                  Arguments:-
                                                                  File size:375768 bytes
                                                                  MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                                                                  Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
                                                                  File size:35136 bytes
                                                                  MD5 hash:ac0b8a906f359a8ae102244738682e76

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/bin/xfce4-panel
                                                                  Arguments:-
                                                                  File size:375768 bytes
                                                                  MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                                                  Start time (UTC):04:38:03
                                                                  Start date (UTC):18/02/2025
                                                                  Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                                                                  Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
                                                                  File size:35136 bytes
                                                                  MD5 hash:ac0b8a906f359a8ae102244738682e76