
Linux Analysis Report
i686.elf

Overview

General Information

Sample name: i686.elf
Analysis ID: 1619180
MD5: 33035ce545aeca7452edab105f2177d2
SHA1: 24c0f08c09f934ba5b12ff4819372f635cb5c084
SHA256: c4a3a163977fab408cb8d7e57fd31b26a16da129c946e067912160b68bd1a77e
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 80 (range 0 - 100)

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Performs DNS TXT record lookups
Sample reads /proc/mounts (often used for finding a writable filesystem)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Classification chart (interactive widget on the original page; categories shown: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1619180
Start date and time: 2025-02-19 16:42:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: i686.elf
Detection: MAL
Classification: mal80.troj.evad.linELF@0/0@3/0
Warnings:
  • VT rate limit hit for: lib.libre
Command: /tmp/i686.elf
PID: 6231
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output:
  For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life
Standard Error: (empty)

Process tree:
  • system is lnxubuntu20
  • i686.elf (PID: 6231, Parent: 6147, MD5: 33035ce545aeca7452edab105f2177d2) Arguments: /tmp/i686.elf
    • i686.elf New Fork (PID: 6233, Parent: 6231)
    • i686.elf New Fork (PID: 6234, Parent: 6231)
    • i686.elf New Fork (PID: 6252, Parent: 6231)
    • i686.elf New Fork (PID: 6301, Parent: 6231)
  • cleanup
Malware family reference (Malpedia):
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the submitted file (i686.elf):
  • JoeSecurity_Mirai_8 (author: Joe Security): Yara detected Mirai
  • Linux_Trojan_Gafgyt_9e9530a7 (description and author: unknown): $a at 0xdc74: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
  • Linux_Trojan_Gafgyt_807911a2 (description and author: unknown): $a at 0xe463: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
  • Linux_Trojan_Gafgyt_d4227dbf (description and author: unknown): $a at 0xa74e and 0xa8b0: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • Linux_Trojan_Gafgyt_d996d335 (description and author: unknown): $a at 0x10dda: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
  • 3 further entries are collapsed on the original page

Yara matches on the memory dump 6252.1.0000000000400000.0000000000415000.r-x.sdmp (PID 6252, r-x region 0x400000-0x415000): the same five rules with the same $a offsets as for the file, plus 11 further entries collapsed on the original page.

No Suricata rule has matched.

Two things are worth noting about these strings. First, the matched bytes are x86-64 code: 48 is a REX.W prefix, 0F 05 is the 64-bit SYSCALL instruction and 48 3D 00 F0 FF FF is cmp rax, -4096 (the libc syscall error check), and the dump base 0x400000 is the default load address of a non-PIE x86-64 executable; the "i686" file name therefore does not describe the architecture. Second, the $a offsets are identical in the file and in the dump, so the r-x region is the file's first segment mapped with file offset 0 at 0x400000, and a dump offset converts to a virtual address by adding 0x400000 (0xdc74 -> 0x40dc74).
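Added example, not Joe Sandbox or Elastic code: a pure-Python check of the $a hex strings listed above against a file or a raw memory dump, for when the yara module is not at hand. Only the strings are on the page, not the rules' conditions, so a hit confirms the string, not the whole rule. The zero-filled fixture with the strings planted at the reported offsets is constructed here and stands in for the sample; pass a real file path on the command line to scan it instead.

```python
"""Re-check the reported Yara $a strings against a file or raw dump."""
import re

# Hex strings exactly as the report prints them (rule -> $a).
PATTERNS = {
    "Linux_Trojan_Gafgyt_9e9530a7": "F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3",
    "Linux_Trojan_Gafgyt_807911a2": "FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D",
    "Linux_Trojan_Gafgyt_d4227dbf": "FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00",
    "Linux_Trojan_Gafgyt_d996d335": "D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0",
}
# Offsets the report gives for each $a; identical for the file and the dumps.
REPORTED = {
    "Linux_Trojan_Gafgyt_9e9530a7": [0xdc74],
    "Linux_Trojan_Gafgyt_807911a2": [0xe463],
    "Linux_Trojan_Gafgyt_d4227dbf": [0xa74e, 0xa8b0],
    "Linux_Trojan_Gafgyt_d996d335": [0x10dda],
}


def hex_string_to_regex(hexstr):
    """Yara hex string -> bytes regex. '??' is a one-byte wildcard; the
    lookahead makes finditer report overlapping hits, as yara does."""
    body = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                    for tok in hexstr.split())
    return re.compile(b"(?=" + body + b")", re.DOTALL)


def find_strings(data, patterns=PATTERNS):
    """Every offset in `data` at which each pattern occurs."""
    return {rule: [m.start() for m in hex_string_to_regex(h).finditer(data)]
            for rule, h in patterns.items()}


def verify_reported(data, reported=REPORTED, patterns=PATTERNS):
    """rule -> True if the bytes at every reported offset really match."""
    found = find_strings(data, patterns)
    return {rule: all(off in found[rule] for off in offs)
            for rule, offs in reported.items()}


def dump_offset_to_va(offset, dump_base=0x400000):
    """Offset inside the 6252.1.0000000000400000... dump -> virtual address."""
    return dump_base + offset


def build_fixture(size=0x11000):
    """Constructed stand-in for the sample: zero-filled, with each reported $a
    planted at its reported offset. It is not the malware, only test input."""
    buf = bytearray(size)
    for rule, offs in REPORTED.items():
        blob = bytes.fromhex(PATTERNS[rule].replace(" ", ""))
        for off in offs:
            buf[off:off + len(blob)] = blob
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture()
    for rule, offs in find_strings(data).items():
        print(rule, [hex(o) for o in offs])
```

Run it as `python3 check_strings.py i686.elf` against the sample (or against the .sdmp file, whose offsets are the same here) and compare the printed offsets with the report; a string that matches in the file but not in the dump would point at self-modifying or packed code, which this sample does not show.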


AV Detection

Source: i686.elf | ReversingLabs: Detection: 34%

Networking

Source: global traffic | TCP traffic: 64.23.188.144 ports 0,1,2,8,9,10298
Source: unknown | DNS query: name: stun.l.google.com
Source: global traffic | TCP traffic: 192.168.2.23:56448 -> 64.23.188.144:10298
Source: global traffic | UDP traffic: 192.168.2.23:51781 -> 74.125.250.129:19302
Source: /tmp/i686.elf (PID: 6231) | Socket: 127.0.0.1:43478
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query (50 events on the original page, grouped here by destination IP):
  • 64.23.188.144 (22 events)
  • 12.103.252.200 (4)
  • 154.40.24.23 (4)
  • 212.75.95.238 (4)
  • 220.176.241.21 (4)
  • 70.103.100.19 (4)
  • 91.189.91.42 (3)
  • 91.189.91.43 (3)
  • 109.202.202.202 (2)
Source: global traffic | DNS traffic detected: DNS query: lib.libre
Source: global traffic | DNS traffic detected: DNS query: stun.l.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

Reading these rows: 64.23.188.144 is the only host the sample reaches on a non-standard port (10298) after probing ports 0, 1, 2, 8 and 9 on it, and it accounts for 22 of the 50 connection attempts made without a DNS lookup, so it is the strongest C2 candidate in this run. The UDP datagram to 74.125.250.129:19302 follows the stun.l.google.com lookup and is what the STUN/NAT-traversal signature refers to. 91.189.91.42 and 91.189.91.43 are Canonical (Ubuntu) addresses, so the port-443 connections to them are, in the editor's assessment, background traffic of the Ubuntu 20.04 analysis VM rather than sample activity; confirm against the per-process behavior log before adding them to an indicator list, and treat 109.202.202.202:80 with the same caution. The lib.libre query is shown without an answer, and the VT rate-limit warning above means its reputation was not checked.
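Added example, not part of the Joe Sandbox report or its signature engine: the heuristics behind three of the signatures above (many ports on one IP, STUN use, connections with no DNS lookup, plus the non-standard-port check), run over an event list constructed from the destinations this section lists. The thresholds, the allow-list of standard ports and the DNS answer table are assumptions; the report prints queries, not responses.

```python
"""Re-derive the report's network signatures from a connection log."""
from collections import defaultdict
from typing import NamedTuple


class NetEvent(NamedTuple):
    kind: str    # "dns" (a query) or "conn" (a socket connect/send)
    proto: str   # for conn: "tcp"/"udp"; for dns: record type
    dst: str     # for conn: destination IP; for dns: queried name
    dport: int   # for conn: destination port; for dns: 0


# Constructed from the Networking section above (analysis VM is 192.168.2.23).
EVENTS = [
    NetEvent("dns", "A", "lib.libre", 0),
    NetEvent("dns", "A", "stun.l.google.com", 0),
    NetEvent("conn", "udp", "74.125.250.129", 19302),
    *[NetEvent("conn", "tcp", "64.23.188.144", p) for p in (0, 1, 2, 8, 9, 10298)],
    NetEvent("conn", "tcp", "91.189.91.42", 443),
    NetEvent("conn", "tcp", "91.189.91.43", 443),
    NetEvent("conn", "tcp", "109.202.202.202", 80),
]

# Assumed DNS answers: the report shows the query, the answer is an assumption.
ANSWERS = {"stun.l.google.com": {"74.125.250.129"}}

STUN_PORTS = {3478, 19302}
STANDARD_PORTS = {22, 23, 25, 53, 80, 123, 443}  # assumption: a site allow-list


def port_scan_targets(events, min_ports=5):
    """IPs contacted on at least `min_ports` distinct ports, i.e. the
    'Connects to many ports of the same IP' heuristic."""
    ports = defaultdict(set)
    for e in events:
        if e.kind == "conn":
            ports[e.dst].add(e.dport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def stun_usage(events):
    """True if the process resolves a stun.* name or sends UDP to a STUN port."""
    return any(
        (e.kind == "dns" and e.dst.startswith("stun."))
        or (e.kind == "conn" and e.proto == "udp" and e.dport in STUN_PORTS)
        for e in events
    )


def nonstandard_ports(events, allowed=STANDARD_PORTS):
    """(ip, port) pairs whose destination port is outside the allow-list."""
    return sorted({(e.dst, e.dport) for e in events
                   if e.kind == "conn" and e.dport not in allowed})


def connections_without_dns(events, answers=ANSWERS):
    """Destination IPs that no observed DNS answer explains. Hard-coded C2
    addresses and scan targets land here; OS/CDN traffic usually does not."""
    explained = set().union(*answers.values())
    return sorted({e.dst for e in events if e.kind == "conn" and e.dst not in explained})


def triage(events):
    """One dict with all four findings, for a report or a SIEM enrichment."""
    return {
        "port_scan": port_scan_targets(events),
        "stun": stun_usage(events),
        "nonstandard_ports": nonstandard_ports(events),
        "no_dns": connections_without_dns(events),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(f"{name}: {finding}")
```

On the constructed events the port-scan heuristic singles out 64.23.188.144 alone, STUN use is flagged, and the no-DNS list still contains the Canonical addresses: the last check separates "no lookup" from "malicious", and the allow-list in `STANDARD_PORTS` is what keeps the port-443 background traffic out of the non-standard-port finding.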

System Summary

Yara rule matches. Each of the seven rules below matched three sources: the submitted file (i686.elf), the r-x memory dump of PID 6252 (6252.1.0000000000400000.0000000000415000.r-x.sdmp) and the r-x memory dump of PID 6231 (6231.1.0000000000400000.0000000000415000.r-x.sdmp). Author: unknown for all seven.
  • Linux_Trojan_Gafgyt_9e9530a7
  • Linux_Trojan_Gafgyt_807911a2
  • Linux_Trojan_Gafgyt_d4227dbf
  • Linux_Trojan_Gafgyt_d996d335
  • Linux_Trojan_Gafgyt_620087b9
  • Linux_Trojan_Gafgyt_33b4111a
  • Linux_Trojan_Mirai_1cb033f3

ELF static info of initial sample: .symtab present: no

Rule metadata (the original page repeats it once per source; it is identical each time). Common to all seven rules: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, last_modified = 2021-09-16.
  • Linux_Trojan_Gafgyt_9e9530a7: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f
  • Linux_Trojan_Gafgyt_807911a2: threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6
  • Linux_Trojan_Gafgyt_d4227dbf: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4
  • Linux_Trojan_Gafgyt_d996d335: threat_name = Linux.Trojan.Gafgyt, reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b
  • Linux_Trojan_Gafgyt_620087b9: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28
  • Linux_Trojan_Gafgyt_33b4111a: threat_name = Linux.Trojan.Gafgyt, reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5
  • Linux_Trojan_Mirai_1cb033f3: threat_name = Linux.Trojan.Mirai, fingerprint = 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358, id = 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e

The reference_sample hashes are the rule authors' reference files, not this sample. Six of the seven Elastic rules are Gafgyt rules and only one is a Mirai rule; Gafgyt (Bashlite) and Mirai variants share a great deal of code, so the "Mirai" family label rests mainly on the Joe Security rule and is best read as a family-cluster label rather than a precise lineage.

Classification label: mal80.troj.evad.linELF@0/0@3/0

Persistence and Installation Behavior

Source: /tmp/i686.elf (PID: 6231) | File read: /proc/6231/mounts
Source: /tmp/i686.elf (PID: 6233) | File read: /proc/6233/mounts
Source: /tmp/i686.elf (PID: 6231) | File opened: /proc/6231/status and /proc/6231/cmdline (its own entries)
Source: /tmp/i686.elf (PID: 6231) | File opened: /proc/<pid>/maps, then /proc/<pid>/status and /proc/<pid>/cmdline, for 31 other processes, in this order: 2033, 1582, 2275, 1579, 1699, 1335, 1698, 1334, 2302, 3236, 2025, 2146, 759, 2307, 1594, 2285, 2281, 1349, 1, 1623, 761, 1622, 2038, 1586, 1465, 1860, 1463, 2156, 1629, 1627, 491
Source: /tmp/i686.elf (PID: 6231) | File opened: /proc/<pid>/maps only (no status or cmdline read) for 11 further processes: 1612, 2028, 1576, 912, 918, 884, 1983, 1344, 800, 801, 1900

The original page lists each of these 104 file opens as a separate row. The walk is what the "Enumerates processes within the proc file system" signature refers to: every live PID is visited, maps is read first and status/cmdline only for a subset, which is consistent with the process-killer routines of Mirai and Gafgyt variants that scan /proc for competing bots. The report does not say what the maps read tested for. The two /proc/<pid>/mounts reads (by the parent and by the first fork) are the "often used for finding a writable filesystem" signature; no file write follows in this run.
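Added example, not Joe Sandbox code: the two /proc behaviors in this section seen from the defender's side. The first function answers the "writable filesystem" question from a constructed /proc/mounts text in the kernel's own format; the second is a hunt over constructed file-open events that flags the /proc sweep, using the PID list this report prints. The threshold of ten foreign PIDs, the benign PID 7000 and the mount table are assumptions.

```python
"""Writable-mount parser and /proc-sweep detector for the behaviour above."""
import re
from collections import defaultdict

# Constructed /proc/mounts in the kernel's format:
# <device> <mountpoint> <fstype> <options> <dump> <pass>
MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mtdblock2 / squashfs ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
/dev/mtdblock4 /data jffs2 rw,relatime 0 0
"""

PSEUDO_FS = {"proc", "sysfs", "devpts", "devtmpfs", "cgroup", "cgroup2",
             "debugfs", "securityfs"}


def writable_mounts(mounts_text, require_exec=True):
    """Mountpoints where a dropped payload could be written (rw) and, with
    require_exec, also executed (no 'noexec'). This is the answer a
    'find a writable filesystem' walk of /proc/mounts is after."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, opts = fields[:4]
        if fstype in PSEUDO_FS:
            continue
        opts = set(opts.split(","))
        if "rw" not in opts:
            continue
        if require_exec and "noexec" in opts:
            continue
        hits.append(mountpoint)
    return hits


# PIDs whose /proc/<pid>/maps PID 6231 opened, in the order the report lists them.
SWEPT_PIDS = [2033, 1582, 2275, 1612, 1579, 1699, 1335, 1698, 2028, 1334, 1576,
              2302, 3236, 2025, 2146, 912, 759, 2307, 918, 1594, 2285, 2281, 1349,
              1, 1623, 761, 1622, 884, 1983, 2038, 1586, 1465, 1344, 1860, 1463,
              2156, 800, 801, 1629, 1627, 1900, 491]

# Constructed file-open events as (pid, path). A benign ps-like process
# (pid 7000, an assumption) reading three entries shows the threshold at work.
OPEN_EVENTS = [
    (6231, "/proc/6231/mounts"),
    (6233, "/proc/6233/mounts"),
    (6231, "/proc/6231/status"),
    (6231, "/proc/6231/cmdline"),
    *[(6231, f"/proc/{p}/maps") for p in SWEPT_PIDS],
    *[(7000, f"/proc/{p}/status") for p in (1, 491, 759)],
]

PROC_ENTRY = re.compile(r"^/proc/(\d+)/(maps|status|cmdline|exe|stat)$")


def proc_sweeps(open_events, min_pids=10):
    """Processes that read per-process /proc entries of at least `min_pids`
    other processes: Mirai-style killers walk /proc this way to find rivals."""
    targets = defaultdict(set)
    for pid, path in open_events:
        m = PROC_ENTRY.match(path)
        if m and int(m.group(1)) != pid:   # a process reading its own entries is normal
            targets[pid].add(int(m.group(1)))
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_pids}


def mounts_readers(open_events):
    """PIDs that read /proc/mounts or /proc/<self>/mounts, for correlation
    with a sweep by the same process tree."""
    return sorted({pid for pid, path in open_events
                   if path == "/proc/mounts" or path == f"/proc/{pid}/mounts"})


if __name__ == "__main__":
    print("writable, exec-capable mounts:", writable_mounts(MOUNTS))
    for pid, pids in proc_sweeps(OPEN_EVENTS).items():
        print(f"pid {pid} swept {len(pids)} other processes")
    print("mounts readers:", mounts_readers(OPEN_EVENTS))
```

Fed with auditd or eBPF open() records in the same (pid, path) shape, `proc_sweeps` fires on the parent alone and stays quiet for the three-entry reader; raising `min_pids` above the number of processes on a small device would silence it, so size the threshold to the host.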

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: lib.libre

Stealing of Sensitive Information

Source: Yara match | File source: i686.elf, type: SAMPLE
Source: Yara match | File source: 6252.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6231.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: i686.elf, type: SAMPLE
Source: Yara match | File source: 6252.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6231.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY
MITRE ATT&CK matrix (numbers in parentheses are the matched signature counts for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping (1) | File and Directory Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Application Layer Protocol (2) | Traffic Duplication | Data Destruction
      No configs have been found
Behavior Graph (ID: 1619180, sample: i686.elf, start date: 19/02/2025, architecture: LINUX, score: 80)

Root-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; Connects to many ports of the same IP (likely port scanning)
Contacted hosts: lib.libre (Performs DNS TXT record lookups); stun.l.google.com (Uses STUN server to do NAT traversial); 10 other IPs or domains
Process tree: i686.elf started (Sample reads /proc/mounts, often used for finding a writable filesystem), which started four child i686.elf processes; the first child also reads /proc/mounts
Source | Detection | Scanner | Label
i686.elf | 34% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
stun.l.google.com | 74.125.250.129 | true | false | | high
lib.libre | unknown | unknown | true | | unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
154.40.24.23 | unknown | United States | 174 | COGENT-174US | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
220.176.241.21 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
212.75.95.238 | unknown | Sweden | 2119 | TELENOR-NEXTELTelenorNorgeASNO | false
12.103.252.200 | unknown | United States | 7018 | ATT-INTERNET4US | false
70.103.100.19 | unknown | United States | 7385 | ALLSTREAMUS | false
64.23.188.144 | unknown | United States | 3064 | AFFINITY-FTLUS | true
74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLEUS | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
64.23.188.144 | i686.elf | malicious | Unknown
64.23.188.144 | i686.elf | malicious | Unknown
64.23.188.144 | i686.elf | malicious | Unknown
64.23.188.144 | na.elf | malicious | Unknown
64.23.188.144 | i686.elf | malicious | Unknown
64.23.188.144 | na.elf | malicious | Unknown
91.189.91.43 | arm5.elf | malicious | Mirai
91.189.91.43 | arm6.elf | malicious | Mirai
91.189.91.43 | na.elf | malicious | Prometei
91.189.91.43 | na.elf | malicious | Prometei
91.189.91.43 | na.elf | malicious | Prometei
91.189.91.43 | na.elf | malicious | Prometei
91.189.91.43 | b6.elf | malicious | Unknown
91.189.91.43 | b3.elf | malicious | Unknown
91.189.91.43 | b1.elf | malicious | Unknown
91.189.91.43 | na.elf | malicious | Prometei
91.189.91.42 | arm5.elf | malicious | Mirai
91.189.91.42 | arm6.elf | malicious | Mirai
91.189.91.42 | na.elf | malicious | Prometei
91.189.91.42 | na.elf | malicious | Prometei
91.189.91.42 | na.elf | malicious | Prometei
91.189.91.42 | na.elf | malicious | Prometei
91.189.91.42 | b6.elf | malicious | Unknown
91.189.91.42 | b3.elf | malicious | Unknown
91.189.91.42 | b1.elf | malicious | Unknown
91.189.91.42 | na.elf | malicious | Prometei
                                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINANET-BACKBONENo31Jin-rongStreetCN | SecuriteInfo.com.FileRepMalware.22603.20935.exe | malicious | Unknown | 222.211.226.110
CHINANET-BACKBONENo31Jin-rongStreetCN | zte | malicious | Unknown | 110.178.251.236
CHINANET-BACKBONENo31Jin-rongStreetCN | z3hir.x86 | malicious | Mirai | 60.189.236.199
CHINANET-BACKBONENo31Jin-rongStreetCN | Hilix.ppc.elf | malicious | Unknown | 202.109.142.112
CHINANET-BACKBONENo31Jin-rongStreetCN | Hilix.sh4.elf | malicious | Unknown | 171.95.182.160
CHINANET-BACKBONENo31Jin-rongStreetCN | Hilix.x86.elf | malicious | Unknown | 59.175.154.149
CHINANET-BACKBONENo31Jin-rongStreetCN | Hilix.arm7.elf | malicious | Mirai | 49.82.207.112
CHINANET-BACKBONENo31Jin-rongStreetCN | res.mips.elf | malicious | Unknown | 218.84.206.217
CHINANET-BACKBONENo31Jin-rongStreetCN | Hilix.spc.elf | malicious | Unknown | 27.144.168.230
CHINANET-BACKBONENo31Jin-rongStreetCN | Hilix.m68k.elf | malicious | Unknown | 121.8.97.202
INIT7CH | arm5.elf | malicious | Mirai | 109.202.202.202
INIT7CH | arm6.elf | malicious | Mirai | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | b6.elf | malicious | Unknown | 109.202.202.202
INIT7CH | b3.elf | malicious | Unknown | 109.202.202.202
INIT7CH | b1.elf | malicious | Unknown | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
COGENT-174US | QUOTATION_JANQUOTE312025#U00faPDF.scr | malicious | Unknown | 23.237.50.106
COGENT-174US | Order confirmation.exe | malicious | FormBook | 154.23.184.218
COGENT-174US | SOA OF DEC 2024 PT.BINEX.exe | malicious | FormBook | 149.104.35.122
COGENT-174US | https://consulteoseulimite.online/shopee/ | malicious | Unknown | 143.244.185.131
COGENT-174US | https://adminatttse0n.weebly.com/ | malicious | HTMLPhisher | 38.98.69.175
COGENT-174US | zte | malicious | Unknown | 38.50.252.97
COGENT-174US | Yboats.x86.elf | malicious | Mirai, Okiru | 23.154.10.200
COGENT-174US | Quotation.exe | malicious | FormBook | 149.104.184.89
COGENT-174US | Payment_Activity_0104_2025-2-17.vbs | malicious | Unknown | 143.244.220.80
COGENT-174US | PO.exe | malicious | FormBook | 38.11.157.207
TELENOR-NEXTELTelenorNorgeASNO | zte | malicious | Unknown | 88.92.22.203
TELENOR-NEXTELTelenorNorgeASNO | Yboats.x86.elf | malicious | Mirai, Okiru | 178.30.28.83
TELENOR-NEXTELTelenorNorgeASNO | Hilix.mpsl.elf | malicious | Unknown | 193.215.185.162
TELENOR-NEXTELTelenorNorgeASNO | armv6l.elf | malicious | Unknown | 84.202.207.217
TELENOR-NEXTELTelenorNorgeASNO | res.sh4.elf | malicious | Unknown | 157.237.144.218
TELENOR-NEXTELTelenorNorgeASNO | armv4l.elf | malicious | Unknown | 62.92.24.83
TELENOR-NEXTELTelenorNorgeASNO | armv6l.elf | malicious | Unknown | 77.16.153.208
TELENOR-NEXTELTelenorNorgeASNO | Hilix.m68k.elf | malicious | Mirai | 146.173.30.182
TELENOR-NEXTELTelenorNorgeASNO | res.mpsl.elf | malicious | Unknown | 213.214.202.195
TELENOR-NEXTELTelenorNorgeASNO | res.mips.elf | malicious | Unknown | 85.164.242.110
                                                              No context
                                                              No context
                                                              No created / dropped files found
                                                              File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                                              Entropy (8bit):6.114546793288269
                                                              TrID:
                                                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                              File name:i686.elf
                                                              File size:88'768 bytes
                                                              MD5:33035ce545aeca7452edab105f2177d2
                                                              SHA1:24c0f08c09f934ba5b12ff4819372f635cb5c084
                                                              SHA256:c4a3a163977fab408cb8d7e57fd31b26a16da129c946e067912160b68bd1a77e
                                                              SHA512:ca2430560516a1e68812259cc57d67b4ca47dc0d9039e490c5100c9da110b25b5a56bc72a09efcacefdf51546e1bd104692bb97e7f2ca796badc7fa66169ea19
                                                              SSDEEP:1536:B39/ggQxmYmoUV3ZuQijyiR3LD344wrivdiPZb58QPN/lrq1n:jymYmoUVJiyituWvdiV588/lrq1
                                                              TLSH:0B833A03B5C08CFED896C2744FAEA136D662F0AD2235716B27D0BE216F5EE111F1B568
                                                              File Content Preview:.ELF..............>.......@.....@.......@H..........@.8...@.......................@.......@......B.......B.......................B.......BQ......BQ.....H.......0p..............Q.td....................................................H...._....*...H........

                                                              ELF header

                                                              Class:ELF64
                                                              Data:2's complement, little endian
                                                              Version:1 (current)
                                                              Machine:Advanced Micro Devices X86-64
                                                              Version Number:0x1
                                                              Type:EXEC (Executable file)
                                                              OS/ABI:UNIX - System V
                                                              ABI Version:0
                                                              Entry Point Address:0x400194
                                                              Flags:0x0
                                                              ELF Header Size:64
                                                              Program Header Offset:64
                                                              Program Header Size:56
                                                              Number of Program Headers:3
                                                              Section Header Offset:84032
                                                              Section Header Size:64
                                                              Number of Section Headers:10
                                                              Header String Table Index:9
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x4000e8 | 0xe8 | 0x13 | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x400100 | 0x100 | 0x11156 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x411256 | 0x11256 | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x411280 | 0x11280 | 0x3030 | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x5142b8 | 0x142b8 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dtors | PROGBITS | 0x5142c8 | 0x142c8 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x5142e0 | 0x142e0 | 0x520 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x514800 | 0x14800 | 0x6ae8 | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x14800 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x142b0 | 0x142b0 | 6.3704 | 0x5 | R E | 0x100000 | | .init .text .fini .rodata
LOAD | 0x142b8 | 0x5142b8 | 0x5142b8 | 0x548 | 0x7030 | 2.3831 | 0x6 | RW | 0x100000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |


                                                              • Total Packets: 67
                                                              • 19302 undefined
                                                              • 10298 undefined
                                                              • 443 (HTTPS)
                                                              • 80 (HTTP)
                                                              • 53 (DNS)
                                                              • 23 (Telnet)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 19, 2025 16:43:06.239919901 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Feb 19, 2025 16:43:06.808532953 CET | 47038 | 23 | 192.168.2.23 | 154.40.24.23
Feb 19, 2025 16:43:06.813736916 CET | 23 | 47038 | 154.40.24.23 | 192.168.2.23
Feb 19, 2025 16:43:06.813910007 CET | 47038 | 23 | 192.168.2.23 | 154.40.24.23
Feb 19, 2025 16:43:06.841527939 CET | 42974 | 23 | 192.168.2.23 | 220.176.241.21
Feb 19, 2025 16:43:06.846086979 CET | 60236 | 23 | 192.168.2.23 | 70.103.100.19
Feb 19, 2025 16:43:06.846559048 CET | 23 | 42974 | 220.176.241.21 | 192.168.2.23
Feb 19, 2025 16:43:06.846620083 CET | 42974 | 23 | 192.168.2.23 | 220.176.241.21
Feb 19, 2025 16:43:06.851067066 CET | 23 | 60236 | 70.103.100.19 | 192.168.2.23
Feb 19, 2025 16:43:06.851232052 CET | 60236 | 23 | 192.168.2.23 | 70.103.100.19
Feb 19, 2025 16:43:06.853027105 CET | 38212 | 23 | 192.168.2.23 | 12.103.252.200
Feb 19, 2025 16:43:06.858968973 CET | 23 | 38212 | 12.103.252.200 | 192.168.2.23
Feb 19, 2025 16:43:06.859009027 CET | 38212 | 23 | 192.168.2.23 | 12.103.252.200
Feb 19, 2025 16:43:06.871018887 CET | 40008 | 23 | 192.168.2.23 | 212.75.95.238
Feb 19, 2025 16:43:06.875971079 CET | 23 | 40008 | 212.75.95.238 | 192.168.2.23
Feb 19, 2025 16:43:06.876049995 CET | 40008 | 23 | 192.168.2.23 | 212.75.95.238
Feb 19, 2025 16:43:06.903052092 CET | 38212 | 23 | 192.168.2.23 | 12.103.252.200
Feb 19, 2025 16:43:06.903053999 CET | 40008 | 23 | 192.168.2.23 | 212.75.95.238
Feb 19, 2025 16:43:06.903053999 CET | 60236 | 23 | 192.168.2.23 | 70.103.100.19
Feb 19, 2025 16:43:06.903063059 CET | 42974 | 23 | 192.168.2.23 | 220.176.241.21
Feb 19, 2025 16:43:06.903074026 CET | 47038 | 23 | 192.168.2.23 | 154.40.24.23
Feb 19, 2025 16:43:06.908132076 CET | 23 | 38212 | 12.103.252.200 | 192.168.2.23
Feb 19, 2025 16:43:06.908242941 CET | 38212 | 23 | 192.168.2.23 | 12.103.252.200
Feb 19, 2025 16:43:06.908274889 CET | 23 | 40008 | 212.75.95.238 | 192.168.2.23
Feb 19, 2025 16:43:06.908282042 CET | 23 | 60236 | 70.103.100.19 | 192.168.2.23
Feb 19, 2025 16:43:06.908286095 CET | 23 | 47038 | 154.40.24.23 | 192.168.2.23
Feb 19, 2025 16:43:06.908291101 CET | 23 | 42974 | 220.176.241.21 | 192.168.2.23
Feb 19, 2025 16:43:06.908313990 CET | 60236 | 23 | 192.168.2.23 | 70.103.100.19
Feb 19, 2025 16:43:06.908314943 CET | 47038 | 23 | 192.168.2.23 | 154.40.24.23
Feb 19, 2025 16:43:06.908356905 CET | 40008 | 23 | 192.168.2.23 | 212.75.95.238
Feb 19, 2025 16:43:06.908369064 CET | 42974 | 23 | 192.168.2.23 | 220.176.241.21
Feb 19, 2025 16:43:08.904047966 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:08.909066916 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:08.909147978 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:09.488562107 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:09.488626003 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:09.581159115 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:09.581217051 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:11.619059086 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Feb 19, 2025 16:43:12.638926029 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Feb 19, 2025 16:43:13.540966034 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:13.546540976 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:23.549429893 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:23.554744959 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:23.554845095 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:23.559951067 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:27.228972912 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Feb 19, 2025 16:43:36.731590986 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:36.736733913 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:36.736816883 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:43:36.741940975 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:37.467449903 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Feb 19, 2025 16:43:43.610629082 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Feb 19, 2025 16:43:50.870881081 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:43:50.870959997 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:00.876193047 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:00.881217003 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:00.881303072 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:00.887028933 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:08.183211088 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Feb 19, 2025 16:44:15.570141077 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:15.575372934 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:15.575423002 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:15.580568075 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:28.660288095 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Feb 19, 2025 16:44:30.576076984 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:30.581212997 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:30.581269979 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:30.586298943 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:45.582096100 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:45.587328911 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:44:45.587420940 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:44:45.592541933 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:00.143996000 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:00.149097919 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:00.149152040 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:00.155272007 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:01.896770000 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:01.896876097 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:14.897958040 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:14.903242111 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:14.903326988 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:14.908333063 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:28.800040007 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:28.805119991 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:28.805244923 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:28.810512066 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:41.361053944 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:41.366153955 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:41.366219997 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:41.371212006 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:54.778991938 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:54.784132004 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:45:54.784204960 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:45:54.789210081 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:46:08.466439962 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:46:08.473768950 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:46:08.473882914 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
Feb 19, 2025 16:46:08.478977919 CET | 10298 | 56448 | 64.23.188.144 | 192.168.2.23
Feb 19, 2025 16:46:22.140077114 CET | 56448 | 10298 | 192.168.2.23 | 64.23.188.144
                                                              Feb 19, 2025 16:46:22.145169020 CET102985644864.23.188.144192.168.2.23
                                                              Feb 19, 2025 16:46:22.145215988 CET5644810298192.168.2.2364.23.188.144
                                                              Feb 19, 2025 16:46:22.150268078 CET102985644864.23.188.144192.168.2.23
                                                              Feb 19, 2025 16:46:23.922230959 CET102985644864.23.188.144192.168.2.23
                                                              Feb 19, 2025 16:46:23.922358036 CET5644810298192.168.2.2364.23.188.144
                                                              Feb 19, 2025 16:46:36.218687057 CET5644810298192.168.2.2364.23.188.144
                                                              Feb 19, 2025 16:46:36.223843098 CET102985644864.23.188.144192.168.2.23
                                                              Feb 19, 2025 16:46:36.223952055 CET5644810298192.168.2.2364.23.188.144
                                                              Feb 19, 2025 16:46:36.229091883 CET102985644864.23.188.144192.168.2.23
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Feb 19, 2025 16:43:06.864604950 CET  41945        53         192.168.2.23    192.3.165.37
Feb 19, 2025 16:43:08.895504951 CET  37232        53         192.168.2.23    130.61.64.122
Feb 19, 2025 16:43:08.902905941 CET  53           37232      130.61.64.122   192.168.2.23
Feb 19, 2025 16:43:09.909574986 CET  39660        53         192.168.2.23    8.8.8.8
Feb 19, 2025 16:43:09.924650908 CET  53           39660      8.8.8.8         192.168.2.23
Feb 19, 2025 16:43:09.924794912 CET  51781        19302      192.168.2.23    74.125.250.129
Feb 19, 2025 16:43:10.392249107 CET  19302        51781      74.125.250.129  192.168.2.23
Timestamp                            Source IP      Dest IP        Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Feb 19, 2025 16:43:06.864604950 CET  192.168.2.23   192.3.165.37   0xb137    Standard query (0)  lib.libre          16              IN (0x0001)  false
Feb 19, 2025 16:43:08.895504951 CET  192.168.2.23   130.61.64.122  0x906d    Standard query (0)  lib.libre          16              IN (0x0001)  false
Feb 19, 2025 16:43:09.909574986 CET  192.168.2.23   8.8.8.8        0x47ae    Standard query (0)  stun.l.google.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP      Dest IP       Trans ID  Reply Code    Name               CName  Address         Type                Class        DNS over HTTPS
Feb 19, 2025 16:43:08.902905941 CET  130.61.64.122  192.168.2.23  0x906d    No error (0)  lib.libre          -      -               TXT (Text strings)  IN (0x0001)  false
Feb 19, 2025 16:43:09.924650908 CET  8.8.8.8        192.168.2.23  0x47ae    No error (0)  stun.l.google.com  -      74.125.250.129  A (IP address)      IN (0x0001)  false

System Behavior

Start time (UTC): 15:43:04
Start date (UTC): 19/02/2025
Path: /tmp/i686.elf
Arguments: /tmp/i686.elf
File size: 88768 bytes
MD5 hash: 33035ce545aeca7452edab105f2177d2

Start time (UTC): 15:43:05
Start date (UTC): 19/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 88768 bytes
MD5 hash: 33035ce545aeca7452edab105f2177d2

Start time (UTC): 15:43:05
Start date (UTC): 19/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 88768 bytes
MD5 hash: 33035ce545aeca7452edab105f2177d2

Start time (UTC): 15:43:05
Start date (UTC): 19/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 88768 bytes
MD5 hash: 33035ce545aeca7452edab105f2177d2

Start time (UTC): 15:43:06
Start date (UTC): 19/02/2025
Path: /tmp/i686.elf
Arguments: -
File size: 88768 bytes
MD5 hash: 33035ce545aeca7452edab105f2177d2