
Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1622987
MD5:ed6cc73153ecd719a1da34916f219508
SHA1:f214060a1ab0640ae4302d6ab2d23c50d3f7e39f
SHA256:70a6afc7a379a718088f1aa68dcd3eb8e0e53adfc3393dadfbb9eb484ac86a5a
Tags:elf, user-abuse_ch

Detection

Mirai
Score:80
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1622987
Start date and time:2025-02-24 19:06:25 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal80.troj.linELF@0/0@2/0
Command:/tmp/arm6.elf
PID:5423
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • arm6.elf (PID: 5423, Parent: 5346, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
  • dash New Fork (PID: 5492, Parent: 3585)
  • rm (PID: 5492, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
  • dash New Fork (PID: 5493, Parent: 3585)
  • rm (PID: 5493, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
  • cleanup
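The process tree above is the only place in the report that says who spawned what. The script below is an added example, not part of the Joe Sandbox report: it parses the tree lines exactly as they appear above (copied in as constructed sample input), walks parent PIDs to decide which processes actually descend from the submitted sample, and checks whether the hash recorded for the sample's PID is the submitted file's hash (it is not, which is the first hint that PID 5423 is an emulator running the ARM binary rather than the binary itself). Function and constant names are this example's own.

```python
"""Attribute process-tree entries to the sample by PID ancestry.

Added example; not part of the Joe Sandbox report. TREE is the report's
process tree copied in as sample input. The code parses it, walks parent
PIDs, and answers two questions an analyst asks before trusting a behaviour
signature: which processes descend from the submitted sample, and does the
hash recorded for the sample's PID match the submitted file (if not, the PID
is an interpreter or emulator running it).
"""
import re

# Constructed from the report's process tree (copied verbatim).
TREE = """\
arm6.elf (PID: 5423, Parent: 5346, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
dash New Fork (PID: 5492, Parent: 3585)
rm (PID: 5492, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
dash New Fork (PID: 5493, Parent: 3585)
rm (PID: 5493, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
"""

SAMPLE_PID = 5423
SAMPLE_MD5 = "ed6cc73153ecd719a1da34916f219508"  # from the report's General Information

LINE = re.compile(
    r"^(?P<image>.+?)(?P<fork> New Fork)? "
    r"\(PID: (?P<pid>\d+), Parent: (?P<ppid>\d+)(?:, MD5: (?P<md5>[0-9a-f]{32}))?\)"
    r"(?: Arguments: (?P<args>.*))?$"
)


def parse_tree(text):
    """Map PID -> {ppid, images, md5, args}. A 'New Fork' line and the later
    exec line share a PID, so images is a list: fork image, then exec image."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        pid, ppid = int(m["pid"]), int(m["ppid"])
        p = procs.setdefault(pid, {"pid": pid, "ppid": ppid, "images": [], "md5": None, "args": None})
        p["images"].append(m["image"])
        if m["md5"]:
            p["md5"] = m["md5"]
        if m["args"]:
            p["args"] = m["args"]
    return procs


def descends_from(procs, pid, root):
    """True if pid is root or root is among its ancestors, as far as the tree
    records them (an unknown parent such as 3585 here ends the walk)."""
    seen = set()
    while pid in procs and pid not in seen:
        if pid == root:
            return True
        seen.add(pid)
        pid = procs[pid]["ppid"]
    return False


def attribute(procs, sample_pid=SAMPLE_PID):
    """Split the tree into (sample and its descendants, everything else)."""
    own, other = [], []
    for pid in sorted(procs):
        (own if descends_from(procs, pid, sample_pid) else other).append(pid)
    return own, other


def sample_executions_of(procs, image, sample_pid=SAMPLE_PID):
    """PIDs that ran `image` and are attributable to the sample. Use this to
    check a signature such as 'Executes the rm command' against the tree."""
    return [pid for pid in sorted(procs)
            if image in procs[pid]["images"] and descends_from(procs, pid, sample_pid)]


def runs_under_wrapper(procs, sample_pid=SAMPLE_PID, sample_md5=SAMPLE_MD5):
    """True when the hash recorded for the sample's PID is not the submitted
    file's hash, i.e. the process image is an interpreter or emulator."""
    md5 = procs[sample_pid]["md5"]
    return md5 is not None and md5 != sample_md5


if __name__ == "__main__":
    procs = parse_tree(TREE)
    own, other = attribute(procs)
    print("sample and descendants:", own)
    print("unrelated to the sample:", other)
    print("rm executions attributable to the sample:", sample_executions_of(procs, "rm"))
    print("sample PID runs under a wrapper/emulator:", runs_under_wrapper(procs))
```

On the report's tree this yields one attributable process (5423) and no rm execution by the sample: both rm processes hang off PID 3585, which the tree does not record as a descendant of 5423.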
Malware family reference
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the submitted file (arm6.elf)

Rule                           Description                         Author
JoeSecurity_Mirai_5            Yara detected Mirai                 Joe Security
JoeSecurity_Mirai_8            Yara detected Mirai                 Joe Security
Linux_Trojan_Gafgyt_28a2fe0c   unknown                             unknown
MAL_ELF_LNX_Mirai_Oct10_2      Detects ELF malware Mirai related   Florian Roth

Matched strings (file offsets):
• Linux_Trojan_Gafgyt_28a2fe0c $a = 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F (ASCII "/x38/xFJ/x93/xID/x9A/x38/xFJ/")
  21 hits at 0x15994, 0x159a8, 0x159bc, 0x159d0, 0x159e4, 0x159f8, 0x15a0c, 0x15a20, 0x15a34, 0x15a48, 0x15a5c, 0x15a70, 0x15a84, 0x15a98, 0x15aac, 0x15ac0, 0x15ad4, 0x15ae8, 0x15afc, 0x15b10, 0x15b24
  The string is 29 bytes long but the hits are 20 bytes apart, so they overlap: the file holds the 20-character sequence "/x38/xFJ/x93/xID/x9A" repeated back to back (at least 429 bytes of it), and every repeat produces one hit.
• MAL_ELF_LNX_Mirai_Oct10_2 $c01 = 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
  1 hit at 0x15914. Decoded, with NUL bytes written as \0: "POST /cdn-cgi/\0\0 HTTP/1.1\r\nUser-Agent: \0\r\nHost:", i.e. the pieces of an HTTP request template stored as adjacent C string literals.
Both strings sit in .rodata, which the section table below places at file offsets 0x15910-0x17760.

Yara matches in process memory

Source: 5423.1.00007f9211e48000.00007f9211e60000.r-x.sdmp (the r-x mapping of PID 5423)
• JoeSecurity_Mirai_5 (Yara detected Mirai, Joe Security)
• JoeSecurity_Mirai_8 (Yara detected Mirai, Joe Security)
• Linux_Trojan_Gafgyt_28a2fe0c (unknown, unknown): $a at the same 21 offsets as in the file, 0x15994 through 0x15b24 in steps of 0x14
• MAL_ELF_LNX_Mirai_Oct10_2 (Detects ELF malware Mirai related, Florian Roth): $c01 at 0x15914

Source: Process Memory Space: arm6.elf PID: 5423
• JoeSecurity_Mirai_8 (Yara detected Mirai, Joe Security)

No Suricata rule has matched
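The two rule strings above can be checked and decoded without YARA. The script below is an added example, not part of the Joe Sandbox report or of the cited YARA rules: it carries the byte patterns exactly as the report lists them, finds every occurrence including overlapping ones (which is how YARA counts plain byte strings), works out the repeat unit behind the 20-byte stride, and splits the HTTP template on its NUL terminators. The buffer it scans is constructed to reproduce the report's layout at the start of .rodata (file offset 0x15910 per the section table), so the offsets come out as in the report; it is not the real arm6.elf, and the filler bytes between the two strings are an assumption.

```python
"""Locate and decode the two rule strings from the report without running YARA.

Added example; not part of the Joe Sandbox report or of the YARA rules it
cites. The byte patterns are the ones the report lists for
Linux_Trojan_Gafgyt_28a2fe0c ($a) and MAL_ELF_LNX_Mirai_Oct10_2 ($c01). The
buffer scanned below is constructed to mimic the start of .rodata (file
offset 0x15910) so that the offsets match the report; it is not arm6.elf.
"""

GAFGYT_A = "Linux_Trojan_Gafgyt_28a2fe0c $a"
MIRAI_C01 = "MAL_ELF_LNX_Mirai_Oct10_2 $c01"

RULE_STRINGS = {
    GAFGYT_A: bytes.fromhex(
        "2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 "
        "2F 78 33 38 2F 78 46 4A 2F"),
    MIRAI_C01: bytes.fromhex(
        "50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 "
        "0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A"),
}

RODATA_FILE_OFFSET = 0x15910  # from the report's section table


def find_all(buf, needle):
    """Every offset of needle in buf, overlapping hits included. YARA reports
    overlapping matches for plain byte strings, which is why a 29-byte string
    can match every 20 bytes in the report."""
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf, base=0):
    """Offsets of each rule string, rebased to file offsets."""
    return {name: [base + off for off in find_all(buf, needle)]
            for name, needle in RULE_STRINGS.items()}


def stride(hits):
    """Distance between consecutive hits when it is uniform, else None."""
    gaps = {b - a for a, b in zip(hits, hits[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def repeat_unit(needle, step):
    """If hits of `needle` recur every `step` bytes with step < len(needle),
    the underlying data is needle[:step] repeated; return that unit."""
    if step is None or step >= len(needle) or needle[step:] != needle[:len(needle) - step]:
        return None
    return needle[:step]


def c_strings(blob):
    """Split on NUL the way the C runtime sees the bytes, so an HTTP template
    stored as several adjacent string literals becomes readable."""
    return [part.decode("ascii", "replace") for part in blob.split(b"\x00")]


def build_rodata():
    """Constructed .rodata image: 4 bytes of padding, the HTTP template at
    .rodata+4 (file offset 0x15914), 81 filler bytes (assumed), then the
    20-byte unit repeated 21 times plus a partial 22nd repeat, which gives
    the report's 21 hits from 0x15994 to 0x15b24."""
    unit = b"/x38/xFJ/x93/xID/x9A"
    return (b"\x00" * 4 + RULE_STRINGS[MIRAI_C01] + b"\x00" * 81
            + unit * 21 + unit[:9])


if __name__ == "__main__":
    hits = scan(build_rodata(), base=RODATA_FILE_OFFSET)
    for name, offs in hits.items():
        print(f"{name}: {len(offs)} hit(s) at {', '.join(hex(o) for o in offs)}")
    step = stride(hits[GAFGYT_A])
    print("stride:", step, "repeat unit:", repeat_unit(RULE_STRINGS[GAFGYT_A], step))
    print("C strings in $c01:", c_strings(RULE_STRINGS[MIRAI_C01]))
```

Run against the real file, `scan(open(path, "rb").read())` with `base=0` gives file offsets directly; the constructed buffer only exists so the example runs offline.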

AV Detection

Source: arm6.elf    Avira: detected
Source: arm6.elf    ReversingLabs: Detection: 68%
Source: arm6.elf    Virustotal: Detection: 59%

Networking

Source: unknown    TCP traffic detected without corresponding DNS query: 185.125.190.26 (reported twice)
Source: global traffic    DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown    Network traffic detected: HTTP traffic on port 48202 -> 443
Source: unknown    Network traffic detected: HTTP traffic on port 443 -> 37678
Source: unknown    Network traffic detected: HTTP traffic on port 37678 -> 443
Note: none of these flows is tied to PID 5423. daisy.ubuntu.com is the endpoint Ubuntu's crash reporter submits to, the two TCP peers sit in Canonical (AS41231) and Amazon (AS16509) address space, and the context tables further down show the same addresses in unrelated submissions. Read them as traffic of the Ubuntu 20.04 analysis host around the sample's crash, not as command-and-control of arm6.elf, which produced no attributable network activity before its SIGSEGV.

System Summary

Yara rule matches (matched strings are listed in the Yara section above):
• arm6.elf (SAMPLE): Linux_Trojan_Gafgyt_28a2fe0c, author unknown. Rule metadata: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
• arm6.elf (SAMPLE): MAL_ELF_LNX_Mirai_Oct10_2 (Detects ELF malware Mirai related), author Florian Roth. Rule metadata: date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, reference = Internal Research
• 5423.1.00007f9211e48000.00007f9211e60000.r-x.sdmp (MEMORY): Linux_Trojan_Gafgyt_28a2fe0c, same metadata as above
• 5423.1.00007f9211e48000.00007f9211e60000.r-x.sdmp (MEMORY): MAL_ELF_LNX_Mirai_Oct10_2, same metadata as above
• Process Memory Space: arm6.elf PID: 5423 (MEMORYSTR): Linux_Trojan_Gafgyt_28a2fe0c, same metadata as above

Source: ELF static info    symbol of initial sample: .symtab present: no
Source: classification engine    Classification label: mal80.troj.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5492)    Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
Source: /usr/bin/dash (PID: 5493)    Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
Note: both rm invocations are forked from PID 3585, which is neither the sample (PID 5423, parent 5346) nor one of its descendants; the process tree records no child of 5423 at all. The deleted names are mktemp-style temporaries, so the "Executes the rm command" signature describes the analysis environment's cleanup rather than behaviour of arm6.elf.
Source: /tmp/arm6.elf (PID: 5423)    Queries kernel information via 'uname'
Note: PID 5423 is qemu-arm running the sample (see the memory strings below), so the uname call can come from the emulator as well as from the emulated code; the signature alone does not show which.

Binary or memory strings of PID 5423 (rw- mappings):
• 5423.1.000055ce38f07000.000055ce39035000.rw-.sdmp: U!/etc/qemu-binfmt/arm
• 5423.1.000055ce38f07000.000055ce39035000.rw-.sdmp: /etc/qemu-binfmt/arm
• 5423.1.00007fffffb12000.00007fffffb33000.rw-.sdmp: /usr/bin/qemu-arm
• 5423.1.00007fffffb12000.00007fffffb33000.rw-.sdmp: fKx86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
• 5423.1.00007fffffb12000.00007fffffb33000.rw-.sdmp: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Note: these are the argv ("/usr/bin/qemu-arm /tmp/arm6.elf") and the environment of the qemu-arm user-mode emulator that binfmt_misc selected to run the ARM binary on the x64 analysis host; SUDO_USER, DISPLAY, XAUTHORITY and PATH belong to the sandbox session, not to the sample. The 0x000055ce... and 0x00007fff... ranges are 64-bit host addresses of the emulator process, not addresses inside arm6.elf.

Stealing of Sensitive Information

Source: Yara match    File source: arm6.elf, type: SAMPLE
Source: Yara match    File source: 5423.1.00007f9211e48000.00007f9211e60000.r-x.sdmp, type: MEMORY
Source: Yara match    File source: Process Memory Space: arm6.elf PID: 5423, type: MEMORYSTR

Remote Access Functionality

Source: Yara match    File source: arm6.elf, type: SAMPLE
Source: Yara match    File source: 5423.1.00007f9211e48000.00007f9211e60000.r-x.sdmp, type: MEMORY
Source: Yara match    File source: Process Memory Space: arm6.elf PID: 5423, type: MEMORYSTR
MITRE ATT&CK mapping (only the matrix cells carrying a signature count are matched; the remaining cells of the rendered matrix are unmatched placeholders and are omitted here)

Tactic                Technique                         Count shown
Defense Evasion       File Deletion                     1
Discovery             Security Software Discovery       11
Command and Control   Encrypted Channel                 1
Command and Control   Non-Application Layer Protocol    1
Command and Control   Application Layer Protocol        2
            No configs have been found
Behavior graph (ID 1622987, sample arm6.elf, start date 24/02/2025, architecture LINUX, score 80; rendered graph not reproduced). Nodes: 185.125.190.26:443 (CANONICAL-ASGB, United Kingdom); 54.217.10.153:37678, 443 (AMAZON-02US, United States); daisy.ubuntu.com. Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai. Processes started: dash -> rm (twice), arm6.elf.
Antivirus results for the submitted file
Source      Detection   Scanner          Label
arm6.elf    68%         ReversingLabs    Linux.Trojan.Mirai
arm6.elf    59%         Virustotal       (see VirusTotal)
arm6.elf    100%        Avira            EXP/ELF.Mirai.Z.A
No Antivirus matches in the remaining AV tables

Network PCAP download: filtered / full

Contacted domains
Name                IP               Active   Malicious   Antivirus Detection   Reputation
daisy.ubuntu.com    162.213.35.24    true     false       none                  high

Contacted IPs
IP                Domain     Country           ASN      ASN Name         Malicious
54.217.10.153     unknown    United States     16509    AMAZON-02US      false
185.125.190.26    unknown    United Kingdom    41231    CANONICAL-ASGB   false
Context: other Joe Sandbox submissions that contacted the same IPs, domain or ASNs (associated sample name or URL, detection, threat name, and where given the address seen)

54.217.10.153
• na.elf (malicious, Prometei)
• spc.elf (malicious, Mirai, Moobot)
• a-r.m-6.Sakura.elf (malicious, Gafgyt, Mirai)
• SecuriteInfo.com.Trojan.Linux.GenericKD.24542.21937.16674.elf (malicious, Unknown)
• hidakibest.mpsl.elf (malicious, Gafgyt, Mirai)
• na.elf (malicious, Prometei)
• 79.124.40.46-mips-2025-01-23T06_57_06.elf (malicious, Mirai, Moobot)
• file.elf (malicious, Unknown)
• Space.arm6.elf (malicious, Unknown)
• RpcSecurity.mips.elf (malicious, Unknown)

185.125.190.26
• main_arm7.elf (malicious, Mirai)
• main_m68k.elf (malicious, Mirai)
• main_sh4.elf (malicious, Mirai)
• main_ppc.elf (malicious, Mirai)
• main_mips.elf (malicious, Mirai)
• debug.dbg.elf (malicious, Mirai)
• mpsl.elf (malicious, Mirai)
• strix.arm5.elf (malicious, Gafgyt, Mirai)
• i686.elf (malicious, Mirai)
• nsharm.elf (malicious, Unknown)

daisy.ubuntu.com
• sshd.elf (malicious, Unknown), resolved to 162.213.35.25
• .i.elf (malicious, Unknown), resolved to 162.213.35.24
• 3atoNational.arm5.elf (malicious, Unknown), resolved to 162.213.35.25
• arm.elf (malicious, Unknown), resolved to 162.213.35.25
• 3atoNational.arm77.elf (malicious, Mirai), resolved to 162.213.35.24
• 3atoNational.m68k.elf (malicious, Unknown), resolved to 162.213.35.24
• 3atoNational.ppc.elf (malicious, Unknown), resolved to 162.213.35.24
• phantom.arm.elf (malicious, Unknown), resolved to 162.213.35.25
• 3atoNational.mpsl7.elf (malicious, Unknown), resolved to 162.213.35.25

CANONICAL-ASGB
• main_arm6.elf (malicious, Mirai), 91.189.91.42
• main_arm5.elf (malicious, Mirai), 91.189.91.42
• main_arm7.elf (malicious, Mirai), 185.125.190.26
• main_m68k.elf (malicious, Mirai), 185.125.190.26
• 194.85.251.31-x86-2025-02-24T17_35_13.elf (malicious, Unknown), 91.189.91.42
• na.elf (malicious, Prometei), 91.189.91.42
• main_x86.elf (malicious, Mirai), 91.189.91.42
• main_sh4.elf (malicious, Mirai), 185.125.190.26
• main_arm.elf (malicious, Mirai), 91.189.91.42
• main_ppc.elf (malicious, Mirai), 185.125.190.26

AMAZON-02US
• mips.elf (malicious, Mirai), 65.11.83.92
• ppc.elf (malicious, Mirai), 13.233.103.202
• arm7.elf (malicious, Mirai), 99.79.220.110
• mpsl.elf (malicious, Mirai), 108.149.101.140
• random.exe (malicious, Credential Flusher), 44.231.111.180
• main_arm7.elf (malicious, Mirai), 34.254.182.186
• random.exe (malicious, Credential Flusher), 52.26.30.181
• 194.85.251.31-x86-2025-02-24T17_35_13.elf (malicious, Unknown), 54.171.230.55
• http://multitran.com/m.exe (malicious, Unknown), 52.30.155.174
• https://f.io/bUMg8j0P (malicious, HTMLPhisher), 76.76.21.93

No context in the remaining context tables.

Reading this context: the Canonical and Amazon addresses recur across submissions of unrelated families, Windows executables and phishing URLs, which is what analysis-environment background traffic looks like; it does not establish shared infrastructure between those samples and arm6.elf.
                                                      No created / dropped files found
                                                      File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                                                      Entropy (8bit):6.10124281518747
                                                      TrID:
                                                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                      File name:arm6.elf
                                                      File size:99'468 bytes
                                                      MD5:ed6cc73153ecd719a1da34916f219508
                                                      SHA1:f214060a1ab0640ae4302d6ab2d23c50d3f7e39f
                                                      SHA256:70a6afc7a379a718088f1aa68dcd3eb8e0e53adfc3393dadfbb9eb484ac86a5a
                                                      SHA512:7b03c0672c0d1aba5d130aa75644f3d4b45b13694bc1b8e05a4e5f925cbb36f5728310c143fbcf565bb1052f6684c1fef9443becdbd90eaad2e0c4afa57a9432
                                                      SSDEEP:1536:uxnQ1zhJJDbhdPI3CD/u5AdGqR5zVMdOkv8a/qXbt6MAeeivUso83FK45wYi:JhzDzDW5aJhMokUa8GePUso83FK46F
                                                      TLSH:DDA32A86BC419A11C6C11677FE2F108E331257ECE2DE73139D245B607BCB91B0E6BA5A
                                                      File Content Preview:.ELF..............(.....T...4...........4. ...(.....................`w..`w..........................8...............Q.td..................................-...L..................@-.,@...0....S..... 0....S.........../..0...0...@..../.8.............-.@0....S

                                                      ELF header

                                                      Class:ELF32
                                                      Data:2's complement, little endian
                                                      Version:1 (current)
                                                      Machine:ARM
                                                      Version Number:0x1
                                                      Type:EXEC (Executable file)
                                                      OS/ABI:UNIX - System V
                                                      ABI Version:0
                                                      Entry Point Address:0x8154
                                                      Flags:0x4000002
                                                      ELF Header Size:52
                                                      Program Header Offset:52
                                                      Program Header Size:32
                                                      Number of Program Headers:3
                                                      Section Header Offset:98988
                                                      Section Header Size:40
                                                      Number of Section Headers:12
                                                      Header String Table Index:11
Section headers
Name              Type             Address    Offset     Size      EntSize   Flags      Link   Info   Align
(null)            NULL             0x0        0x0        0x0       0x0       0x0        0      0      0
.init             PROGBITS         0x8094     0x94       0x10      0x0       0x6 AX     0      0      4
.text             PROGBITS         0x80b0     0xb0       0x1584c   0x0       0x6 AX     0      0      16
.fini             PROGBITS         0x1d8fc    0x158fc    0x10      0x0       0x6 AX     0      0      4
.rodata           PROGBITS         0x1d910    0x15910    0x1e50    0x0       0x2 A      0      0      8
.init_array       INIT_ARRAY       0x20004    0x18008    0x4       0x0       0x3 WA     0      0      4
.fini_array       FINI_ARRAY       0x20008    0x1800c    0x4       0x0       0x3 WA     0      0      4
.got              PROGBITS         0x20010    0x18014    0x78      0x4       0x3 WA     0      0      4
.data             PROGBITS         0x20088    0x1808c    0x1b0     0x0       0x3 WA     0      0      4
.bss              NOBITS           0x20238    0x1823c    0x2758    0x0       0x3 WA     0      0      4
.ARM.attributes   ARM_ATTRIBUTES   0x0        0x1823c    0x10      0x0       0x0        0      0      1
.shstrtab         STRTAB           0x0        0x1824c    0x5d      0x0       0x0        0      0      1

Program headers
Type        Offset     Virtual Address   Physical Address   File Size   Memory Size   Entropy   Flags      Align    Section Mappings
LOAD        0x0        0x8000            0x8000             0x17760     0x17760       6.2028    0x5 R E    0x8000   .init .text .fini .rodata
LOAD        0x18004    0x20004           0x20000            0x238       0xa98c        2.2246    0x6 RW     0x8000   .init_array .fini_array .got .data .bss
GNU_STACK   0x0        0x0               0x0                0x0         0x0           0.0000    0x7 RWE    0x4      (none)

Note: the GNU_STACK segment carries flags 0x7 (RWE), so the binary asks the loader for an executable stack. There is no PT_INTERP or PT_DYNAMIC segment and no .symtab section, which is what the file-type line above summarises as statically linked and stripped. The first LOAD segment maps code and .rodata read-execute; .rodata occupies file offsets 0x15910-0x17760, which is where every Yara string hit listed earlier falls. The section header table starts at offset 98988 (0x182ac) and its 12 entries of 40 bytes end exactly at the 99,468-byte file size.

Network packets (PCAP summary)

• Total Packets: 6
• Ports seen: 443 (HTTPS), 53 (DNS)

TCP packets
Timestamp                            Src Port   Dst Port   Source IP        Dest IP
Feb 24, 2025 19:07:15.647150993 CET   48202      443        192.168.2.13     185.125.190.26
Feb 24, 2025 19:07:37.473978043 CET   37678      443        192.168.2.13     54.217.10.153
Feb 24, 2025 19:07:37.479248047 CET   443        37678      54.217.10.153    192.168.2.13
Feb 24, 2025 19:07:37.479301929 CET   37678      443        192.168.2.13     54.217.10.153
Feb 24, 2025 19:07:47.135272026 CET   48202      443        192.168.2.13     185.125.190.26

UDP packets
Timestamp                            Src Port   Dst Port   Source IP        Dest IP
Feb 24, 2025 19:07:06.799169064 CET   47739      53         192.168.2.13     8.8.8.8
Feb 24, 2025 19:07:06.799273968 CET   59898      53         192.168.2.13     8.8.8.8
Feb 24, 2025 19:07:06.806072950 CET   53         47739      8.8.8.8          192.168.2.13
Feb 24, 2025 19:07:06.806291103 CET   53         59898      8.8.8.8          192.168.2.13

DNS queries
Timestamp                            Source IP       Dest IP   Trans ID   OP Code              Name                Type              Class         DNS over HTTPS
Feb 24, 2025 19:07:06.799169064 CET   192.168.2.13    8.8.8.8   0x6bd0     Standard query (0)   daisy.ubuntu.com    A (IP address)    IN (0x0001)   false
Feb 24, 2025 19:07:06.799273968 CET   192.168.2.13    8.8.8.8   0x46a1     Standard query (0)   daisy.ubuntu.com    28 (AAAA)         IN (0x0001)   false

DNS answers
Timestamp                            Source IP   Dest IP        Trans ID   Reply Code     Name                CName   Address          Type              Class         DNS over HTTPS
Feb 24, 2025 19:07:06.806072950 CET   8.8.8.8     192.168.2.13   0x6bd0     No error (0)   daisy.ubuntu.com    -       162.213.35.24    A (IP address)    IN (0x0001)   false
Feb 24, 2025 19:07:06.806072950 CET   8.8.8.8     192.168.2.13   0x6bd0     No error (0)   daisy.ubuntu.com    -       162.213.35.25    A (IP address)    IN (0x0001)   false

Timeline note: the sample starts at 18:07:04 UTC (19:07:04 CET); the daisy.ubuntu.com lookups follow two seconds later, and the short exchange with 54.217.10.153 at 19:07:37 CET coincides with the dash/rm temporary-file cleanup recorded at 18:07:36 UTC. The two packets to 185.125.190.26 on source port 48202 have no reply in the capture. The resolver answers for daisy.ubuntu.com (162.213.35.24/25) are not among the TCP peers, so the TCP flows are correctly flagged as having no corresponding DNS query.

                                                      System Behavior

Start time (UTC):18:07:04
Start date (UTC):24/02/2025
Path:/tmp/arm6.elf
Arguments:/tmp/arm6.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
Note: this size and hash do not belong to the 99,468-byte sample (MD5 ed6cc73153ecd719a1da34916f219508). The ARM binary was launched through binfmt_misc on the x64 host, so the process image behind PID 5423 is /usr/bin/qemu-arm (the System Summary memory strings show /etc/qemu-binfmt/arm and the argv "/usr/bin/qemu-arm /tmp/arm6.elf"), and the 4,956,856-byte size and MD5 describe the emulator. Exit code 139 (128 + 11) together with "qemu: uncaught target signal 11" means the emulated sample segfaulted, so the dynamic part of this report only covers the time up to that crash.

                                                      Start time (UTC):18:07:36
                                                      Start date (UTC):24/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:07:36
                                                      Start date (UTC):24/02/2025
                                                      Path:/usr/bin/rm
                                                      Arguments:rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
                                                      File size:72056 bytes
                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                      Start time (UTC):18:07:36
                                                      Start date (UTC):24/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:07:36
                                                      Start date (UTC):24/02/2025
                                                      Path:/usr/bin/rm
                                                      Arguments:rm -f /tmp/tmp.4yEsI2x4W3 /tmp/tmp.wUHZUuwH7V /tmp/tmp.41tvO0c3b8
                                                      File size:72056 bytes
                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b