
Linux Analysis Report
i686.elf

Overview

General Information

Sample name: i686.elf
Analysis ID: 1623228
MD5: 3061ee47035f45105daea30774fc8e83
SHA1: ff53726727e12f1918456e24bb4c80735fc043fd
SHA256: 3be727f3450c70c22b0da77830d82a1fd08c8cf88b887c707b6f318031284a4e
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 76 (range 0 - 100)

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Performs DNS TXT record lookups
Sample reads /proc/mounts (often used for finding a writable filesystem)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Yara signature match

Classification

Trojan / Bot, Evader (label: mal76.troj.evad.linELF@0/0@4/0; the other categories of the classification legend did not match)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1623228
Start date and time: 2025-02-25 02:52:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: i686.elf
Detection: MAL
Classification: mal76.troj.evad.linELF@0/0@4/0
Command: /tmp/i686.elf
PID: 5489
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life
Standard Error: (empty)

Process tree (guest system: lnxubuntu20):
  • i686.elf (PID: 5489, Parent: 5414, MD5: 3061ee47035f45105daea30774fc8e83) Arguments: /tmp/i686.elf
    • i686.elf New Fork (PID: 5491, Parent: 5489)
    • i686.elf New Fork (PID: 5492, Parent: 5489)
    • i686.elf New Fork (PID: 5508, Parent: 5489)
    • i686.elf New Fork (PID: 5555, Parent: 5489)
  • cleanup (sandbox cleanup step, not sample activity)
Malware family
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the sample file i686.elf:
  JoeSecurity_Mirai_8: Yara detected Mirai (author: Joe Security)
  Linux_Trojan_Gafgyt_9e9530a7 (author unknown): $a at 0xd944: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
  Linux_Trojan_Gafgyt_807911a2 (author unknown): $a at 0xe133: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
  Linux_Trojan_Gafgyt_d4227dbf (author unknown): $a at 0xa272 and 0xa3d4: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  Linux_Trojan_Gafgyt_d996d335 (author unknown): $a at 0x10b4a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
  (3 further entries are collapsed in the source report; the complete rule list is under System Summary)

Yara matches on memory dump 5489.1.0000000000400000.0000000000414000.r-x.sdmp (PID 5489, r-x mapping 0x400000-0x414000):
  The same five rules as above, with the same $a strings at the same offsets (0xd944, 0xe133, 0xa272 and 0xa3d4, 0x10b4a)
  (11 further entries are collapsed in the source report)
      No Suricata rule has matched
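The string hits above can be reproduced without Yara. The script below is an added example, not part of the report and not the Elastic rules themselves: it scans a file for the four hex strings listed in the report, compares the offsets it finds with the offsets the report gives, and reads e_machine from the ELF header. The header check is worth doing here because the file name says i686 while the matched bytes are 64-bit code: 0x48 is the REX.W prefix, 0F 05 is the syscall instruction, and the 9e9530a7 string B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF is the x86-64 stub mov eax, 54; syscall; cmp rax, -4096 (syscall 54 is setsockopt on x86-64), and the dump region starting at 0x400000 is the x86-64 non-PIE load address. Run it against the real sample to confirm; build_synthetic_sample() is a constructed stand-in buffer (an x86-64 ELF header, zeros, and the reported strings planted at the reported offsets) that exists only so the script can be exercised offline.

```python
import struct
import sys
from typing import Dict, List, Optional

# Hex strings exactly as listed in the report for the four rules shown,
# and the file offsets at which the report says they matched.
REPORTED_STRINGS = {
    "Linux_Trojan_Gafgyt_9e9530a7": "F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3",
    "Linux_Trojan_Gafgyt_807911a2": "FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D",
    "Linux_Trojan_Gafgyt_d4227dbf": "FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00",
    "Linux_Trojan_Gafgyt_d996d335": "D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0",
}
REPORTED_OFFSETS = {
    "Linux_Trojan_Gafgyt_9e9530a7": [0xD944],
    "Linux_Trojan_Gafgyt_807911a2": [0xE133],
    "Linux_Trojan_Gafgyt_d4227dbf": [0xA272, 0xA3D4],
    "Linux_Trojan_Gafgyt_d996d335": [0x10B4A],
}

EM_386, EM_X86_64 = 3, 62
MACHINE_NAMES = {EM_386: "x86 (32-bit)", EM_X86_64: "x86-64"}


def elf_machine(data: bytes) -> Optional[int]:
    """Return e_machine from the ELF header, or None if this is not an ELF file.
    e_machine is the 16-bit field at offset 18, in the byte order given by EI_DATA."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"
    return struct.unpack(endian + "H", data[18:20])[0]


def find_all(data: bytes, needle: bytes) -> List[int]:
    """All offsets at which needle occurs in data (overlapping hits included)."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1


def check_reported_hits(data: bytes) -> Dict[str, dict]:
    """Scan for each reported string and compare the offsets with the report."""
    result = {}
    for rule, hexstr in REPORTED_STRINGS.items():
        found = find_all(data, bytes.fromhex(hexstr))
        result[rule] = {"found_at": found, "matches_report": found == REPORTED_OFFSETS[rule]}
    return result


def build_synthetic_sample() -> bytes:
    """Constructed stand-in for i686.elf (the real sample is not reproduced here):
    a little-endian x86-64 ELF header followed by zeros, with each reported
    string planted at the offset the report gives for it."""
    buf = bytearray(0x11000)
    buf[:20] = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HH", 2, EM_X86_64)
    for rule, hexstr in REPORTED_STRINGS.items():
        needle = bytes.fromhex(hexstr)
        for off in REPORTED_OFFSETS[rule]:
            buf[off:off + len(needle)] = needle
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_sample()
    m = elf_machine(data)
    print("e_machine:", m, MACHINE_NAMES.get(m, "other / not an ELF file"))
    for rule, r in check_reported_hits(data).items():
        print(f"{rule}: {[hex(o) for o in r['found_at']]} matches report: {r['matches_report']}")
```

Usage: `python3 check_hits.py i686.elf`. If the real file reports e_machine 62, the i686 name is just the dropper's label for the build slot, which is common in multi-architecture Mirai/Gafgyt drop scripts. Note that six of the seven rules listed under System Summary are Gafgyt rules on a sample classified as Mirai; Mirai-derived variants routinely reuse Gafgyt (Bashlite) code, so this is expected rather than contradictory.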


      AV Detection

Source: i686.elf. VirusTotal: Detection: 28%
Source: i686.elf. ReversingLabs: Detection: 28%

      Networking

Source: unknown. DNS query: name: stun.l.google.com
Source: global traffic. TCP traffic: 192.168.2.14:52696 -> 154.205.155.219:8080
Source: global traffic. UDP traffic: 192.168.2.14:47585 -> 74.125.250.129:19302
Source: /tmp/i686.elf (PID: 5489). Socket: 127.0.0.1:43478
Source: unknown. TCP traffic detected without corresponding DNS query (destination: number of events):
  154.205.155.219: 34
  136.228.15.199: 4
  142.182.33.45: 4
  3.169.64.103: 4
  191.53.238.183: 4
  (destination ports for the last four are not given in the report)
Source: global traffic. DNS traffic detected: DNS query: lib.libre
Source: global traffic. DNS traffic detected: DNS query: stun.l.google.com
Source: global traffic. DNS traffic detected: DNS query: daisy.ubuntu.com

Reading the traffic:
  154.205.155.219:8080 is the only destination contacted repeatedly (34 events) on a non-standard port with no preceding DNS lookup, which makes it the candidate hard-coded C2 address; treat IP and port together as the indicator.
  The UDP datagram to 74.125.250.129:19302 follows the stun.l.google.com query; 19302 is the port Google's STUN service listens on, so the sample is learning its public address (the "NAT traversal" signature above).
  A socket bound to 127.0.0.1:43478 is consistent with the Mirai-family single-instance check (the original Mirai source binds 127.0.0.1:48101 for this purpose).
  daisy.ubuntu.com is the Ubuntu error-reporting (apport/whoopsie) endpoint of the guest OS and should be treated as background noise, not as sample activity.
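The "TCP traffic without corresponding DNS query" signature is easy to reproduce on your own telemetry. The script below is an added example, not Joe Sandbox code: it correlates a DNS answer log with a connection log, flags destinations that were never resolved before being contacted, tags UDP to STUN ports, and tags TCP to ports outside a small allow-list. Both log excerpts are constructed in a simplified format: the STUN flow and the 154.205.155.219:8080 flows mirror the report, the resolution of stun.l.google.com to 74.125.250.129 is assumed from the query/flow order in the report, and the 203.0.113.10 and 198.51.100.7 entries are documentation-range placeholders standing in for benign host traffic. With Zeek you would feed the answers field of dns.log and the id.resp_h/id.resp_p columns of conn.log instead.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log excerpts (not real captures), modelled on the report's traffic.
# DNS_LOG:  ts src query rtype answer      CONN_LOG: ts proto src sport dst dport
DNS_LOG = """\
1740448340 192.168.2.14 stun.l.google.com A 74.125.250.129
1740448341 192.168.2.14 daisy.ubuntu.com A 203.0.113.10
1740448342 192.168.2.14 lib.libre A NXDOMAIN
"""
CONN_LOG = """\
1740448343 udp 192.168.2.14 47585 74.125.250.129 19302
1740448344 tcp 192.168.2.14 52696 154.205.155.219 8080
1740448345 tcp 192.168.2.14 52700 154.205.155.219 8080
1740448346 tcp 192.168.2.14 52704 154.205.155.219 8080
1740448347 tcp 192.168.2.14 52708 203.0.113.10 443
1740448348 tcp 192.168.2.14 52712 198.51.100.7 80
"""

STUN_PORTS = {3478, 19302}                 # RFC 5389 default and Google's STUN port
COMMON_TCP_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995}
# Excluded explicitly rather than via ip_address().is_private, which also
# treats the documentation ranges used in the constructed logs as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_dns(text: str) -> List[Tuple[int, str, str]]:
    """(ts, name, answer_ip) for every successful A/AAAA answer."""
    out = []
    for line in text.splitlines():
        ts, _src, name, rtype, answer = line.split()
        if rtype in ("A", "AAAA") and answer != "NXDOMAIN":
            out.append((int(ts), name, answer))
    return out


def parse_conn(text: str) -> List[dict]:
    out = []
    for line in text.splitlines():
        ts, proto, src, sport, dst, dport = line.split()
        out.append({"ts": int(ts), "proto": proto, "src": src,
                    "sport": int(sport), "dst": dst, "dport": int(dport)})
    return out


def flag_connections(dns_text: str, conn_text: str) -> Dict[Tuple[str, int], dict]:
    """Aggregate flows per (dst, dport) and attach reasons:
    no_dns            - destination never appeared in a DNS answer before the flow
    stun              - UDP to a STUN port (public-address discovery)
    non_standard_port - TCP to a port outside COMMON_TCP_PORTS
    Only (dst, dport) pairs with at least one reason are returned."""
    answers = parse_dns(dns_text)
    flows: Dict[Tuple[str, int], dict] = defaultdict(
        lambda: {"count": 0, "reasons": set(), "names": set()})
    for c in parse_conn(conn_text):
        dst = ipaddress.ip_address(c["dst"])
        if any(dst in net for net in LOCAL_NETS):
            continue                                   # local traffic is out of scope here
        entry = flows[(c["dst"], c["dport"])]
        entry["count"] += 1
        # Only answers seen before this flow count as "corresponding".
        names = {name for ts, name, ip in answers if ip == c["dst"] and ts <= c["ts"]}
        entry["names"] |= names
        if not names:
            entry["reasons"].add("no_dns")
        if c["proto"] == "udp" and c["dport"] in STUN_PORTS:
            entry["reasons"].add("stun")
        if c["proto"] == "tcp" and c["dport"] not in COMMON_TCP_PORTS:
            entry["reasons"].add("non_standard_port")
    return {k: v for k, v in flows.items() if v["reasons"]}


if __name__ == "__main__":
    for (dst, dport), info in sorted(flag_connections(DNS_LOG, CONN_LOG).items(),
                                     key=lambda kv: -kv[1]["count"]):
        print(f"{dst}:{dport}  events={info['count']}  reasons={sorted(info['reasons'])}  "
              f"names={sorted(info['names'])}")
```

The ordering check (answer timestamp at or before the flow) is what distinguishes this from a simple set lookup: a resolution that arrives after the connection does not explain it. On real data, also exclude your own resolver, NTP and OS update hosts before alerting on no_dns, otherwise the rule is noisy.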

      System Summary

Yara rules matched. The same seven rules hit the sample file i686.elf (type: SAMPLE) and the memory dumps 5489.1.0000000000400000.0000000000414000.r-x.sdmp and 5508.1.0000000000400000.0000000000414000.r-x.sdmp (type: MEMORY); the author is reported as unknown for all of them.

Rule | threat_name | reference_sample | fingerprint | id
Linux_Trojan_Gafgyt_9e9530a7 | Linux.Trojan.Gafgyt | 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961 | d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50 | 9e9530a7-ad4d-4a44-b764-437b7621052f
Linux_Trojan_Gafgyt_807911a2 | Linux.Trojan.Gafgyt | (none) | f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f | 807911a2-f6ec-4e65-924f-61cb065dafc6
Linux_Trojan_Gafgyt_d4227dbf | Linux.Trojan.Gafgyt | 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961 | 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3 | d4227dbf-6ab4-4637-a6ba-0e604acaafb4
Linux_Trojan_Gafgyt_d996d335 | Linux.Trojan.Gafgyt | b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda | e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac | d996d335-e049-4052-bf36-6cd07c911a8b
Linux_Trojan_Gafgyt_620087b9 | Linux.Trojan.Gafgyt | 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961 | 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307 | 620087b9-c87d-4752-89e8-ca1c16486b28
Linux_Trojan_Gafgyt_33b4111a | Linux.Trojan.Gafgyt | 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961 | 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e | 33b4111a-e59e-48db-9d74-34ca44fcd9f5
Linux_Trojan_Mirai_1cb033f3 | Linux.Trojan.Mirai | (none) | 49201ab37ff0b5cdfa9b0b34b6faa170bd25f04df51c24b0b558b7534fecc358 | 1cb033f3-68c1-4fe5-9cd1-b5d066c1d86e

Metadata common to all seven rules as rendered in the report: os = linux, severity = x86, creation_date = 2021-01-12, last_modified = 2021-09-16, scan_context = file, memory, license = Elastic License v2.

Source: ELF static info symbol of initial sample. .symtab present: no (the binary is stripped)
Source: /tmp/i686.elf (PID: 5489). SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/i686.elf (PID: 5489). SIGKILL sent: pid: 1300, result: successful
Source: /tmp/i686.elf (PID: 5489). SIGKILL sent: pid: 2956, result: successful
Source: /tmp/i686.elf (PID: 5491). SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/i686.elf (PID: 5491). SIGKILL sent: pid: 1300, result: successful
Source: /tmp/i686.elf (PID: 5491). SIGKILL sent: pid: 2956, result: successful
Note on "result: successful" for pid 1: this records that the kill() system call returned 0, not that init died. The kernel discards fatal signals sent to the init task from user space (the SIGNAL_UNKILLABLE flag), so init survives a SIGKILL from a root process; the signal to pid 1 is therefore a behavioural indicator, not a working attack on the host.
Source: classification engine. Classification label: mal76.troj.evad.linELF@0/0@4/0

      Persistence and Installation Behavior

Source: /tmp/i686.elf (PID: 5489). File: /proc/5489/mounts
Source: /tmp/i686.elf (PID: 5491). File: /proc/5491/mounts
Source: /tmp/i686.elf (PID: 5492). File opened: /proc/<pid>/maps and /proc/<pid>/cmdline for pids 5782, 5706, 5707, 5708, 5709 (twice), 5874, 5699, 5710 (twice), 5700, 5711 (twice), 5931, 5701, 5712 (twice), 5734, 5844, 5888, 5702, 5713 (twice), 5703, 5714 (twice), 5879, 5704, 5705
Source: /tmp/i686.elf (PID: 5491). File opened: /proc/<pid>/maps and /proc/<pid>/cmdline for pids 3120, 3361, 1577, 1610, 1299, 3235, 2946, 3134, 1593, 2955, 3406, 1, 3129, 1588, 3402, 3246, 3245, 767, 800, 801; /proc/<pid>/maps only for pids 3244, 3239, 917, 3011, 3094, 1589, 3125, 888

This is the process-enumeration loop behind the "Enumerates processes within the proc file system" and "tries to kill a process (SIGKILL)" signatures: each forked worker walks /proc, reads the command line and memory map of every process it can see, and the SIGKILL entries under System Summary show what it then killed. The /proc/<pid>/mounts reads serve the other signature, locating a writable filesystem.

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: lib.libre

Stealing of Sensitive Information

Source: Yara match | File source: i686.elf, type: SAMPLE
Source: Yara match | File source: 5489.1.0000000000400000.0000000000414000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5508.1.0000000000400000.0000000000414000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: i686.elf, type: SAMPLE
Source: Yara match | File source: 5489.1.0000000000400000.0000000000414000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5508.1.0000000000400000.0000000000414000.r-x.sdmp, type: MEMORY
ATT&CK matrix (tactic: techniques; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery (1); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found

Behavior graph (ID 1623228, sample i686.elf, start date 25/02/2025, architecture LINUX, score 76): the main i686.elf process contacts stun.l.google.com (signature: uses STUN server to do NAT traversal), lib.libre (signature: performs DNS TXT record lookups) and 8 other IPs or domains; it reads /proc/mounts (often used for finding a writable filesystem) and starts four child i686.elf processes, the first of which also reads /proc/mounts. Sample-level signatures shown on the graph: malicious sample detected (through community Yara rule), multi AV scanner detection for submitted file, Yara detected Mirai.

Source | Detection | Scanner | Label
i686.elf | 29% | Virustotal |
i686.elf | 29% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high
stun.l.google.com | 74.125.250.129 | true | false | | high
lib.libre | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.182.33.45 | unknown | Canada | 577 | BACOMCA | false
136.228.15.199 | unknown | United States | 36351 | SOFTLAYERUS | false
191.53.238.183 | unknown | Brazil | 28202 | RedeBrasileiradeComunicacaoLtdaBR | false
3.169.64.103 | unknown | United States | 16509 | AMAZON-02US | false
74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLEUS | false
141.10.252.172 | unknown | Germany | 553 | BELWUEBelWue-KoordinationEU | false
154.205.155.219 | unknown | Seychelles | 26484 | IKGUL-26484US | false
No created / dropped files found

File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.116103794367015
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: i686.elf
File size: 87'904 bytes
MD5: 3061ee47035f45105daea30774fc8e83
SHA1: ff53726727e12f1918456e24bb4c80735fc043fd
SHA256: 3be727f3450c70c22b0da77830d82a1fd08c8cf88b887c707b6f318031284a4e
SHA512: 78f4de7c304715fcc4ba46b0e8314c60d1426887cbd0ca43f36b7b49ace8c48d2161adf4d66441f3671d7ba60c242037c785140859927f77d9f26345bc2c71fe
SSDEEP: 1536:uXzAZioFYmfwJX+TupQyiha2dyxPFQyBami1t7nVwCX+h0Z0t1:KcFFYmoJX+TRyiJdmWyB01t7nVf+ho0T
TLSH: 5E834A03B5C088FDC499D6348B6FA536D973F06E2235B16B27D0BF226E5EE101F6A119
File Content Preview: .ELF..............>.......@.....@........D..........@.8...@.......................@.......@.....P?......P?......................X?......X?Q.....X?Q.....H.......0p..............Q.td....................................................H...._........H........

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400194
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 3
Section Header Offset: 83168
Section Header Size: 64
Number of Section Headers: 10
Header String Table Index: 9
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x4000e8 | 0xe8 | 0x13 | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x400100 | 0x100 | 0x10e36 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x410f36 | 0x10f36 | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x410f60 | 0x10f60 | 0x2ff0 | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x513f58 | 0x13f58 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.dtors | PROGBITS | 0x513f68 | 0x13f68 | 0x10 | 0x0 | 0x3 | WA | 0 | 0 | 8
.data | PROGBITS | 0x513f80 | 0x13f80 | 0x520 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x5144a0 | 0x144a0 | 0x6ae8 | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x144a0 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x13f50 | 0x13f50 | 6.3743 | 0x5 | R E | 0x100000 | | .init .text .fini .rodata
LOAD | 0x13f58 | 0x513f58 | 0x513f58 | 0x548 | 0x7030 | 2.3741 | 0x6 | RW | 0x100000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |


            • Total Packets: 61
            • 19302 undefined
            • 8080 undefined
            • 53 (DNS)
            • 23 (Telnet)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 25, 2025 02:53:04.750370979 CET | 33614 | 53 | 192.168.2.14 | 162.243.19.47
Feb 25, 2025 02:53:04.844141006 CET | 53 | 33614 | 162.243.19.47 | 192.168.2.14
Feb 25, 2025 02:53:05.846426010 CET | 45041 | 53 | 192.168.2.14 | 8.8.8.8
Feb 25, 2025 02:53:05.855745077 CET | 53 | 45041 | 8.8.8.8 | 192.168.2.14
Feb 25, 2025 02:53:05.855829000 CET | 47585 | 19302 | 192.168.2.14 | 74.125.250.129
Feb 25, 2025 02:53:06.335038900 CET | 19302 | 47585 | 74.125.250.129 | 192.168.2.14
Feb 25, 2025 02:55:48.767369032 CET | 57056 | 53 | 192.168.2.14 | 8.8.8.8
Feb 25, 2025 02:55:48.767469883 CET | 51665 | 53 | 192.168.2.14 | 8.8.8.8
Feb 25, 2025 02:55:48.774602890 CET | 53 | 51665 | 8.8.8.8 | 192.168.2.14
Feb 25, 2025 02:55:48.774646997 CET | 53 | 57056 | 8.8.8.8 | 192.168.2.14

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 25, 2025 02:53:04.750370979 CET | 192.168.2.14 | 162.243.19.47 | 0x880b | Standard query (0) | lib.libre | 16 (TXT) | IN (0x0001) | false
Feb 25, 2025 02:53:05.846426010 CET | 192.168.2.14 | 8.8.8.8 | 0x82d | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false
Feb 25, 2025 02:55:48.767369032 CET | 192.168.2.14 | 8.8.8.8 | 0x1d9f | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Feb 25, 2025 02:55:48.767469883 CET | 192.168.2.14 | 8.8.8.8 | 0x36f5 | Standard query (0) | daisy.ubuntu.com | 28 (AAAA) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 25, 2025 02:53:04.844141006 CET | 162.243.19.47 | 192.168.2.14 | 0x880b | No error (0) | lib.libre | | | TXT (Text strings) | IN (0x0001) | false
Feb 25, 2025 02:53:05.855745077 CET | 8.8.8.8 | 192.168.2.14 | 0x82d | No error (0) | stun.l.google.com | | 74.125.250.129 | A (IP address) | IN (0x0001) | false
Feb 25, 2025 02:55:48.774646997 CET | 8.8.8.8 | 192.168.2.14 | 0x1d9f | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Feb 25, 2025 02:55:48.774646997 CET | 8.8.8.8 | 192.168.2.14 | 0x1d9f | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC) | Start date (UTC) | Path | Arguments | File size | MD5 hash
01:53:03 | 25/02/2025 | /tmp/i686.elf | /tmp/i686.elf | 87904 bytes | 3061ee47035f45105daea30774fc8e83
01:53:03 | 25/02/2025 | /tmp/i686.elf | - | 87904 bytes | 3061ee47035f45105daea30774fc8e83
01:53:03 | 25/02/2025 | /tmp/i686.elf | - | 87904 bytes | 3061ee47035f45105daea30774fc8e83
01:53:03 | 25/02/2025 | /tmp/i686.elf | - | 87904 bytes | 3061ee47035f45105daea30774fc8e83
01:53:03 | 25/02/2025 | /tmp/i686.elf | - | 87904 bytes | 3061ee47035f45105daea30774fc8e83