
Linux Analysis Report
m68k.nn.elf

Overview

General Information

Sample name:m68k.nn.elf
Analysis ID:1625081
MD5:cc65c4901bad08321dae9a12315b6093
SHA1:0e521686aa6f7ced3612531c959929f696f6984c
SHA256:9809efe76a27f9e1ae19d235f8ff88d6e4be3355e2adb1cbfcca9f9db57b2dcd
Tags: elf, user-abuse_ch

Detection

Mirai, Okiru
Score:64
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Executes the "rm" command used to delete files or directories (in this run the rm processes, PIDs 5548 and 5557, are children of the dash shell PID 3578, not of the sample process 5423; see the process tree and the behaviour sources below)
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1625081
Start date and time:2025-02-26 19:32:16 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:m68k.nn.elf
Detection:MAL
Classification:mal64.troj.linELF@0/2@2/0
Command:/tmp/m68k.nn.elf
PID:5423
Exit Code:139
Exit Code Info:SIGSEGV (11) Segmentation fault invalid memory reference
Killed:False
Standard Output:

Standard Error:qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  • system is lnxubuntu20
  • m68k.nn.elf (PID: 5423, Parent: 5347, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/m68k.nn.elf
    Note: the MD5 recorded for this process differs from the sample's own (cc65c4901bad08321dae9a12315b6093). An m68k binary cannot execute natively on the x64 analysis host; the stderr line above and the process memory strings further down (/usr/bin/qemu-m68k, /etc/qemu-binfmt/m68k) show it was run under the qemu-m68k user-mode emulator, which then reported SIGSEGV for the guest.
  • udisksd New Fork (PID: 5433, Parent: 802)
  • dumpe2fs (PID: 5433, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • udisksd New Fork (PID: 5491, Parent: 802)
  • dumpe2fs (PID: 5491, Parent: 802, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0
  • dash New Fork (PID: 5548, Parent: 3578)
  • rm (PID: 5548, Parent: 3578, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Mkro99Z9Sh /tmp/tmp.Zu0pFWIQU3 /tmp/tmp.LX4Xwwup40
  • dash New Fork (PID: 5549, Parent: 3578)
  • cat (PID: 5549, Parent: 3578, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.Mkro99Z9Sh
  • dash New Fork (PID: 5550, Parent: 3578)
  • head (PID: 5550, Parent: 3578, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5551, Parent: 3578)
  • tr (PID: 5551, Parent: 3578, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5552, Parent: 3578)
  • cut (PID: 5552, Parent: 3578, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5553, Parent: 3578)
  • cat (PID: 5553, Parent: 3578, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.Mkro99Z9Sh
  • dash New Fork (PID: 5554, Parent: 3578)
  • head (PID: 5554, Parent: 3578, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5555, Parent: 3578)
  • tr (PID: 5555, Parent: 3578, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5556, Parent: 3578)
  • cut (PID: 5556, Parent: 3578, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5557, Parent: 3578)
  • rm (PID: 5557, Parent: 3578, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Mkro99Z9Sh /tmp/tmp.Zu0pFWIQU3 /tmp/tmp.LX4Xwwup40
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author
m68k.nn.elf | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
m68k.nn.elf | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
5423.1.00007f6620001000.00007f6620018000.r-x.sdmp | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
5423.1.00007f6620001000.00007f6620018000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
Process Memory Space: m68k.nn.elf PID: 5423 | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
            No Suricata rule has matched


            AV Detection

Source: m68k.nn.elf | ReversingLabs: Detection: 23%
Source: unknown | HTTPS traffic detected: 34.243.160.129:443 -> 192.168.2.13:50528 version: TLS 1.2
Source: m68k.nn.elf | String: getinfo xxx(deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146</proc/%d/exe/./proc/%s/fd/%s%ssocket/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/login176.65.134.15/proc/self/statusTracerPid/proc/1/cgroupkubepods/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot....w/etc/motd/proc/self/cmdline/proc/self/maps/etc/systemd/system/custom.service[Unit]
Source: /tmp/m68k.nn.elf (PID: 5423) | Socket: 127.0.0.1:38242
Source: unknown | TCP traffic detected without corresponding DNS query: 185.125.190.26 (2 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 34.243.160.129 (9 events)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 events)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50528
Source: unknown | Network traffic detected: HTTP traffic on port 50528 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 48202 -> 443
Source: unknown | HTTPS traffic detected: 34.243.160.129:443 -> 192.168.2.13:50528 version: TLS 1.2
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: getinfo xxx(deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146</proc/%d/exe/./proc/%s/fd/%s%ssocket/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/psw
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal64.troj.linELF@0/2@2/0
Source: /usr/bin/dash (PID: 5548) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Mkro99Z9Sh /tmp/tmp.Zu0pFWIQU3 /tmp/tmp.LX4Xwwup40
Source: /usr/bin/dash (PID: 5557) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Mkro99Z9Sh /tmp/tmp.Zu0pFWIQU3 /tmp/tmp.LX4Xwwup40
Source: /tmp/m68k.nn.elf (PID: 5423) | Queries kernel information via 'uname'
Source: m68k.nn.elf, 5423.1.00007fff54860000.00007fff54881000.rw-.sdmp | Binary or memory string: hx86_64/usr/bin/qemu-m68k/tmp/m68k.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.nn.elf
Source: m68k.nn.elf, 5423.1.00005654ba7e8000.00005654ba86d000.rw-.sdmp | Binary or memory string: TV5!/usr/bin/vmtoolsd
Source: m68k.nn.elf, 5423.1.00007fff54860000.00007fff54881000.rw-.sdmp | Binary or memory string: /qemu-open.XXXXX
Source: m68k.nn.elf, 5423.1.00005654ba7e8000.00005654ba86d000.rw-.sdmp | Binary or memory string: /usr/bin/vmtoolsd
Source: m68k.nn.elf, 5423.1.00005654ba7e8000.00005654ba86d000.rw-.sdmp | Binary or memory string: TV!/etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 5423.1.00007fff54860000.00007fff54881000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.nn.elf, 5423.1.00007fff54860000.00007fff54881000.rw-.sdmp | Binary or memory string: TV/tmp/qemu-open.o7py4h-m
Source: m68k.nn.elf, 5423.1.00005654ba7e8000.00005654ba86d000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 5423.1.00007fff54860000.00007fff54881000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.o7py4h
Source: m68k.nn.elf, 5423.1.00007fff54860000.00007fff54881000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Note: the rw- regions quoted above belong to the x86_64 qemu-m68k process that hosts the guest (the 0x00007fff... dump carries its PATH and SUDO_* environment block), so strings such as /usr/bin/vmtoolsd and the qemu-open temp files have to be weighed with that in mind rather than taken as artefacts of the m68k code itself. The only signatures attributed directly to PID 5423 are the loopback socket and the uname query.
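The String: line above is the most useful static evidence in this report, but it is the binary's NUL-separated string table with the separators dropped, so it cannot be split back into individual strings reliably. The following is an added triage helper, not part of the Joe Sandbox report: it pulls out the indicators that have a recognisable shape regardless of where the boundaries fell (dotted-quad addresses, the `<arch>.nn` dropper file names that mark this multi-platform build, a systemd unit path that hints at persistence, and the substrings associated with debugger, container and honeypot checks). STRING_DUMP is copied verbatim from the report; the regexes, the marker list and the field names in the result are this example's own choices.

```python
import re

# Copied from the report's "String:" line for m68k.nn.elf. The binary stores these
# as NUL-separated strings; the report concatenated them, so word boundaries are
# unreliable and the regexes below anchor on shapes (dotted quads, ".nn" suffixes,
# absolute systemd paths) rather than on separators.
STRING_DUMP = (
    "getinfo xxx(deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt"
    "/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/sh"
    "Found And Killed Process: PID=%d, Realpath=%s487154914<146</proc/%d/exe/./proc/%s/fd/%s%ssocket"
    "/tmp/usr/lib/systemd/*/usr/sbin/*/usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd"
    "/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd**deamon*"
    "/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/mnt/sys/boot/media/srv/sbin/etc/dev"
    "/telnethttpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nn"
    "powerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108"
    "mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr"
    "/bin/busybox/usr/lib/systemd/systemdshellvar/run/home/Davincissh/var/spool/var/Sofiasshd"
    "/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/"
    "wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/login"
    "176.65.134.15/proc/self/statusTracerPid/proc/1/cgroupkubepods"
    "/proc filesystem not found. Exiting. gorilla botnet didnt like this honeypot...."
    "w/etc/motd/proc/self/cmdline/proc/self/maps/etc/systemd/system/custom.service[Unit]"
)

# Dotted quad not glued to other digits; octet range is checked separately.
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# The architecture names Mirai-style droppers use; the ".nn" suffix is this build's naming.
ARCH_RE = re.compile(r"(arm\d?|m68k|mips(?:el)?|powerpc|sparc|x86_(?:32|64))\.nn")
SYSTEMD_UNIT_RE = re.compile(r"/etc/systemd/system/[\w.-]+\.service")

# Substrings that signal debugger, container or honeypot checks. The grouping and
# the explanations are assumptions made for this example, not fields of the report.
ANTI_ANALYSIS_MARKERS = {
    "TracerPid": "reads /proc/self/status to see whether a debugger is attached",
    "kubepods": "reads /proc/1/cgroup to detect a Kubernetes pod",
    "/proc filesystem not found": "exits when /proc is missing",
    "honeypot": "refuses to run on a suspected honeypot",
    "(deleted)": "checks whether its own executable was unlinked",
}


def extract_ipv4(blob):
    """Valid IPv4 literals in the blob, sorted and de-duplicated."""
    return sorted({m for m in IPV4_RE.findall(blob)
                   if all(int(o) <= 255 for o in m.split("."))})


def extract_arch_variants(blob):
    """Architecture names of sibling droppers, in order of first appearance."""
    seen = []
    for name in ARCH_RE.findall(blob):
        if name not in seen:
            seen.append(name)
    return seen


def extract_systemd_units(blob):
    return sorted(set(SYSTEMD_UNIT_RE.findall(blob)))


def anti_analysis_markers(blob):
    return {k: v for k, v in ANTI_ANALYSIS_MARKERS.items() if k in blob}


def triage_strings(blob, own_name=None):
    """Summarise what the string dump tells an analyst. own_name is the sample's
    file name, so the dropper list can be cross-checked against the file itself."""
    arches = extract_arch_variants(blob)
    return {
        "ipv4": extract_ipv4(blob),
        "dropper_variants": [a + ".nn" for a in arches],
        "matches_own_name": own_name is not None
                            and any(own_name.startswith(a + ".nn") for a in arches),
        "systemd_units": extract_systemd_units(blob),
        "anti_analysis": anti_analysis_markers(blob),
        "process_killer": "Found And Killed Process" in blob,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_strings(STRING_DUMP, own_name="m68k.nn.elf"), indent=2))
```

Run against the report's dump this yields one address (176.65.134.15, which does not appear in the packet capture below), ten sibling variants including m68k.nn, the custom.service unit path, and all five anti-analysis markers. The tool and daemon names in the kill list (agetty, cron, polkitd, sshd, tcpdump, gdb and so on) are deliberately not extracted, because with the separators gone there is no safe way to tell `wgetcurlping` apart from a single string.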

            Stealing of Sensitive Information

Source: Yara match | File source: m68k.nn.elf, type: SAMPLE
Source: Yara match | File source: 5423.1.00007f6620001000.00007f6620018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: m68k.nn.elf, type: SAMPLE
Source: Yara match | File source: 5423.1.00007f6620001000.00007f6620018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: m68k.nn.elf PID: 5423, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: m68k.nn.elf, type: SAMPLE
Source: Yara match | File source: 5423.1.00007f6620001000.00007f6620018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: m68k.nn.elf, type: SAMPLE
Source: Yara match | File source: 5423.1.00007f6620001000.00007f6620018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: m68k.nn.elf PID: 5423, type: MEMORYSTR
MITRE ATT&CK matrix (only the cells with matched signatures are listed; the remaining cells of the report's grid are the empty placeholders rendered for every tactic)
Tactic | Technique | Matched signatures
Resource Development | Scripting | 1
Persistence | Scripting | 1
Defense Evasion | File Deletion | 1
Discovery | Security Software Discovery | 11
Command and Control | Encrypted Channel | 1
Command and Control | Non-Application Layer Protocol | 1
Command and Control | Application Layer Protocol | 2
            No configs have been found
Behavior graph (ID 1625081, sample m68k.nn.elf, start date 26/02/2025, architecture LINUX, score 64; the graphic itself is not reproduced here)
Network nodes: 185.125.190.26:443 (CANONICAL-ASGB, United Kingdom); 34.243.160.129:443 and :50528 (AMAZON-02US, United States); daisy.ubuntu.com
Signatures on the root node: Multi AV Scanner detection for submitted file; Yara detected Okiru; Yara detected Mirai
Process nodes: udisksd -> dumpe2fs (twice); dash -> rm; 10 other processes
Source | Detection | Scanner | Label
m68k.nn.elf | 24% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches in the remaining tables


Name | IP | Active | Malicious | Antivirus detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | - | high

IP | Domain | Country | ASN | ASN name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
34.243.160.129 | unknown | United States | 16509 | AMAZON-02US | false

Note on the network evidence: daisy.ubuntu.com is Canonical's crash-report submission service (the endpoint whoopsie/apport reports to), both contacted IPs sit in Canonical's and Amazon's ASNs, and every network event in the signature list is recorded with source "unknown" rather than PID 5423. Nothing in this report ties the TLS sessions to the sample, so they should not be read as C2 traffic. The only network indicator that comes from the binary itself is the string 176.65.134.15, and no packet to that address was captured during the run.
Match: 185.125.190.26
Associated sample | Detection | Threat name
.i.elf | malicious | Unknown
na.elf | malicious | Prometei
x86_64.nn.elf | malicious | Mirai, Okiru
arm.nn.elf | malicious | Mirai, Okiru
debug.dbg.elf | malicious | Mirai, Okiru
boatnet.arm6.elf | malicious | Mirai
boatnet.sh4.elf | malicious | Mirai
na.elf | malicious | Prometei
na.elf | malicious | Prometei
na.elf | malicious | Prometei

Match: 34.243.160.129
Associated sample | Detection | Threat name
zbotx86.elf | malicious | Tsunami
na.elf | malicious | Prometei
Space.i686.elf | malicious | Unknown
armv4l.elf | malicious | Unknown
main_arm7.elf | malicious | Mirai
na.elf | malicious | Prometei
Ayedz.x86.elf | malicious | Mirai, Gafgyt
ppc.elf | malicious | Mirai, Moobot
na.elf | malicious | Prometei
ssd.elf | malicious | Gafgyt

Match: daisy.ubuntu.com
Associated sample | Detection | Threat name | Resolved IP
arm.nn.elf | malicious | Mirai, Okiru | 162.213.35.24
arm5.nn.elf | malicious | Mirai, Okiru | 162.213.35.25
.i.elf | malicious | Unknown | 162.213.35.25
x86_64.nn.elf | malicious | Mirai, Okiru | 162.213.35.25
arm.nn.elf | malicious | Mirai, Okiru | 162.213.35.24
debug.dbg.elf | malicious | Mirai, Okiru | 162.213.35.25
zbotmips.elf | malicious | Tsunami | 162.213.35.24
zboti686.elf | malicious | Tsunami | 162.213.35.25
zbotmipsel.elf | malicious | Tsunami | 162.213.35.24
zbotx86.elf | malicious | Tsunami | 162.213.35.25

Match: AMAZON-02US
Associated sample / URL | Detection | Threat name | IP
na.elf | malicious | Prometei | 54.171.230.55
zbotx86.elf | malicious | Tsunami | 34.243.160.129
https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | malicious | HTMLPhisher, Invisible JS | 18.245.33.6
REMITTANCE DETAILS....xlsx | malicious | HTMLPhisher, Invisible JS | 18.245.33.131
REMITTANCE DETAILS....xlsx | malicious | HTMLPhisher, Invisible JS | 18.245.33.131
https://cexpr.es/c?n=9333330072979347 | malicious | Phisher | 99.86.4.119
https://www.dropbox.com/scl/fi/cya4f8tuy3xt9nqu1lgkc/You-have-received-a-new-document.paper?rlkey=hhkjelxu8vk69ysraacvkprk5&st=p3fqq8q7&dl=0 | malicious | Unknown | 143.204.215.83
https://s3.us-east-2.amazonaws.com/pdf.invoices/02-25.html | malicious | HTMLPhisher | 52.219.229.217
TestReach-6.2.0 (1).msi | malicious | Unknown | 65.9.7.42
http://kytelink.com | malicious | Unknown | 76.76.21.21

Match: CANONICAL-ASGB
Associated sample | Detection | Threat name | IP
.i.elf | malicious | Unknown | 185.125.190.26
x86_64.nn.elf | malicious | Mirai, Okiru | 91.189.91.42
powerpc.nn.elf | malicious | Mirai, Okiru | 91.189.91.42
x86_32.nn.elf | malicious | Mirai, Okiru | 91.189.91.42
arm6.nn.elf | malicious | Mirai, Okiru | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
na.elf | malicious | Prometei | 185.125.190.26
sparc.nn.elf | malicious | Mirai, Okiru | 91.189.91.42
na.elf | malicious | Prometei | 91.189.91.42
x86_64.nn.elf | malicious | Mirai, Okiru | 185.125.190.26

Because these IPs and ASNs belong to Canonical and Amazon, overlap in the tables above mainly reflects samples that produced the same analysis-VM background traffic (Ubuntu crash reporting and related services), not shared attacker infrastructure; the sibling *.nn.elf entries are still worth noting as other architectures of the same build.
                                                      No context
                                                      No context
                                                      Process:/tmp/m68k.nn.elf
                                                      File Type:ASCII text
                                                      Category:dropped
                                                      Size (bytes):53
                                                      Entropy (8bit):3.871459242626451
                                                      Encrypted:false
                                                      SSDEEP:3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
                                                      MD5:2BD9B4BE30579E633FC0191AA93DF486
                                                      SHA1:7D63A9BD9662E86666B27C1B50DB8E7370C624FF
                                                      SHA-256:64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
                                                      SHA-512:AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:gorilla botnet is on the device ur not a cat go away.
                                                      Process:/tmp/m68k.nn.elf
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):17
                                                      Entropy (8bit):3.6168746059562227
                                                      Encrypted:false
                                                      SSDEEP:3:TgSC/ANln:TglOn
                                                      MD5:CF5BFD6A623ECC046218AA0EBA4D8FE7
                                                      SHA1:E3F0D3236A8D19B35DB7D7F81FECBA0A5D613E88
                                                      SHA-256:C3A372684D6533CABFEC9940A5B0C21F5CD8C12CE9FECD07DE6D5C5E31C00560
                                                      SHA-512:F2C31F4B0FA981357F508A6C3B32A3DAEDC609FDE9EC704411D022BE11643B7F6EC039421ACB9EDE5334ACA2A7F1068D5B55106F4BF46327A229E2A04D31547B
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:/tmp/m68k.nn.elf.
                                                      File type:ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
                                                      Entropy (8bit):6.407556807023291
                                                      TrID:
                                                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                      File name:m68k.nn.elf
                                                      File size:95'600 bytes
                                                      MD5:cc65c4901bad08321dae9a12315b6093
                                                      SHA1:0e521686aa6f7ced3612531c959929f696f6984c
                                                      SHA256:9809efe76a27f9e1ae19d235f8ff88d6e4be3355e2adb1cbfcca9f9db57b2dcd
                                                      SHA512:577ed654c7fa534a68cfc3bad4fcba1900c63d04474fdc6ac5612a26172aa232d06e4e8d42d9ab57d6f68772cadecb378046ec4d21fc6a007fbdf1a9c8c9197c
                                                      SSDEEP:1536:RFLwR5KaNVgS8PjeJq+q4NeHoIo84VzTfxeChfuzX7GrwIymK/v7:RFLg51NVieJq+7NeHoIIfJhWzLCKT
                                                      TLSH:17933BC6F801CE7EF91EE2BE40270509B531A3A156524B26B7A7BD53ED731E80563EC2
                                                      File Content Preview:.ELF.......................D...4..s......4. ...(......................n...n....... .......n...............g....... .dt.Q............................NV..a....da...M.N^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy..n.N.X.........N^NuNV..N^NuN

                                                      ELF header

                                                      Class:ELF32
                                                      Data:2's complement, big endian
                                                      Version:1 (current)
                                                      Machine:MC68000
                                                      Version Number:0x1
                                                      Type:EXEC (Executable file)
                                                      OS/ABI:UNIX - System V
                                                      ABI Version:0
                                                      Entry Point Address:0x80000144
                                                      Flags:0x0
                                                      ELF Header Size:52
                                                      Program Header Offset:52
                                                      Program Header Size:32
                                                      Number of Program Headers:3
                                                      Section Header Offset:95200
                                                      Section Header Size:40
                                                      Number of Section Headers:10
                                                      Header String Table Index:9
Section headers
Name | Type | Address | Offset | Size | EntSize | Flags | Flags description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80000094 | 0x94 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 2
.text | PROGBITS | 0x800000a8 | 0xa8 | 0x14dba | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x80014e62 | 0x14e62 | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 2
.rodata | PROGBITS | 0x80014e70 | 0x14e70 | 0x203e | 0x0 | 0x2 | A | 0 | 0 | 2
.ctors | PROGBITS | 0x80018eb4 | 0x16eb4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x80018ebc | 0x16ebc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x80018ec8 | 0x16ec8 | 0x4d8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x800193a0 | 0x173a0 | 0x6310 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x173a0 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

Program headers
Type | Offset | Virtual address | Physical address | File size | Memory size | Entropy | Flags | Flags description | Align | Prog interpreter | Section mappings
LOAD | 0x0 | 0x80000000 | 0x80000000 | 0x16eae | 0x16eae | 6.4248 | 0x5 | R E | 0x2000 | | .init .text .fini .rodata
LOAD | 0x16eb4 | 0x80018eb4 | 0x80018eb4 | 0x4ec | 0x67fc | 4.7566 | 0x6 | RW | 0x2000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |
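The header, section and program tables above are internally consistent, and checking that is a routine step before trusting a stripped, statically linked sample: the entry point must fall inside an executable PT_LOAD segment, no segment should be both writable and executable, PT_GNU_STACK should be present and non-executable, the data segment's memory size minus its file size should equal the .bss size, and the section-header table should end exactly at the reported file size. The following Python is an added example, not part of the Joe Sandbox report: it parses an ELF32 big-endian header and its program headers and derives those checks. The input bytes are assembled from the values in the tables (entry 0x80000144, e_phoff 52, e_shoff 95200, three program headers with the listed offsets, sizes and flags); they are not read from the sample, and the function and field names are this example's own. The preview() rendering of the first 48 bytes can be compared against the File Content Preview above.

```python
import struct

# Constants from the ELF specification.
ELFCLASS32, ELFDATA2MSB = 1, 2
EM_68K = 4
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = ">HHIIIIIHHHHHH"   # ELF32 header after the 16-byte e_ident, big-endian
PHDR_FMT = ">IIIIIIII"        # ELF32 program header, big-endian

EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz",
               "p_flags", "p_align")


def parse_ehdr(data):
    """Parse an ELF32 big-endian header; anything else is rejected."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2MSB:
        raise ValueError("this parser only handles ELF32 big-endian images")
    return dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 16)))


def parse_phdrs(data, ehdr):
    segs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        segs.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return segs


def segment_for_vaddr(segs, vaddr):
    """Index of the PT_LOAD segment whose memory image covers vaddr, else None."""
    for i, s in enumerate(segs):
        if s["p_type"] == PT_LOAD and s["p_vaddr"] <= vaddr < s["p_vaddr"] + s["p_memsz"]:
            return i
    return None


def triage_headers(data):
    ehdr = parse_ehdr(data)
    segs = parse_phdrs(data, ehdr)
    loads = [s for s in segs if s["p_type"] == PT_LOAD]
    stack = [s for s in segs if s["p_type"] == PT_GNU_STACK]
    entry_seg = segment_for_vaddr(segs, ehdr["e_entry"])
    return {
        "machine": ehdr["e_machine"],
        "entry": ehdr["e_entry"],
        "entry_in_exec_segment": entry_seg is not None and bool(segs[entry_seg]["p_flags"] & PF_X),
        "wx_segments": [i for i, s in enumerate(segs)
                        if s["p_type"] == PT_LOAD and s["p_flags"] & PF_W and s["p_flags"] & PF_X],
        # Without a PT_GNU_STACK entry the loader falls back to an executable stack.
        "stack_executable": bool(stack[0]["p_flags"] & PF_X) if stack else True,
        "bss_bytes": sum(s["p_memsz"] - s["p_filesz"] for s in loads),
        "loadable_file_end": max(s["p_offset"] + s["p_filesz"] for s in loads),
        # End of the section header table; a smaller file on disk has been truncated.
        "file_size_from_headers": ehdr["e_shoff"] + ehdr["e_shnum"] * ehdr["e_shentsize"],
    }


def preview(data, n=48):
    """Render bytes the way the report's File Content Preview does."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:n])


# Constructed input: an ELF32 big-endian header plus the three program headers, built
# from the values the report lists for m68k.nn.elf. These bytes are NOT taken from the
# sample; they are assembled here so the parser has something to run on offline.
def build_sample_image():
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0, 0]) + bytes(7)
    ehdr = struct.pack(EHDR_FMT, 2, EM_68K, 1, 0x80000144, 52, 95200, 0, 52, 32, 3, 40, 10, 9)
    phdrs = [
        (PT_LOAD, 0x0, 0x80000000, 0x80000000, 0x16EAE, 0x16EAE, PF_R | PF_X, 0x2000),
        (PT_LOAD, 0x16EB4, 0x80018EB4, 0x80018EB4, 0x4EC, 0x67FC, PF_R | PF_W, 0x2000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W, 4),
    ]
    return ident + ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    print(preview(SAMPLE_IMAGE))
    for k, v in triage_headers(SAMPLE_IMAGE).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

On the constructed image the checks come out the way the tables predict: the entry point sits in the R E segment, there is no RWX segment, the GNU_STACK flags are RW, the second LOAD segment's memsz minus filesz is 0x6310 (the .bss size), the loadable data ends at 0x173a0 (where .shstrtab starts), and 95200 + 10 * 40 = 95600 matches the file size the report gives. To run the same checks on a real file, replace SAMPLE_IMAGE with the file's bytes; parse_ehdr refuses little-endian and 64-bit inputs rather than silently misreading them.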


                                                      • Total Packets: 13
                                                      • 443 (HTTPS)
                                                      • 53 (DNS)
Packets on port 443 (HTTPS):

Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
Feb 26, 2025 19:33:05.670376062 CET | 48202       | 443       | 192.168.2.13   | 185.125.190.26
Feb 26, 2025 19:33:15.407742023 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:15.407763004 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:15.407776117 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:15.408062935 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:15.408062935 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:15.408062935 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:15.410634995 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:15.415518045 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:16.124610901 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:16.124950886 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:16.125421047 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:16.134010077 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:16.438323021 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:16.438474894 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:16.440812111 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:16.446185112 CET | 443         | 50528     | 34.243.160.129 | 192.168.2.13
Feb 26, 2025 19:33:16.446255922 CET | 50528       | 443       | 192.168.2.13   | 34.243.160.129
Feb 26, 2025 19:33:37.414417028 CET | 48202       | 443       | 192.168.2.13   | 185.125.190.26
Packets on port 53 (DNS):

Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
Feb 26, 2025 19:32:58.983110905 CET | 58393       | 53        | 192.168.2.13 | 1.1.1.1
Feb 26, 2025 19:32:58.983252048 CET | 42794       | 53        | 192.168.2.13 | 1.1.1.1
Feb 26, 2025 19:32:58.990569115 CET | 53          | 42794     | 1.1.1.1      | 192.168.2.13
Feb 26, 2025 19:32:59.005965948 CET | 53          | 58393     | 1.1.1.1      | 192.168.2.13
DNS queries:

Timestamp                           | Source IP    | Dest IP | Trans ID | OP Code            | Name             | Type           | Class       | DNS over HTTPS
Feb 26, 2025 19:32:58.983110905 CET | 192.168.2.13 | 1.1.1.1 | 0x3eff   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Feb 26, 2025 19:32:58.983252048 CET | 192.168.2.13 | 1.1.1.1 | 0x9003   | Standard query (0) | daisy.ubuntu.com | AAAA (28)      | IN (0x0001) | false
DNS answers:

Timestamp                           | Source IP | Dest IP      | Trans ID | Reply Code   | Name             | CName | Address       | Type           | Class       | DNS over HTTPS
Feb 26, 2025 19:32:59.005965948 CET | 1.1.1.1   | 192.168.2.13 | 0x3eff   | No error (0) | daisy.ubuntu.com |       | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Feb 26, 2025 19:32:59.005965948 CET | 1.1.1.1   | 192.168.2.13 | 0x3eff   | No error (0) | daisy.ubuntu.com |       | 162.213.35.24 | A (IP address) | IN (0x0001) | false
TLS server certificate chain, session Feb 26, 2025 19:33:15.407776117 CET, Source 34.243.160.129:443 to Dest 192.168.2.13:50528 (JA3 SSL Client Fingerprint and JA3 SSL Client Digest: empty in the report):

Certificate  | Subject                       | Issuer                                                    | Not Before                   | Not After
leaf         | CN=motd.ubuntu.com            | CN=R11, O=Let's Encrypt, C=US                             | Sun Jan 05 09:21:36 CET 2025 | Sat Apr 05 10:21:35 CEST 2025
intermediate | CN=R11, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Wed Mar 13 01:00:00 CET 2024 | Sat Mar 13 00:59:59 CET 2027
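The packet, DNS and TLS tables above are easiest to judge once they are folded into flows with whatever name the capture itself justifies. The following is an added example, not part of the Joe Sandbox report: the rows are transcribed from the tables above (a representative subset of the 34.243.160.129 packets) and embedded so it runs offline, names come only from the DNS answer records and the TLS leaf certificate CN on this page, and a peer that neither table explains is reported as unattributed, not as malicious.

```python
"""Correlate the packet, DNS and TLS tables above into per-flow records.

Added example, not part of the Joe Sandbox report. Every row below is
transcribed from the tables above (a representative subset of the
34.243.160.129 packets) and embedded so the script runs offline. Names come
only from what the report observed: DNS answer records and the TLS leaf
certificate CN. A peer that neither table explains is reported as
unattributed, not as malicious.
"""
from collections import defaultdict

SANDBOX_IP = "192.168.2.13"
DNS_TYPES = {1: "A", 28: "AAAA"}      # RFC 1035 / RFC 3596 QTYPE codes

# (timestamp, src_port, dst_port, src_ip, dst_ip) as printed in the packet tables
PACKETS = [
    ("19:32:58.983110905", 58393, 53, SANDBOX_IP, "1.1.1.1"),
    ("19:32:58.983252048", 42794, 53, SANDBOX_IP, "1.1.1.1"),
    ("19:32:58.990569115", 53, 42794, "1.1.1.1", SANDBOX_IP),
    ("19:32:59.005965948", 53, 58393, "1.1.1.1", SANDBOX_IP),
    ("19:33:05.670376062", 48202, 443, SANDBOX_IP, "185.125.190.26"),
    ("19:33:15.407742023", 443, 50528, "34.243.160.129", SANDBOX_IP),
    ("19:33:15.408062935", 50528, 443, SANDBOX_IP, "34.243.160.129"),
    ("19:33:16.446255922", 50528, 443, SANDBOX_IP, "34.243.160.129"),
    ("19:33:37.414417028", 48202, 443, SANDBOX_IP, "185.125.190.26"),
]
DNS_QUERIES = [(0x3EFF, "daisy.ubuntu.com", 1), (0x9003, "daisy.ubuntu.com", 28)]  # (txid, name, qtype)
DNS_ANSWERS = [(0x3EFF, "daisy.ubuntu.com", 1, "162.213.35.25"),                    # (txid, name, type, addr)
               (0x3EFF, "daisy.ubuntu.com", 1, "162.213.35.24")]
TLS_CERTS = [("34.243.160.129", 443, "motd.ubuntu.com")]                            # (server ip, port, leaf CN)


def build_name_map(dns_answers, tls_certs):
    """remote IP -> names the capture itself justifies (DNS answer records, TLS leaf CN)."""
    names = defaultdict(set)
    for _txid, name, _qtype, addr in dns_answers:
        names[addr].add(f"dns:{name}")
    for ip, _port, cn in tls_certs:
        names[ip].add(f"tls-cn:{cn}")
    return names


def summarise_flows(packets, names):
    """Fold packets into (remote ip, remote port, sandbox port) flows with per-direction counts."""
    flows = {}
    for _ts, sport, dport, src, dst in packets:
        if src == SANDBOX_IP:
            key, direction = (dst, dport, sport), "out"
        else:
            key, direction = (src, sport, dport), "in"
        flows.setdefault(key, {"out": 0, "in": 0})[direction] += 1
    report = []
    for (rip, rport, lport), n in sorted(flows.items()):
        report.append({
            "remote": f"{rip}:{rport}", "local_port": lport, "out": n["out"], "in": n["in"],
            "names": sorted(names.get(rip, ())),
            # the resolver itself (port 53) needs no name; any other peer without one is a gap
            "unattributed": rip not in names and rport != 53,
            # outbound packets only: the peer never answered (or its replies were filtered out)
            "one_sided": n["in"] == 0,
        })
    return report


def queries_without_address_records(queries, answers):
    """Queries whose txid has no A/AAAA answer row. For 0x9003 the UDP table still shows a reply
    packet to port 42794, consistent with an empty (NODATA) answer rather than a lost query."""
    answered = {txid for txid, *_ in answers}
    return [(hex(txid), name, DNS_TYPES.get(qtype, str(qtype)))
            for txid, name, qtype in queries if txid not in answered]


def resolved_but_not_contacted(answers, packets):
    """Addresses the sandbox resolved but never sent a packet to."""
    contacted = {dst for _ts, _sp, _dp, src, dst in packets if src == SANDBOX_IP}
    return sorted({addr for *_, addr in answers} - contacted)


if __name__ == "__main__":
    name_map = build_name_map(DNS_ANSWERS, TLS_CERTS)
    for flow in summarise_flows(PACKETS, name_map):
        print(flow)
    print("no address records:", queries_without_address_records(DNS_QUERIES, DNS_ANSWERS))
    print("resolved, never contacted:", resolved_but_not_contacted(DNS_ANSWERS, PACKETS))
```

On these rows the 34.243.160.129:443 flow is explained by the motd.ubuntu.com certificate, the 1.1.1.1 flows are the resolver, the daisy.ubuntu.com addresses were resolved but never contacted, and 185.125.190.26:443 is the one peer with two outbound packets 32 seconds apart, no reply and no name anywhere in the report; that is the flow to pull from the PCAP before drawing conclusions.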

System Behavior

Attribution note: the dash / cat / head -n 10 / tr -d \\000-\\011\\013\\014\\016-\\037 / cut -c -80 / rm -f chain at 18:33:15-18:33:16 UTC (19:33:15 CET in the network tables) has the exact argument shape of Ubuntu's /etc/update-motd.d/50-motd-news script, the same script that fetches motd.ubuntu.com over TLS, and udisksd with dumpe2fs -h /dev/dm-0 is udisks2 probing the disk. Check each process's parent in the tree before attributing any of these to the sample.

                                                      Start time (UTC):18:32:56
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/lib/udisks2/udisksd
                                                      Arguments:-
                                                      File size:483056 bytes
                                                      MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

                                                      Start time (UTC):18:32:56
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/sbin/dumpe2fs
                                                      Arguments:dumpe2fs -h /dev/dm-0
                                                      File size:31112 bytes
                                                      MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

                                                      Start time (UTC):18:32:57
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/lib/udisks2/udisksd
                                                      Arguments:-
                                                      File size:483056 bytes
                                                      MD5 hash:1d7ae439cc3d82fa6b127671ce037a24

                                                      Start time (UTC):18:32:57
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/sbin/dumpe2fs
                                                      Arguments:dumpe2fs -h /dev/dm-0
                                                      File size:31112 bytes
                                                      MD5 hash:5c66f7d8f7681a40562cf049ad4b72b4

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/rm
                                                      Arguments:rm -f /tmp/tmp.Mkro99Z9Sh /tmp/tmp.Zu0pFWIQU3 /tmp/tmp.LX4Xwwup40
                                                      File size:72056 bytes
                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/cat
                                                      Arguments:cat /tmp/tmp.Mkro99Z9Sh
                                                      File size:43416 bytes
                                                      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/head
                                                      Arguments:head -n 10
                                                      File size:47480 bytes
                                                      MD5 hash:fd96a67145172477dd57131396fc9608

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/tr
                                                      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                                                      File size:51544 bytes
                                                      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:15
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/cut
                                                      Arguments:cut -c -80
                                                      File size:47480 bytes
                                                      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/cat
                                                      Arguments:cat /tmp/tmp.Mkro99Z9Sh
                                                      File size:43416 bytes
                                                      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/head
                                                      Arguments:head -n 10
                                                      File size:47480 bytes
                                                      MD5 hash:fd96a67145172477dd57131396fc9608

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/tr
                                                      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                                                      File size:51544 bytes
                                                      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/cut
                                                      Arguments:cut -c -80
                                                      File size:47480 bytes
                                                      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/dash
                                                      Arguments:-
                                                      File size:129816 bytes
                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                      Start time (UTC):18:33:16
                                                      Start date (UTC):26/02/2025
                                                      Path:/usr/bin/rm
                                                      Arguments:rm -f /tmp/tmp.Mkro99Z9Sh /tmp/tmp.Zu0pFWIQU3 /tmp/tmp.LX4Xwwup40
                                                      File size:72056 bytes
                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b