
Linux Analysis Report
hide.spc.elf

Overview

General Information

Sample name:hide.spc.elf
Analysis ID:1635353
MD5:6ef49668b8f7b301e80b882de6b25b10
SHA1:43c265a768ecd1122d7f5622632cc19791f951f8
SHA256:415b0bc279ee6ef354e9620a22cbcccf087493cad137ebb9b4b1fccdd9e2e5cf
Tags: elf, user-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1635353
Start date and time:2025-03-11 16:01:34 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:hide.spc.elf
Detection:MAL
Classification:mal64.linELF@0/0@0/0
Command:/tmp/hide.spc.elf
PID:5421
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
listening tun0
Standard Error:
  • system is lnxubuntu20
  • hide.spc.elf (PID: 5421, Parent: 5345, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/hide.spc.elf
  • dash New Fork (PID: 5437, Parent: 3579)
  • rm (PID: 5437, Parent: 3579, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.gWe27pALSE /tmp/tmp.oHW7nLEKgf /tmp/tmp.ztIh9ksAxl
  • dash New Fork (PID: 5438, Parent: 3579)
  • cat (PID: 5438, Parent: 3579, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.gWe27pALSE
  • dash New Fork (PID: 5439, Parent: 3579)
  • head (PID: 5439, Parent: 3579, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5440, Parent: 3579)
  • tr (PID: 5440, Parent: 3579, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5441, Parent: 3579)
  • cut (PID: 5441, Parent: 3579, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5442, Parent: 3579)
  • cat (PID: 5442, Parent: 3579, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.gWe27pALSE
  • dash New Fork (PID: 5443, Parent: 3579)
  • head (PID: 5443, Parent: 3579, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5444, Parent: 3579)
  • tr (PID: 5444, Parent: 3579, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5445, Parent: 3579)
  • cut (PID: 5445, Parent: 3579, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5446, Parent: 3579)
  • rm (PID: 5446, Parent: 3579, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.gWe27pALSE /tmp/tmp.oHW7nLEKgf /tmp/tmp.ztIh9ksAxl
  • cleanup
Source | Rule | Description | Author | Strings
hide.spc.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0xa8a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa904:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa918:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa92c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa940:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa954:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa968:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa97c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa990:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Source | Rule | Description | Author | Strings
5421.1.00007f61b0011000.00007f61b001d000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0xa8a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa904:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa918:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa92c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa940:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa954:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa968:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa97c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa990:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5425.1.00007f61b0011000.00007f61b001d000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0xa8a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa8f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa904:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa918:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa92c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa940:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa954:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa968:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa97c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa990:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xa9f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xaa30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: hide.spc.elf PID: 5421 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x4a17:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4a2b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4a3f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4a53:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4a67:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4a7b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4a8f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4aa3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4ab7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4acb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4adf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4af3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b07:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b1b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b2f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b43:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b57:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b6b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b7f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b93:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4ba7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: hide.spc.elf PID: 5425 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x424:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x438:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x44c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x460:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x474:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x488:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x49c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x4ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x500:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x514:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x528:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x53c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x550:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x564:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x578:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x58c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x5b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
No Suricata rule has matched


AV Detection

Source: hide.spc.elf, Avira: detected
Source: hide.spc.elf, Virustotal: Detection: 61%
Source: hide.spc.elf, ReversingLabs: Detection: 60%
Source: unknownHTTPS traffic detected: 34.243.160.129:443 -> 192.168.2.13:50528 version: TLS 1.2
Source: global trafficTCP traffic: 192.168.2.13:42810 -> 154.18.239.232:9931
Source: /tmp/hide.spc.elf (PID: 5421), Socket: 127.0.0.1:47849
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 34.243.160.129
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownTCP traffic detected without corresponding DNS query: 154.18.239.232
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50528
Source: unknownNetwork traffic detected: HTTP traffic on port 50528 -> 443
Source: unknownHTTPS traffic detected: 34.243.160.129:443 -> 192.168.2.13:50528 version: TLS 1.2

System Summary

Source: hide.spc.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5421.1.00007f61b0011000.00007f61b001d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5425.1.00007f61b0011000.00007f61b001d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: hide.spc.elf PID: 5421, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: hide.spc.elf PID: 5425, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: ELF static info symbol of initial sample.symtab present: no
Source: hide.spc.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5421.1.00007f61b0011000.00007f61b001d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5425.1.00007f61b0011000.00007f61b001d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: hide.spc.elf PID: 5421, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: hide.spc.elf PID: 5425, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engineClassification label: mal64.linELF@0/0@0/0
Source: /usr/bin/dash (PID: 5437), Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.gWe27pALSE /tmp/tmp.oHW7nLEKgf /tmp/tmp.ztIh9ksAxl
Source: /usr/bin/dash (PID: 5446), Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.gWe27pALSE /tmp/tmp.oHW7nLEKgf /tmp/tmp.ztIh9ksAxl
Source: /tmp/hide.spc.elf (PID: 5421), Queries kernel information via 'uname'
Source: hide.spc.elf, 5421.1.000055a899c2f000.000055a899c94000.rw-.sdmp, hide.spc.elf, 5425.1.000055a899c2f000.000055a899c94000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sparc
Source: hide.spc.elf, 5421.1.000055a899c2f000.000055a899c94000.rw-.sdmp, hide.spc.elf, 5425.1.000055a899c2f000.000055a899c94000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/sparc
Source: hide.spc.elf, 5421.1.00007fff5ec26000.00007fff5ec47000.rw-.sdmp, hide.spc.elf, 5425.1.00007fff5ec26000.00007fff5ec47000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-sparc/tmp/hide.spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hide.spc.elf
Source: hide.spc.elf, 5421.1.00007fff5ec26000.00007fff5ec47000.rw-.sdmp, hide.spc.elf, 5425.1.00007fff5ec26000.00007fff5ec47000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sparc
MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample, with the signature count shown in the matrix:
  • Defense Evasion: File Deletion (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1)
All other cells of the matrix are unmatched placeholder techniques.
No configs have been found
Behavior Graph (ID: 1635353, Sample: hide.spc.elf, Start date: 11/03/2025, Architecture: LINUX, Score: 64)
Network nodes:
  • 154.18.239.232 (ports 42810, 42812, 42814), PIRANHA-AS-KRPiranhaSystemsKR, United States
  • 34.243.160.129 (ports 443, 50528), AMAZON-02US, United States
Signatures on the root node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
Processes started: hide.spc.elf, dash rm, dash head, 8 other processes; hide.spc.elf starts a child hide.spc.elf, which in turn starts a further hide.spc.elf
Source | Detection | Scanner | Label
hide.spc.elf | 62% | Virustotal |
hide.spc.elf | 61% | ReversingLabs | Linux.Backdoor.Mirai
hide.spc.elf | 100% | Avira | ANDROID/AVE.Mirai.jukrp
No Antivirus matches
No Antivirus matches
No Antivirus matches


No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
154.18.239.232 | unknown | United States | 38701 | PIRANHA-AS-KRPiranhaSystemsKR | false
34.243.160.129 | unknown | United States | 16509 | AMAZON-02US | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.18.239.232 | http://154.18.239.232/hide/hide.mpsl | malicious | Unknown | 154.18.239.232/hide/hide.mpsl
34.243.160.129 | na.elf | malicious | Prometei
34.243.160.129 | arm7.nn.elf | malicious | Mirai
34.243.160.129 | m-p.s-l.Sakura.elf | malicious | Gafgyt, Mirai
34.243.160.129 | m68k.nn.elf | malicious | Mirai, Okiru
34.243.160.129 | zbotx86.elf | malicious | Tsunami
34.243.160.129 | na.elf | malicious | Prometei
34.243.160.129 | Space.i686.elf | malicious | Unknown
34.243.160.129 | armv4l.elf | malicious | Unknown
34.243.160.129 | main_arm7.elf | malicious | Mirai
34.243.160.129 | na.elf | malicious | Prometei
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
AMAZON-02US | http://support.ringcentral.co | malicious | Unknown | 54.75.69.192
AMAZON-02US | http://support.ringcentral.co | malicious | Unknown | 18.245.60.43
AMAZON-02US | https://www.tokyo-shoten.or.jp/seinenbu/seinen/lib/af_redirect.php?shop_id=&url=https%3A%2F%2Fgamma.app%2Fdocs%2Falimentosporvenir-nuestro-boletin-y-conoce-todas-las-novedades-d-74tg10bs4maztf4%3Fmode%3Dpresent%23card-6icy8oz92e2b8jc | malicious | HTMLPhisher | 18.245.46.55
AMAZON-02US | Non-Disclosure Agreement Contract.docx | malicious | Unknown | 13.48.119.120
AMAZON-02US | https://wlp.godendome.ru/Nh71AZeH/ | malicious | Invisible JS, Tycoon2FA | 13.33.187.120
AMAZON-02US | Non-Disclosure Agreement Contract.docx | malicious | Unknown | 13.48.36.247
AMAZON-02US | https://mailtrack.io/l/2dd407bcf4ec90a1f921fd9bc7e14f6530a18eb6?url=https%3A%2F%2Fbusinessforadvertising-suite.com&u=12216294&signature=60da765357a6c843#user_email=anaelle.cheroutre@roquette.com&fname=Anaelle&lname=Cheroutre | malicious | Unknown | 52.92.16.248
AMAZON-02US | https://gamma.app/docs/Innovative-Industrial-Fabricators-LLC-l9jiky9l79t1mba?mode=present#card-04miadc3h3yvc0w | malicious | HTMLPhisher | 18.245.46.55
AMAZON-02US | https://getformly.app/KKpGCr | malicious | Invisible JS, Tycoon2FA | 44.225.207.125
AMAZON-02US | phish_alert_sp2_2.0.0.0.eml | malicious | KnowBe4 | 52.216.140.116
PIRANHA-AS-KRPiranhaSystemsKR | splarm.elf | malicious | Unknown | 154.18.242.45
PIRANHA-AS-KRPiranhaSystemsKR | x86_64.elf | malicious | Mirai, Moobot | 101.250.29.170
PIRANHA-AS-KRPiranhaSystemsKR | http://154.18.239.232/hide/hide.mpsl | malicious | Unknown | 154.18.239.232
PIRANHA-AS-KRPiranhaSystemsKR | res.mpsl.elf | malicious | Unknown | 101.250.29.177
PIRANHA-AS-KRPiranhaSystemsKR | Fantazy.mpsl.elf | malicious | Unknown | 14.206.7.247
PIRANHA-AS-KRPiranhaSystemsKR | bot.sh4.elf | malicious | Unknown | 14.206.54.222
PIRANHA-AS-KRPiranhaSystemsKR | sh4.elf | malicious | Mirai | 112.213.7.34
PIRANHA-AS-KRPiranhaSystemsKR | 3.elf | malicious | Unknown | 112.213.7.31
PIRANHA-AS-KRPiranhaSystemsKR | 6.elf | malicious | Unknown | 101.250.29.131
PIRANHA-AS-KRPiranhaSystemsKR | frosty.ppc.elf | malicious | Mirai | 14.206.54.220
No context
No context
No created / dropped files found
File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.106086863238242
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:hide.spc.elf
File size:47'392 bytes
MD5:6ef49668b8f7b301e80b882de6b25b10
SHA1:43c265a768ecd1122d7f5622632cc19791f951f8
SHA256:415b0bc279ee6ef354e9620a22cbcccf087493cad137ebb9b4b1fccdd9e2e5cf
SHA512:7e2df5c08c25b6c94b206966e694ce7e72483b68370d1e940c64170751792261cef24e068a6cd3587f558cae5ae8ecaab67b5ea649ca4c978ee1b06837503d4a
SSDEEP:768:HroRvwno9yT0Fd0/LgKPoPh5bQHFO+7IeJyMwSp:Hruprb4ge85bQlRua
TLSH:A0233B25BA361E13C0D1A87561FB4F28B6E546CE26E8C64A7D730E6EFE714446803EF4
File Content Preview:.ELF...........................4.........4. ...(...........................................................,........dt.Q................................@..(....@.).................#.....cP..`.....!..... ...@.....".........`......$ ... ...@...........`....

                      ELF header

                      Class:ELF32
                      Data:2's complement, big endian
                      Version:1 (current)
                      Machine:Sparc
                      Version Number:0x1
                      Type:EXEC (Executable file)
                      OS/ABI:UNIX - System V
                      ABI Version:0
                      Entry Point Address:0x101a4
                      Flags:0x0
                      ELF Header Size:52
                      Program Header Offset:52
                      Program Header Size:32
                      Number of Program Headers:3
                      Section Header Offset:46992
                      Section Header Size:40
                      Number of Section Headers:10
                      Header String Table Index:9
Section headers

Name       Type      Address  Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
           NULL      0x0      0x0     0x0     0x0      0x0                       0     0     0
.init      PROGBITS  0x10094  0x94    0x1c    0x0      0x6    AX                 0     0     4
.text      PROGBITS  0x100b0  0xb0    0xa6ec  0x0      0x6    AX                 0     0     4
.fini      PROGBITS  0x1a79c  0xa79c  0x14    0x0      0x6    AX                 0     0     4
.rodata    PROGBITS  0x1a7b0  0xa7b0  0xd00   0x0      0x2    A                  0     0     8
.ctors     PROGBITS  0x2b4b4  0xb4b4  0x8     0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x2b4bc  0xb4bc  0x8     0x0      0x3    WA                 0     0     4
.data      PROGBITS  0x2b4c8  0xb4c8  0x288   0x0      0x3    WA                 0     0     8
.bss       NOBITS    0x2b750  0xb750  0x190   0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0      0xb750  0x3e    0x0      0x0                       0     0     1

Program headers

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0     0x10000          0x10000           0xb4b0     0xb4b0       6.1337   0x5    R E                0x10000                    .init .text .fini .rodata
LOAD       0xb4b4  0x2b4b4          0x2b4b4           0x29c      0x42c        3.7644   0x6    RW                 0x10000                    .ctors .dtors .data .bss
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4

The two tables are internally consistent: .init, .text, .fini and .rodata tile the first LOAD segment exactly (0x10094 + 0x1c = 0x100b0, 0x100b0 + 0xa6ec = 0x1a79c, 0x1a79c + 0x14 = 0x1a7b0, 0x1a7b0 + 0xd00 = 0x1b4b0 = 0x10000 + 0xb4b0), and the second segment's memory size exceeds its file size by 0x190, the size of .bss. There is no PT_INTERP segment and no .interp, .dynamic, .dynsym or .symtab section among the ten listed: the binary is statically linked and stripped, so there are no imports or symbol names to pivot on and analysis starts at the entry point 0x101a4, which lies in .text at file offset 0x1a4. GNU_STACK is RW, so the stack is non-executable; neither LOAD segment is writable and executable at the same time.
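The checks above are easier to repeat on other samples with a small parser. The following Python is an added example and not part of the Joe Sandbox report: it parses an ELF32 header and its program headers honouring EI_DATA (big-endian here, because the machine is SPARC), verifies that the entry point falls inside an executable LOAD segment, translates it to a file offset, and derives the static-linking, NX-stack and .bss facts. build_sample_header() constructs a 148-byte header from the values in the tables above rather than reading the sample; the layouts and constants are the System V ABI ones.

```python
"""Parse an ELF32 header plus program headers (either byte order) and derive
the facts an analyst checks before disassembling a stripped static binary."""
import struct

# Elf32_Ehdr and Elf32_Phdr layouts from the System V ABI; the leading ">" is
# replaced at parse time by the byte order announced in e_ident[EI_DATA].
EHDR_FMT = ">16sHHIIIIIHHHHHH"
PHDR_FMT = ">8I"
PT_LOAD, PT_INTERP, PT_GNU_STACK = 1, 3, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EM_SPARC, ET_EXEC = 2, 2


def build_sample_header() -> bytes:
    """Constructed 148-byte prefix reproducing the header values in the report
    (built from the tables, not bytes copied from the sample)."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + b"\x00" * 7  # ELF32, MSB, v1, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, ET_EXEC, EM_SPARC, 1,
                       0x101A4,     # e_entry
                       52,          # e_phoff
                       46992,       # e_shoff
                       0,           # e_flags
                       52, 32, 3,   # e_ehsize, e_phentsize, e_phnum
                       40, 10, 9)   # e_shentsize, e_shnum, e_shstrndx
    phdrs = [
        (PT_LOAD, 0x0, 0x10000, 0x10000, 0xB4B0, 0xB4B0, PF_R | PF_X, 0x10000),
        (PT_LOAD, 0xB4B4, 0x2B4B4, 0x2B4B4, 0x29C, 0x42C, PF_R | PF_W, 0x10000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W, 4),
    ]
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def parse(blob: bytes) -> dict:
    """Return the header facts as a dict; raise ValueError on a malformed header."""
    ident = blob[:16]
    if ident[:4] != b"\x7fELF" or ident[4] != 1:
        raise ValueError("not an ELF32 file")
    bo = {1: "<", 2: ">"}[ident[5]]                 # EI_DATA: 1 = LSB, 2 = MSB
    (_, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, _, e_shnum, e_shstrndx) = struct.unpack(
        bo + EHDR_FMT[1:], blob[:52])
    phdrs = [struct.unpack(bo + PHDR_FMT[1:],
                           blob[e_phoff + i * e_phentsize:e_phoff + (i + 1) * e_phentsize])
             for i in range(e_phnum)]
    # Tuple indices: 0 type, 1 offset, 2 vaddr, 3 paddr, 4 filesz, 5 memsz, 6 flags, 7 align.
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    entry_seg = next((p for p in loads if p[2] <= e_entry < p[2] + p[5]), None)
    if entry_seg is None or not entry_seg[6] & PF_X:
        raise ValueError("entry point is not inside an executable LOAD segment")
    stack = next((p for p in phdrs if p[0] == PT_GNU_STACK), None)
    return {
        "machine": {EM_SPARC: "SPARC"}.get(e_machine, hex(e_machine)),
        "big_endian": bo == ">",
        "type": "EXEC" if e_type == ET_EXEC else hex(e_type),
        "entry": e_entry,
        # vaddr -> file offset within the segment that maps the entry point
        "entry_file_offset": e_entry - entry_seg[2] + entry_seg[1],
        "static": not any(p[0] == PT_INTERP for p in phdrs),
        "nx_stack": stack is not None and not stack[6] & PF_X,
        "wx_segments": [hex(p[2]) for p in loads if p[6] & PF_W and p[6] & PF_X],
        "bss_bytes": sum(p[5] - p[4] for p in loads),   # zero-filled at load time
        "section_headers": (e_shoff, e_shnum, e_shstrndx),
    }


if __name__ == "__main__":
    for k, v in parse(build_sample_header()).items():
        print(f"{k:18} {v if not isinstance(v, int) else hex(v)}")
```

To run it on a real file, replace build_sample_header() with open(path, "rb").read(). The constructed bytes agree with the report's File Content Preview: the "4" characters are 0x34 = 52 at e_phoff and e_ehsize, the space is 0x20 = 32 at e_phentsize, and "(" is 0x28 = 40 at e_shentsize.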


• Total Packets: 41
• Port 9931 (undefined: no registered service on this port)
• Port 443 (HTTPS)
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 11, 2025 16:02:13.873866081 CET  42810        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:13.878849983 CET  9931         42810      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:13.878946066 CET  42810        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:13.889930010 CET  42810        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:13.894654036 CET  9931         42810      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:13.894809008 CET  42810        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:13.899523973 CET  9931         42810      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:14.849783897 CET  9931         42810      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:14.850198030 CET  42810        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:14.850198030 CET  42810        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:14.850868940 CET  42812        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:14.855607033 CET  9931         42812      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:14.855679989 CET  42812        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:14.855705976 CET  42812        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:14.860399961 CET  9931         42812      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:14.860451937 CET  42812        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:14.865200996 CET  9931         42812      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:15.888467073 CET  9931         42812      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:15.888684034 CET  42812        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:15.888684034 CET  42812        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:15.889234066 CET  42814        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:15.895082951 CET  9931         42814      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:15.895133018 CET  42814        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:15.895147085 CET  42814        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:15.901047945 CET  9931         42814      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:15.901091099 CET  42814        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:15.907433033 CET  9931         42814      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:16.867831945 CET  9931         42814      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:16.868117094 CET  42814        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:16.868117094 CET  42814        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:16.868691921 CET  42816        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:16.873430014 CET  9931         42816      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:16.873497963 CET  42816        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:16.873512983 CET  42816        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:16.878187895 CET  9931         42816      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:16.878237963 CET  42816        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:16.882914066 CET  9931         42816      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:17.827095985 CET  9931         42816      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:17.827244043 CET  42816        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:17.827406883 CET  42816        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:17.828074932 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:17.833312988 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:17.833409071 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:17.833409071 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:17.838412046 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:17.838493109 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:17.843751907 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:23.042833090 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:23.042895079 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:23.042934895 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:23.043133020 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:23.043133020 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:23.043559074 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:23.044284105 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:23.049207926 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:23.722179890 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:23.722389936 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:23.722805977 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:23.727549076 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:24.064225912 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:24.064352989 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:24.066498041 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:24.071470022 CET  443          50528      34.243.160.129  192.168.2.13
Mar 11, 2025 16:02:24.071516991 CET  50528        443        192.168.2.13    34.243.160.129
Mar 11, 2025 16:02:27.843707085 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:02:27.849277973 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:28.186175108 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:02:28.186249971 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:03:28.241771936 CET  42818        9931       192.168.2.13    154.18.239.232
Mar 11, 2025 16:03:28.246545076 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:03:28.581892014 CET  9931         42818      154.18.239.232  192.168.2.13
Mar 11, 2025 16:03:28.582113028 CET  42818        9931       192.168.2.13    154.18.239.232
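Read as connections rather than packets, the table above is five client-initiated sessions from 192.168.2.13 to 154.18.239.232:9931 (source ports 42810 through 42818, each started about one second after the previous one) and a single HTTPS session with 34.243.160.129. The last 9931 session stays up, with exchanges ten seconds and then sixty seconds apart. The following Python is an added example, not part of the Joe Sandbox report: it groups packet rows into connections and flags server endpoints that are contacted at a regular cadence on a non-standard port. PACKETS is a subset of the rows above, transcribed as tuples with the trailing "CET" dropped; STANDARD_PORTS, the client/server heuristic and the thresholds are assumptions chosen for this illustration.

```python
"""Group packet rows into TCP connections and flag endpoints that are
reconnected to at a regular cadence on a non-standard port."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Ports a stock sandbox VM is expected to talk to (assumption for this example).
STANDARD_PORTS = {22, 53, 80, 123, 443}

# Subset of the packet table above: (timestamp, src port, dst port, src ip, dst ip).
PACKETS = [
    ("Mar 11, 2025 16:02:13.873866081", 42810, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:02:13.878849983", 9931, 42810, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:02:14.849783897", 9931, 42810, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:02:14.850868940", 42812, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:02:14.855607033", 9931, 42812, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:02:15.889234066", 42814, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:02:15.895082951", 9931, 42814, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:02:16.868691921", 42816, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:02:16.873430014", 9931, 42816, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:02:17.828074932", 42818, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:02:17.833312988", 9931, 42818, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:02:23.042833090", 443, 50528, "34.243.160.129", "192.168.2.13"),
    ("Mar 11, 2025 16:02:23.043133020", 50528, 443, "192.168.2.13", "34.243.160.129"),
    ("Mar 11, 2025 16:02:27.843707085", 42818, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:02:28.186175108", 9931, 42818, "154.18.239.232", "192.168.2.13"),
    ("Mar 11, 2025 16:03:28.241771936", 42818, 9931, "192.168.2.13", "154.18.239.232"),
    ("Mar 11, 2025 16:03:28.581892014", 9931, 42818, "154.18.239.232", "192.168.2.13"),
]


def parse_ts(s: str) -> datetime:
    # The report prints nanoseconds; strptime's %f takes at most six digits.
    return datetime.strptime(s[:-3], "%b %d, %Y %H:%M:%S.%f")


def connections(packets):
    """Return {(client, server): summary}. The server is taken to be the endpoint
    with the lower port (ephemeral client ports are high); unlike "first packet
    source = client", this still works when the capture starts mid-connection,
    as the 443 flow here does (its first captured packet comes from the server)."""
    times = defaultdict(list)
    for ts, sport, dport, sip, dip in packets:
        a, b = (sip, sport), (dip, dport)
        client, server = (a, b) if a[1] > b[1] else (b, a)
        times[(client, server)].append(parse_ts(ts))
    out = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(y - x).total_seconds() for x, y in zip(ts, ts[1:])]
        out[key] = {"first": ts[0], "last": ts[-1], "packets": len(ts),
                    "max_idle_s": max(gaps, default=0.0)}
    return out


def beacon_candidates(packets, min_conns=3, max_cv=0.25):
    """Server endpoints with at least min_conns connections whose start-to-start
    gaps have a coefficient of variation of at most max_cv (regular cadence)."""
    starts = defaultdict(list)
    for (_, server), c in connections(packets).items():
        starts[server].append(c["first"])
    found = []
    for (ip, port), s in starts.items():
        if len(s) < min_conns:
            continue
        s.sort()
        gaps = [(y - x).total_seconds() for x, y in zip(s, s[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            found.append({"server": f"{ip}:{port}", "connections": len(s),
                          "mean_gap_s": round(mean(gaps), 2),
                          "nonstandard_port": port not in STANDARD_PORTS})
    return found


if __name__ == "__main__":
    for c in beacon_candidates(PACKETS):
        print(c)
    for (client, server), c in connections(PACKETS).items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]} "
              f"packets={c['packets']} max_idle={c['max_idle_s']:.1f}s")
```

On this input the only candidate is 154.18.239.232:9931 with five connections and a mean gap just under one second; the single HTTPS session is below the connection threshold. The max_idle_s of the final 9931 session (about sixty seconds) is the value to carry into a detection that looks for long-lived idle TCP sessions to an unregistered port.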
TLS server certificates observed

Timestamp:                   Mar 11, 2025 16:02:23.042934895 CET
Source IP / Port:            34.243.160.129 / 443
Dest IP / Port:              192.168.2.13 / 50528
JA3 SSL Client Fingerprint:  (blank in report)
JA3 SSL Client Digest:       (blank in report)

  Leaf certificate
    Subject:     CN=motd.ubuntu.com
    Issuer:      CN=R11, O=Let's Encrypt, C=US
    Not Before:  Sun Jan 05 09:21:36 CET 2025
    Not After:   Sat Apr 05 10:21:35 CEST 2025

  Intermediate certificate
    Subject:     CN=R11, O=Let's Encrypt, C=US
    Issuer:      CN=ISRG Root X1, O=Internet Security Research Group, C=US
    Not Before:  Wed Mar 13 01:00:00 CET 2024
    Not After:   Sat Mar 13 00:59:59 CET 2027

Note: the only TLS session in the capture is to a host presenting the motd.ubuntu.com certificate, and the dash / rm / cat / head / tr / cut chain at 15:02:23 in the process list below (three mktemp files removed, then cat | head -n 10 | tr -d '\000-\011\013\014\016-\037' | cut -c -80) is the command sequence of Ubuntu's MOTD news fetcher, /etc/update-motd.d/50-motd-news. Both are consistent with background activity of the analysis VM coinciding with the run rather than with behaviour of the SPARC sample, and the rm activity should be weighed accordingly. The traffic attributable to the sample is the repeated TCP to 154.18.239.232:9931: five connections about one second apart, the last kept open with exchanges ten and then sixty seconds apart.

                      System Behavior

                      Start time (UTC):15:02:12
                      Start date (UTC):11/03/2025
                      Path:/tmp/hide.spc.elf
                      Arguments:/tmp/hide.spc.elf
                      File size:4379400 bytes
                      MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                      Start time (UTC):15:02:12
                      Start date (UTC):11/03/2025
                      Path:/tmp/hide.spc.elf
                      Arguments:-
                      File size:4379400 bytes
                      MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                      Start time (UTC):15:02:12
                      Start date (UTC):11/03/2025
                      Path:/tmp/hide.spc.elf
                      Arguments:-
                      File size:4379400 bytes
                      MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/rm
                      Arguments:rm -f /tmp/tmp.gWe27pALSE /tmp/tmp.oHW7nLEKgf /tmp/tmp.ztIh9ksAxl
                      File size:72056 bytes
                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/cat
                      Arguments:cat /tmp/tmp.gWe27pALSE
                      File size:43416 bytes
                      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/head
                      Arguments:head -n 10
                      File size:47480 bytes
                      MD5 hash:fd96a67145172477dd57131396fc9608

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/tr
                      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                      File size:51544 bytes
                      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/cut
                      Arguments:cut -c -80
                      File size:47480 bytes
                      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/cat
                      Arguments:cat /tmp/tmp.gWe27pALSE
                      File size:43416 bytes
                      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/head
                      Arguments:head -n 10
                      File size:47480 bytes
                      MD5 hash:fd96a67145172477dd57131396fc9608

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/tr
                      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                      File size:51544 bytes
                      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/cut
                      Arguments:cut -c -80
                      File size:47480 bytes
                      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):15:02:23
                      Start date (UTC):11/03/2025
                      Path:/usr/bin/rm
                      Arguments:rm -f /tmp/tmp.gWe27pALSE /tmp/tmp.oHW7nLEKgf /tmp/tmp.ztIh9ksAxl
                      File size:72056 bytes
                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b