
Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1635731
MD5:1dced10358af14f5103c42e78a590334
SHA1:46dbd5a25e1aa7816a77c00e468f0d439bdb11e2
SHA256:bacd5592d06965a814d3ac9258ee442d2f8bd8bef545f06e0395f698dc4a22b1
Tags:elf, user-abuse_ch

Detection

Score:48
Range:0 - 100

Signatures

Connects to many ports of the same IP (likely port scanning)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1635731
Start date and time:2025-03-11 23:15:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 47s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal48.troj.linELF@0/2@2/0
Command:/tmp/arm6.elf
PID:5533
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • arm6.elf (PID: 5533, Parent: 5451, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
    • arm6.elf New Fork (PID: 5535, Parent: 5533)
  • cleanup
No yara matches
No Suricata rule has matched

Networking

Source: global traffic | TCP traffic: 156.244.14.93 ports 56190,0,1,5,6,9
Source: unknown | DNS query: name: stun.l.google.com
Source: global traffic | TCP traffic: 192.168.2.14:43756 -> 156.244.14.93:56190
Source: global traffic | TCP traffic: 192.168.2.14:48730 -> 156.244.6.124:12016
Source: global traffic | UDP traffic: 192.168.2.14:36914 -> 74.125.250.129:19302
Source: /tmp/arm6.elf (PID: 5535) | Socket: 127.0.0.1:22448
Source: unknown | TCP traffic detected without corresponding DNS query: 156.244.14.93 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 156.244.6.124 (17 occurrences)
Source: global traffic | DNS traffic detected: DNS query: stun.l.google.com
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal48.troj.linELF@0/2@2/0
Source: /tmp/arm6.elf (PID: 5533) | File opened: /proc/<pid>/cmdline for the following 105 PIDs, in the order opened: 1583, 2672, 110, 111, 112, 113, 234, 1577, 114, 235, 115, 116, 117, 118, 119, 3752, 3753, 3754, 3755, 10, 917, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1593, 240, 120, 3094, 121, 242, 3406, 1, 122, 243, 2, 123, 244, 1589, 3, 124, 245, 1588, 125, 4, 246, 3402, 126, 5, 247, 127, 6, 248, 128, 7, 249, 8, 129, 800, 9, 801, 803, 20, 806, 21, 807, 928, 22, 23, 24, 25, 26, 27, 28, 29, 3420, 490, 250, 130, 251, 131, 252, 132, 253, 254, 255, 135, 256, 1599, 257, 378, 258, 3412, 259, 30, 35, 1371, 260, 261, 262
Source: /tmp/arm6.elf (PID: 5533) | Queries kernel information via 'uname'
Source: arm6.elf, 5533.1.00007ffd086ac000.00007ffd086cd000.rw-.sdmp | Binary or memory string: U/tmp/qemu-open.XqpywB:e
Source: arm6.elf, 5533.1.00007f5794035000.00007f579403b000.rw-.sdmp | Binary or memory string: vmware
Source: arm6.elf, 5533.1.000055ea8d098000.000055ea8d1e7000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm6.elf, 5533.1.00007f5794035000.00007f579403b000.rw-.sdmp | Binary or memory string: qemu-arm
Source: arm6.elf, 5533.1.000055ea8d098000.000055ea8d1e7000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: arm6.elf, 5533.1.00007ffd086ac000.00007ffd086cd000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: arm6.elf, 5533.1.00007f5794035000.00007f579403b000.rw-.sdmp | Binary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a1gCWFxqAHsFWFEWR3RJ!!a1gAWFxuAXsFXkgJQHcA!!a1gAWFxuAXsCQ1cKQgAA!!blgYR1tpG2QGWEgNQwAA!!a1kHWF9sAXsBX0gKR3AA!!qemu-armXsBX0gKR3AA!
Source: arm6.elf, 5533.1.00007ffd086ac000.00007ffd086cd000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.XqpywB
Source: arm6.elf, 5533.1.00007ffd086ac000.00007ffd086cd000.rw-.sdmp | Binary or memory string: Qx86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count the report shows against a matched technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
Defense Evasion: Direct Volume Access, Rootkit, Obfuscated Files or Information
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager
Discovery: Security Software Discovery (11), Application Window Discovery, Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
No configs have been found
Behavior Graph (ID: 1635731; Sample: arm6.elf; Start date: 11/03/2025; Architecture: LINUX; Score: 48). Nodes: stun.l.google.com; 156.244.14.93 (ports 43756, 56190; POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles); 2 other IPs or domains. Signatures: Connects to many ports of the same IP (likely port scanning); Uses STUN server to do NAT traversal. Processes: arm6.elf started, which in turn started a second arm6.elf.
Source | Detection | Scanner | Label
arm6.elf | 11% | ReversingLabs | Linux.Trojan.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
stun.l.google.com | 74.125.250.129 | true | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
156.244.6.124 | unknown | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
156.244.14.93 | unknown | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLEUS | false
Match | Associated Sample Name / URL | Detection | Threat Name
156.244.6.124 | arm6.elf | malicious | Unknown
156.244.6.124 | arm7.elf | malicious | Unknown
156.244.6.124 | m68k.elf | malicious | Unknown
156.244.6.124 | arm6.elf | malicious | Unknown
156.244.6.124 | arm.elf | malicious | Unknown
156.244.6.124 | spc.elf | malicious | Unknown
156.244.6.124 | arm5.elf | malicious | Unknown
156.244.6.124 | i686.elf | malicious | Unknown
156.244.6.124 | arm.elf | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
POWERLINE-AS-APPOWERLINEDATACENTERHK | pesanan09900011.exe | malicious | FormBook | 154.213.39.66
POWERLINE-AS-APPOWERLINEDATACENTERHK | tnZI8EzSx3.exe | malicious | FormBook | 45.202.215.234
POWERLINE-AS-APPOWERLINEDATACENTERHK | Anpy55Zkwp.exe | malicious | FormBook | 45.127.126.183
POWERLINE-AS-APPOWERLINEDATACENTERHK | IfmB4tGS4L.exe | malicious | FormBook | 45.127.126.183
POWERLINE-AS-APPOWERLINEDATACENTERHK | zzSk99EqY0.exe | malicious | FormBook | 45.202.215.234
POWERLINE-AS-APPOWERLINEDATACENTERHK | oVGdMZK3kA.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | QS1BxkXZoD.exe | malicious | FormBook | 45.202.215.234
POWERLINE-AS-APPOWERLINEDATACENTERHK | OVERSEA 1232-3102025.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Fax-03-10-2025-doc.exe | malicious | FormBook | 45.127.126.183
POWERLINE-AS-APPOWERLINEDATACENTERHK | uc8ECO2BBU.exe | malicious | FormBook | 45.127.126.183
                      No context
                      No context
                      Process:/tmp/arm6.elf
                      File Type:data
                      Category:dropped
                      Size (bytes):14
                      Entropy (8bit):3.521640636343319
                      Encrypted:false
                      SSDEEP:3:Tgj03:Tgw3
                      MD5:3F57B2990E079DDED19A289B2C2D9845
                      SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
                      SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
                      SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
                      Malicious:false
                      Reputation:low
                      Preview:/tmp/arm6.elf.
                      Process:/tmp/arm6.elf
                      File Type:data
                      Category:dropped
                      Size (bytes):14
                      Entropy (8bit):3.521640636343319
                      Encrypted:false
                      SSDEEP:3:Tgj03:Tgw3
                      MD5:3F57B2990E079DDED19A289B2C2D9845
                      SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
                      SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
                      SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
                      Malicious:false
                      Reputation:low
                      Preview:/tmp/arm6.elf.
                      File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                      Entropy (8bit):6.113631207191804
                      TrID:
                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                      File name:arm6.elf
                      File size:88'312 bytes
                      MD5:1dced10358af14f5103c42e78a590334
                      SHA1:46dbd5a25e1aa7816a77c00e468f0d439bdb11e2
                      SHA256:bacd5592d06965a814d3ac9258ee442d2f8bd8bef545f06e0395f698dc4a22b1
                      SHA512:dd6a51ce8967c04260aac6a1699a4c5e30080eedd2b5de4171db06087647cf62345908bff758e6a2e42ffe4f28b4b39f9d5d2ca538ca39f3d7803b7d7c4ba91f
                      SSDEEP:1536:r0noz3VHZt0gR/ccXRkUYFPbD7DcFXY2Y+/hr2IrRhOi8bg2KCqtyWro:T7VHZt02kUePPEqAhr2diqtKoeo
                      TLSH:ED831846B8419B26D6D016BEFE1E428D33232FB8E3DE3202AD15AB2577DF54A0D3B451
                      File Content Preview:.ELF..............(.....l...4....V......4. ...(........p.T...........................................U...U...............U...U...U......$G..........Q.td.............................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

                      ELF header

                      Class:ELF32
                      Data:2's complement, little endian
                      Version:1 (current)
                      Machine:ARM
                      Version Number:0x1
                      Type:EXEC (Executable file)
                      OS/ABI:UNIX - System V
                      ABI Version:0
                      Entry Point Address:0x816c
                      Flags:0x4000002
                      ELF Header Size:52
                      Program Header Offset:52
                      Program Header Size:32
                      Number of Program Headers:4
                      Section Header Offset:87792
                      Section Header Size:40
                      Number of Section Headers:13
                      Header String Table Index:12
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | - | 0 | 0 | 0
.init | PROGBITS | 0x80b4 | 0xb4 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80c8 | 0xc8 | 0x13fcc | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x1c094 | 0x14094 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x1c0a8 | 0x140a8 | 0x1450 | 0x0 | 0x2 | A | 0 | 0 | 8
.ARM.exidx | ARM_EXIDX | 0x1d4f8 | 0x154f8 | 0xc8 | 0x0 | 0x82 | AL | 2 | 0 | 4
.eh_frame | PROGBITS | 0x255c0 | 0x155c0 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x255c4 | 0x155c4 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x255c8 | 0x155c8 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x255d0 | 0x155d0 | 0x28 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x255f8 | 0x155f8 | 0x94 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x25690 | 0x1568c | 0x4654 | 0x0 | 0x3 | WA | 0 | 0 | 8
.shstrtab | STRTAB | 0x0 | 0x1568c | 0x62 | 0x0 | 0x0 | - | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
EXIDX | 0x154f8 | 0x1d4f8 | 0x1d4f8 | 0xc8 | 0xc8 | 4.2911 | 0x4 | R | 0x4 | - | .ARM.exidx
LOAD | 0x0 | 0x8000 | 0x8000 | 0x155c0 | 0x155c0 | 6.1257 | 0x5 | R E | 0x8000 | - | .init .text .fini .rodata .ARM.exidx
LOAD | 0x155c0 | 0x255c0 | 0x255c0 | 0xcc | 0x4724 | 3.4878 | 0x6 | RW | 0x8000 | - | .eh_frame .init_array .fini_array .got .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | - | -

                      • Total Packets: 27
                      • 56190 undefined
                      • 19302 undefined
                      • 12016 undefined
                      • 53 (DNS)
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 23:16:10.972656012 CET | 43756 | 56190 | 192.168.2.14 | 156.244.14.93
Mar 11, 2025 23:16:10.977617025 CET | 56190 | 43756 | 156.244.14.93 | 192.168.2.14
Mar 11, 2025 23:16:10.977771997 CET | 43756 | 56190 | 192.168.2.14 | 156.244.14.93
Mar 11, 2025 23:16:11.645320892 CET | 56190 | 43756 | 156.244.14.93 | 192.168.2.14
Mar 11, 2025 23:16:11.645466089 CET | 43756 | 56190 | 192.168.2.14 | 156.244.14.93
Mar 11, 2025 23:16:11.770035982 CET | 56190 | 43756 | 156.244.14.93 | 192.168.2.14
Mar 11, 2025 23:16:11.770142078 CET | 43756 | 56190 | 192.168.2.14 | 156.244.14.93
Mar 11, 2025 23:16:15.621653080 CET | 43756 | 56190 | 192.168.2.14 | 156.244.14.93
Mar 11, 2025 23:16:15.626449108 CET | 56190 | 43756 | 156.244.14.93 | 192.168.2.14
Mar 11, 2025 23:16:15.794425964 CET | 56190 | 43756 | 156.244.14.93 | 192.168.2.14
Mar 11, 2025 23:16:15.794751883 CET | 43756 | 56190 | 192.168.2.14 | 156.244.14.93
Mar 11, 2025 23:16:15.799535036 CET | 56190 | 43756 | 156.244.14.93 | 192.168.2.14
Mar 11, 2025 23:16:16.796500921 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:16.801213026 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:16.801282883 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:17.860909939 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:17.860997915 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:18.201637983 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:18.201813936 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:21.588629007 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:21.593301058 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:36.591694117 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:36.596654892 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:36.596702099 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:36.601358891 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:56.603718042 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:56.608422995 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:56.608494997 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:16:56.613173008 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:59.163049936 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:16:59.163186073 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:16.621201992 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:16.625914097 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:17:16.625963926 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:16.630640984 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:17:34.734934092 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:34.739686966 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:17:34.739752054 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:34.744421959 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:17:52.526182890 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:52.531016111 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:17:52.531092882 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
Mar 11, 2025 23:17:52.535804033 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:18:09.262878895 CET | 12016 | 48730 | 156.244.6.124 | 192.168.2.14
Mar 11, 2025 23:18:09.263026953 CET | 48730 | 12016 | 192.168.2.14 | 156.244.6.124
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2025 23:16:12.008850098 CET | 49900 | 53 | 192.168.2.14 | 8.8.8.8
Mar 11, 2025 23:16:12.025398016 CET | 53 | 49900 | 8.8.8.8 | 192.168.2.14
Mar 11, 2025 23:16:12.025878906 CET | 36914 | 19302 | 192.168.2.14 | 74.125.250.129
Mar 11, 2025 23:16:12.496870995 CET | 19302 | 36914 | 74.125.250.129 | 192.168.2.14
Mar 11, 2025 23:16:17.798469067 CET | 57220 | 53 | 192.168.2.14 | 8.8.8.8
Mar 11, 2025 23:16:17.807512999 CET | 53 | 57220 | 8.8.8.8 | 192.168.2.14
Mar 11, 2025 23:16:17.807668924 CET | 59379 | 19302 | 192.168.2.14 | 74.125.250.129
Mar 11, 2025 23:16:18.255758047 CET | 19302 | 59379 | 74.125.250.129 | 192.168.2.14
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 11, 2025 23:16:12.008850098 CET | 192.168.2.14 | 8.8.8.8 | 0xf02f | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false
Mar 11, 2025 23:16:17.798469067 CET | 192.168.2.14 | 8.8.8.8 | 0x861c | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 11, 2025 23:16:12.025398016 CET | 8.8.8.8 | 192.168.2.14 | 0xf02f | No error (0) | stun.l.google.com | - | 74.125.250.129 | A (IP address) | IN (0x0001) | false
Mar 11, 2025 23:16:17.807512999 CET | 8.8.8.8 | 192.168.2.14 | 0x861c | No error (0) | stun.l.google.com | - | 74.125.250.129 | A (IP address) | IN (0x0001) | false

                      System Behavior

                      Start time (UTC):22:16:09
                      Start date (UTC):11/03/2025
                      Path:/tmp/arm6.elf
                      Arguments:-
                      File size:4956856 bytes
                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1