
Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1639666
MD5:6286f73879f3d70d467d0a82ca4ae60a
SHA1:ec2b368ef4eec98a4634a5c3a50deaa2300f51ea
SHA256:5f95dcf28055850254b498d149bc79f880414b3fb6876bd9fb9db30ee3910699
Tags: elf, user-abuse_ch

Detection

Score:56
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Label: mal56.troj.linELF@0/2@1/0 (Trojan / Bot)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1639666
Start date and time:2025-03-16 02:36:27 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal56.troj.linELF@0/2@1/0
Command:/tmp/arm6.elf
PID:6285
Exit Code:0
Exit Code Info:
Killed:False
Standard Output: For God so loved the world
Standard Error:
Process tree:
  • system is lnxubuntu20
  • arm6.elf (PID: 6285, Parent: 6210, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
    (This MD5 is that of the executing process image, not of the submitted sample, whose MD5 is 6286f73879f3d70d467d0a82ca4ae60a. The memory strings in the evasion findings show that PID 6285 is the x86_64 qemu-arm user-mode emulator running /tmp/arm6.elf via binfmt.)
    • arm6.elf New Fork (PID: 6287, Parent: 6285)
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: arm6.elf  Virustotal: Detection: 9%

Networking

Source: global traffic  TCP traffic: 154.205.155.97 ports 0,1,3,30751,5,7
Source: unknown  DNS query: name: stun.l.google.com
Source: global traffic  TCP traffic: 192.168.2.23:55392 -> 154.205.155.97:30751
Source: global traffic  UDP traffic: 192.168.2.23:56791 -> 74.125.250.129:19302
Source: /tmp/arm6.elf (PID: 6287)  Socket: 127.0.0.1:22448
Source: global traffic  TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic  TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic  TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown  TCP traffic detected without corresponding DNS query: 154.205.155.97 (reported 17 times), 91.189.91.42 (3 times), 91.189.91.43 (2 times), 109.202.202.202 (once)
Source: global traffic  DNS traffic detected: DNS query: stun.l.google.com
Source: unknown  Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown  Network traffic detected: HTTP traffic on port 42836 -> 443
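The UDP flow to 74.125.250.129:19302 above is a STUN Binding exchange with Google's public STUN server; a bot does this to learn the public IP and port it has behind NAT. The Python below is an added example, not code from the sample or from Joe Sandbox: it builds the 20-byte Binding Request, decodes the XOR-MAPPED-ADDRESS attribute of the reply (RFC 5389), and includes a network-side check that recognises STUN payloads on any UDP port. The server reply is constructed inline; the public address 203.0.113.5:40000 in it is a documentation-range placeholder, not an address from this report. The transaction-ID comparison shows why an unsolicited reply must be discarded.

```python
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
STUN_HEADER = struct.Struct("!HHI12s")   # msg type, msg length, magic cookie, transaction id


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Minimal 20-byte Binding Request: the whole request a bot sends to learn its public address."""
    txid = txid or os.urandom(12)
    return STUN_HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def is_stun_binding_request(payload: bytes) -> bool:
    """Network-side check usable on any UDP port: fixed magic cookie plus a consistent length field."""
    if len(payload) < STUN_HEADER.size:
        return False
    mtype, length, cookie, _ = STUN_HEADER.unpack_from(payload)
    return cookie == MAGIC_COOKIE and mtype == BINDING_REQUEST and length == len(payload) - STUN_HEADER.size


def parse_binding_response(payload: bytes, expected_txid: bytes) -> Tuple[str, int]:
    """Return (public_ip, public_port) from the XOR-MAPPED-ADDRESS attribute of a Binding Success Response."""
    if len(payload) < STUN_HEADER.size:
        raise ValueError("short packet")
    mtype, length, cookie, txid = STUN_HEADER.unpack_from(payload)
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding Success Response")
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: unsolicited or spoofed reply")
    body = payload[STUN_HEADER.size:STUN_HEADER.size + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack_from("!HH", body, offset)
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) & ~3)          # attribute values are padded to 4 bytes
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) == 8:
            family, xport = struct.unpack_from("!xBH", value)
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            (xaddr,) = struct.unpack_from("!I", value, 4)
            port = xport ^ (MAGIC_COOKIE >> 16)       # port is XORed with the top 16 bits of the cookie
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def make_fake_response(txid: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply so the parser can be exercised offline (not captured traffic)."""
    (addr,) = struct.unpack("!I", socket.inet_aton(ip))
    value = struct.pack("!xBHI", 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return STUN_HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def discover_public_address(server=("stun.l.google.com", 19302), timeout=2.0) -> Tuple[str, int]:
    """The live exchange seen in the report (needs network; not used by the offline demo below)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), server)
        data, _ = sock.recvfrom(512)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    demo_txid = bytes(range(12))
    request = build_binding_request(demo_txid)
    print("request bytes:", request.hex(), "looks like STUN:", is_stun_binding_request(request))
    reply = make_fake_response(demo_txid, "203.0.113.5", 40000)   # constructed placeholder address
    print("decoded public address:", parse_binding_response(reply, demo_txid))
```

On the detection side, `is_stun_binding_request` applied to UDP payloads catches the same behaviour whether the bot uses Google's 19302 or the IANA port 3478, which a port-only rule would miss.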
Sample has stripped symbol table

Source: ELF static info symbol of initial sample  .symtab present: no
Source: classification engine  Classification label: mal56.troj.linELF@0/2@1/0
Enumerates processes within the "proc" file system

Source: /tmp/arm6.elf (PID: 6285)  File opened: /proc/<pid>/cmdline for 105 distinct PIDs, in the order observed:
  6232, 1582, 3088, 230, 110, 231, 111, 232, 1579, 112, 233, 1699, 113, 234, 1335, 1698, 114, 235, 1334, 1576,
  2302, 115, 236, 116, 237, 117, 118, 910, 119, 912, 4722, 10, 2307, 11, 918, 12, 13, 14, 6121, 15,
  16, 17, 18, 1594, 120, 121, 1349, 1, 122, 243, 123, 2, 124, 3, 4, 125, 126, 1344, 1465, 1586,
  127, 6, 248, 128, 249, 1463, 800, 9, 801, 20, 21, 1900, 22, 23, 24, 25, 26, 27, 28, 29,
  491, 250, 130, 251, 252, 132, 253, 254, 255, 256, 1599, 257, 1477, 379, 258, 1476, 259, 1475, 936, 30,
  2208, 35, 6269, 1809, 4520
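What turns the list above into a signature is its breadth: a single process reading the command line of over a hundred other processes, which is what Mirai's killer routine does to find competing bots to terminate. The Python below is an added example, not Joe Sandbox code: it parses lines in the report's own "File opened" format, counts distinct target PIDs per reading process and flags those at or above a threshold, ignoring an allowlist of process-listing tools. The threshold of 20 and the allowlist are assumptions of the example; the sample lines it runs on are constructed, reusing the path and PID from this report.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Matches the report's own lines, e.g.
# "Source: /tmp/arm6.elf (PID: 6285)File opened: /proc/6232/cmdline"
FILE_OPENED = re.compile(
    r"Source: (?P<image>\S+) \(PID: (?P<pid>\d+)\)\s*File opened: /proc/(?P<target>\d+)/cmdline"
)

# Tools for which reading every /proc/<pid>/cmdline is their job; an assumption for this example.
PROCESS_LISTING_TOOLS = {"/bin/ps", "/usr/bin/ps", "/usr/bin/top", "/usr/bin/pgrep"}


def proc_cmdline_opens(lines: Iterable[str]) -> Dict[Tuple[str, int], Set[int]]:
    """Map (image, pid) -> set of PIDs whose cmdline it read; repeat reads of one PID count once."""
    opens: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for line in lines:
        m = FILE_OPENED.search(line)
        if m:
            opens[(m["image"], int(m["pid"]))].add(int(m["target"]))
    return opens


def flag_enumerators(lines: Iterable[str], threshold: int = 20) -> List[Tuple[str, int, int]]:
    """Processes that read >= threshold distinct cmdlines, excluding listing tools, most prolific first."""
    flagged = []
    for (image, pid), targets in proc_cmdline_opens(lines).items():
        targets.discard(pid)                      # reading your own cmdline is not enumeration
        if image not in PROCESS_LISTING_TOOLS and len(targets) >= threshold:
            flagged.append((image, pid, len(targets)))
    return sorted(flagged, key=lambda t: (-t[2], t[1]))


# Constructed sample: the bot sweeping 25 PIDs (two of them twice, plus itself) and a benign ps run.
SAMPLE_LINES = (
    ["Source: /tmp/arm6.elf (PID: 6285)File opened: /proc/%d/cmdlineJump to behavior" % p
     for p in list(range(1, 26)) + [1, 2, 6285]]
    + ["Source: /usr/bin/ps (PID: 7001)File opened: /proc/%d/cmdline" % p for p in (1, 2, 3)]
    + ["Source: /tmp/arm6.elf (PID: 6285)Queries kernel information via 'uname': "]
)

if __name__ == "__main__":
    for image, pid, n in flag_enumerators(SAMPLE_LINES):
        print(f"{image} (PID {pid}) read the cmdline of {n} other processes")
```

Fed the full report text, the same function returns 105 for PID 6285. On a live host the equivalent input is an auditd watch on /proc or an eBPF openat trace keyed by the calling PID; the counting logic is unchanged.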
Source: /tmp/arm6.elf (PID: 6285)  Queries kernel information via 'uname'
Binary or memory strings related to virtualization and emulation (memory dumps of PID 6285):

Source: arm6.elf, 6285.1.00007ffdfcd61000.00007ffdfcd82000.rw-.sdmp  Binary or memory string: /tmp/qemu-open.bsnfQr
Source: arm6.elf, 6285.1.00007fab84035000.00007fab8403b000.rw-.sdmp  Binary or memory string: vmware
Source: arm6.elf, 6285.1.00007fab84035000.00007fab8403b000.rw-.sdmp  Binary or memory string: qemu-arm
Source: arm6.elf, 6285.1.00007ffdfcd61000.00007ffdfcd82000.rw-.sdmp  Binary or memory string: dx86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
Source: arm6.elf, 6285.1.0000557a32c0a000.0000557a32d59000.rw-.sdmp  Binary or memory string: 2zU!/etc/qemu-binfmt/arm
Source: arm6.elf, 6285.1.0000557a32c0a000.0000557a32d59000.rw-.sdmp  Binary or memory string: /etc/qemu-binfmt/arm
Source: arm6.elf, 6285.1.00007ffdfcd61000.00007ffdfcd82000.rw-.sdmp  Binary or memory string: /usr/bin/qemu-arm
Source: arm6.elf, 6285.1.00007ffdfcd61000.00007ffdfcd82000.rw-.sdmp  Binary or memory string: j/zU/tmp/qemu-open.bsnfQr:
Source: arm6.elf, 6285.1.00007fab84035000.00007fab8403b000.rw-.sdmp  Binary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!

Caveat: every one of these dumps is a 64-bit address range (0x7f..., 0x557a...) of the x86_64 host process, and the argv/environment string among them identifies that process as /usr/bin/qemu-arm executing /tmp/arm6.elf under binfmt. The vmware and qemu-arm strings therefore come from the emulator's own memory and environment (as do the SUDO_USER and DISPLAY values, which describe the analysis host), not from the 32-bit ARM sample, and they are not evidence that the sample checks for a virtual machine.
MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques with mapped signatures, count in parentheses:
  • Credential Access: OS Credential Dumping (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
All other cells of the matrix carry no count.
No configs have been found
Behavior graph (ID 1639666, sample arm6.elf, start date 16/03/2025, architecture LINUX, score 56): arm6.elf starts and forks a second arm6.elf process. Network nodes: stun.l.google.com (signature: Uses STUN server to do NAT traversal) and 154.205.155.97 with ports 30751 and 55392 as listed (IKGUL-26484US, Seychelles), plus 4 other IPs or domains. Graph-level signatures: Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning).
Source    Detection  Scanner        Label
arm6.elf  9%         Virustotal
arm6.elf  11%        ReversingLabs  Linux.Trojan.Mirai
No Antivirus matches for dropped files, domains, or URLs


Name               IP              Active  Malicious  Antivirus Detection  Reputation
stun.l.google.com  74.125.250.129  true    false      (none)               high
IP               Domain             Country         ASN    ASN Name        Malicious
109.202.202.202  unknown            Switzerland     13030  INIT7CH         false
154.205.155.97   unknown            Seychelles      26484  IKGUL-26484US   true
74.125.250.129   stun.l.google.com  United States   15169  GOOGLEUS        false
91.189.91.43     unknown            United Kingdom  41231  CANONICAL-ASGB  false
91.189.91.42     unknown            United Kingdom  41231  CANONICAL-ASGB  false
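The table above shows four destinations with no domain (no DNS answer carried them during the run) and one reached through stun.l.google.com. The Python below is an added example, not Joe Sandbox code: it implements that "connect without a preceding DNS answer" heuristic over the flows and the single DNS answer from this report, adds a non-standard-port signal, and subtracts a score for ASNs the analysis VM contacts on its own (Canonical and INIT7, which the context tables show serving Ubuntu packages). That background allowlist, the port list and the weights are assumptions of the example, not part of the report. The output ranks the hard-coded 154.205.155.97:30751 first and leaves the mirror traffic and the resolved STUN server at zero.

```python
import ipaddress
from collections import defaultdict

# Constructed from this report's observations: the one DNS answer and the five outbound flows.
DNS_ANSWERS = [("stun.l.google.com", "74.125.250.129")]
FLOWS = [  # (src, sport, dst, dport, proto)
    ("192.168.2.23", 55392, "154.205.155.97", 30751, "tcp"),
    ("192.168.2.23", 56791, "74.125.250.129", 19302, "udp"),
    ("192.168.2.23", 43928, "91.189.91.42", 443, "tcp"),
    ("192.168.2.23", 42836, "91.189.91.43", 443, "tcp"),
    ("192.168.2.23", 42516, "109.202.202.202", 80, "tcp"),
]
ASN_BY_IP = {  # from the report's IP table
    "109.202.202.202": "INIT7CH",
    "154.205.155.97": "IKGUL-26484US",
    "74.125.250.129": "GOOGLEUS",
    "91.189.91.43": "CANONICAL-ASGB",
    "91.189.91.42": "CANONICAL-ASGB",
}

WELL_KNOWN_PORTS = {22, 25, 53, 80, 123, 443, 3478, 19302}
# ASNs the analysis VM reaches by itself (Ubuntu mirrors in the context tables); an assumption of this example.
BACKGROUND_ASNS = {"CANONICAL-ASGB", "INIT7CH"}


def rank_destinations(flows, dns_answers, asn_by_ip):
    """Score each public destination; higher means more likely a hard-coded C2 than sandbox background."""
    resolved = {ip for _name, ip in dns_answers}
    endpoints = defaultdict(set)
    for _src, _sport, dst, dport, proto in flows:
        addr = ipaddress.ip_address(dst)
        if addr.is_private or addr.is_loopback:
            continue                                   # local listeners such as 127.0.0.1:22448 are not C2
        endpoints[dst].add((proto, dport))
    ranked = []
    for dst, eps in endpoints.items():
        score, reasons = 0, []
        if dst not in resolved:
            score += 2
            reasons.append("no DNS answer carried this IP (hard-coded address)")
        if any(port not in WELL_KNOWN_PORTS for _proto, port in eps):
            score += 1
            reasons.append("non-standard destination port")
        if asn_by_ip.get(dst) in BACKGROUND_ASNS:
            score -= 2
            reasons.append("ASN is sandbox background traffic")
        ranked.append((dst, max(score, 0), sorted(eps), reasons))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for dst, score, eps, reasons in rank_destinations(FLOWS, DNS_ANSWERS, ASN_BY_IP):
        print(f"{score}  {dst:16} {eps}  {'; '.join(reasons) or 'resolved, well-known port'}")
```

The reasons list is what makes the score reviewable: the Canonical addresses are also "no DNS" hits, and only the background-ASN rule separates them from the C2, so that rule has to be maintained per sandbox image rather than copied between environments.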
Context: IPs (other samples in the Joe Sandbox corpus that contacted the same address; detection and threat name as reported)
109.202.202.202: kpLwzBouH4.elf (malicious, Unknown); context URL: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
154.205.155.97: nimips.elf, mips.elf, arm.elf, mpsl.elf (all malicious, Unknown)
91.189.91.43: arm5.elf, sh4.elf, miner.elf, .i.elf (malicious, Unknown); na.elf x6 (malicious, Prometei)
91.189.91.42: arm5.elf, sh4.elf, sshd.elf, .i.elf, miner.elf (malicious, Unknown); na.elf x5 (malicious, Prometei)
Context: Domains: no context
Context: ASNs (other samples that contacted the same autonomous system, with the IP they used)
CANONICAL-ASGB: arm5.elf, sh4.elf, sshd.elf, .i.elf, miner.elf (malicious, Unknown); na.elf x5 (malicious, Prometei); all via 91.189.91.42
IKGUL-26484US:
  • KKveTTgaAAsecNNaaaa.i686.elf (malicious, Unknown) via 156.235.27.101
  • nimips.elf (malicious, Unknown) via 154.205.155.97
  • resgod.m68k.elf (malicious, Mirai) via 156.249.231.151
  • resgod.arm5.elf (malicious, Mirai) via 156.249.231.183
  • mips.elf (malicious, Unknown) via 154.205.155.97
  • arm.elf (malicious, Unknown) via 154.205.155.97
  • aarch64.elf (malicious, Unknown) via 154.205.157.159
  • mpsl.elf (malicious, Unknown) via 154.205.155.97
  • cbr.arm5.elf (malicious, Mirai) via 156.249.231.178
  • tmips.elf (malicious, Unknown) via 156.238.135.163
INIT7CH: arm5.elf, sh4.elf, sshd.elf, .i.elf, miner.elf (malicious, Unknown); na.elf x5 (malicious, Prometei); all via 109.202.202.202
Context: JA3 fingerprints: no context
Context: Dropped files: no context
Dropped file 1 of 2
Process:/tmp/arm6.elf
File Type:data
Category:dropped
Size (bytes):14
Entropy (8bit):3.521640636343319
Encrypted:false
SSDEEP:3:Tgj03:Tgw3
MD5:3F57B2990E079DDED19A289B2C2D9845
SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
Malicious:false
Reputation:low
Preview:/tmp/arm6.elf.

Dropped file 2 of 2 (identical content and hashes to the first)
Process:/tmp/arm6.elf
File Type:data
Category:dropped
Size (bytes):14
Entropy (8bit):3.521640636343319
Encrypted:false
SSDEEP:3:Tgj03:Tgw3
MD5:3F57B2990E079DDED19A289B2C2D9845
SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
Malicious:false
Reputation:low
Preview:/tmp/arm6.elf.
Static file info

File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.115303143710904
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:arm6.elf
File size:88'544 bytes
MD5:6286f73879f3d70d467d0a82ca4ae60a
SHA1:ec2b368ef4eec98a4634a5c3a50deaa2300f51ea
SHA256:5f95dcf28055850254b498d149bc79f880414b3fb6876bd9fb9db30ee3910699
SHA512:51f31ec7b18bf78faf88558c0871cc00fdd57a41856e05d4f4f0f5bc04ae39f9c9eba9d26810d23c588626d2bcf493417d775600bc8fe792194101ab580b3869
SSDEEP:1536:EenuniCE4Lt7FqsS84xoYFPuT7VcFXoaYG6hr2PvT3OD8++3zC+RzLro/:0il4Lt7YxoePIS6Bhr2aD/ezV/o
TLSH:DB831846B8409B2AC5D017BEFE1E528D33232FB8E3DE32029D156B2577DB95A0E3B451
File Content Preview:.ELF..............(.....l...4....W......4. ...(........p.U...........................................V...V...............V...V...V......$G..........Q.td.............................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:ARM
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x816c
Flags:0x4000002
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:4
Section Header Offset:88024
Section Header Size:40
Number of Section Headers:13
Header String Table Index:12
Section headers

Name         Type        Address  Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
(empty)      NULL        0x0      0x0      0x0      0x0      0x0                       0     0     0
.init        PROGBITS    0x80b4   0xb4     0x14     0x0      0x6    AX                 0     0     1
.text        PROGBITS    0x80c8   0xc8     0x140a8  0x0      0x6    AX                 0     0     4
.fini        PROGBITS    0x1c170  0x14170  0x14     0x0      0x6    AX                 0     0     1
.rodata      PROGBITS    0x1c188  0x14188  0x1458   0x0      0x2    A                  0     0     8
.ARM.exidx   ARM_EXIDX   0x1d5e0  0x155e0  0xc8     0x0      0x82   AL                 2     0     4
.eh_frame    PROGBITS    0x256a8  0x156a8  0x4      0x0      0x3    WA                 0     0     4
.init_array  INIT_ARRAY  0x256ac  0x156ac  0x4      0x0      0x3    WA                 0     0     4
.fini_array  FINI_ARRAY  0x256b0  0x156b0  0x4      0x0      0x3    WA                 0     0     4
.got         PROGBITS    0x256b8  0x156b8  0x28     0x4      0x3    WA                 0     0     4
.data        PROGBITS    0x256e0  0x156e0  0x94     0x0      0x3    WA                 0     0     4
.bss         NOBITS      0x25778  0x15774  0x4654   0x0      0x3    WA                 0     0     8
.shstrtab    STRTAB      0x0      0x15774  0x62     0x0      0x0                       0     0     1
Program headers

Type       Offset   Virtual Addr  Physical Addr  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
EXIDX      0x155e0  0x1d5e0       0x1d5e0        0xc8       0xc8         4.2676   0x4    R                  0x4                       .ARM.exidx
LOAD       0x0      0x8000        0x8000         0x156a8    0x156a8      6.1273   0x5    R E                0x8000                    .init .text .fini .rodata .ARM.exidx
LOAD       0x156a8  0x256a8       0x256a8        0xcc       0x4724       3.5444   0x6    RW                 0x8000                    .eh_frame .init_array .fini_array .got .data .bss
GNU_STACK  0x0      0x0           0x0            0x0        0x0          0.0000   0x7    RWE                0x4

Two points matter for exploitation and evasion here: PT_GNU_STACK carries RWE, so the kernel maps the stack executable, and there is no PT_INTERP entry, so no dynamic loader runs and the binary is loaded at the fixed address 0x8000 (ET_EXEC, no PIE). The code and data segments themselves are not W+X.
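The two tables above are what readelf prints; the checks a reverser actually wants from them (executable stack, missing interpreter, W+X segments, decoded ARM e_flags) are shown by the following added Python example. It is not code from the report or from the sample's author. The image it parses is constructed in memory from the header and program-header values listed above (section headers are omitted, so e_shoff points past the buffer), and the rule that a missing PT_GNU_STACK is treated as an executable stack is an assumption stated in the code.

```python
"""ELF32 header and program-header triage: reproduces the readelf-style
tables from raw bytes and flags the loader properties that matter for
exploitation and evasion (executable stack, static linking, W+X)."""
import struct

# Constants from the generic ELF and ARM ELF ABI specifications.
EM_ARM = 40
ET_EXEC = 2
PT_LOAD, PT_INTERP = 1, 3
PT_GNU_STACK = 0x6474E551
PT_ARM_EXIDX = 0x70000001
PF_X, PF_W, PF_R = 1, 2, 4
EF_ARM_HASENTRY = 0x00000002
EF_ARM_EABIMASK = 0xFF000000

EHDR32 = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, 52 bytes
PHDR32 = struct.Struct("<8I")                 # Elf32_Phdr, 32 bytes
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
               "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
               "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz",
               "p_memsz", "p_flags", "p_align")
PT_NAMES = {PT_LOAD: "LOAD", PT_INTERP: "INTERP",
            PT_GNU_STACK: "GNU_STACK", PT_ARM_EXIDX: "EXIDX"}


def parse_ehdr(buf):
    """Unpack a little-endian ELF32 header; refuse anything else."""
    if buf[:4] != b"\x7fELF" or buf[4] != 1 or buf[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    return dict(zip(EHDR_FIELDS, EHDR32.unpack_from(buf, 0)))


def parse_phdrs(buf, ehdr):
    """Walk the program header table: e_phnum entries of e_phentsize at e_phoff."""
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, PHDR32.unpack_from(buf, off))))
    return phdrs


def flags_str(p_flags):
    """Render p_flags the way the report does: 'R E', 'RW ', 'RWE'."""
    return "".join(c if p_flags & bit else " "
                   for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def triage(buf):
    """Summarise the loader-visible properties a reverser checks first."""
    ehdr = parse_ehdr(buf)
    phdrs = parse_phdrs(buf, ehdr)
    types = {p["p_type"] for p in phdrs}
    loads = [p for p in phdrs if p["p_type"] == PT_LOAD]
    stack = [p for p in phdrs if p["p_type"] == PT_GNU_STACK]
    return {
        "arm": ehdr["e_machine"] == EM_ARM,
        "entry": ehdr["e_entry"],
        "eabi_version": (ehdr["e_flags"] & EF_ARM_EABIMASK) >> 24,
        "has_entry": bool(ehdr["e_flags"] & EF_ARM_HASENTRY),
        # No PT_INTERP: nothing requests a dynamic loader, so the binary is static.
        "static": PT_INTERP not in types,
        # Assumption: a missing PT_GNU_STACK is treated as an executable stack
        # (the conservative reading of the kernel default on 32-bit ARM).
        "exec_stack": not stack or bool(stack[0]["p_flags"] & PF_X),
        "wx_segments": [flags_str(p["p_flags"]) for p in loads
                        if p["p_flags"] & PF_W and p["p_flags"] & PF_X],
        "bss_bytes": sum(p["p_memsz"] - p["p_filesz"] for p in loads),
        "segments": [(PT_NAMES.get(p["p_type"], hex(p["p_type"])),
                      flags_str(p["p_flags"])) for p in phdrs],
    }


def build_sample_image():
    """Constructed 180-byte image: the header plus the four program headers
    with the values the report lists for arm6.elf (sections omitted)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = EHDR32.pack(e_ident, ET_EXEC, EM_ARM, 1, 0x816C, 52, 88024,
                       0x4000002, 52, 32, 4, 40, 13, 12)
    phdrs = [
        (PT_ARM_EXIDX, 0x155E0, 0x1D5E0, 0x1D5E0, 0xC8, 0xC8, PF_R, 0x4),
        (PT_LOAD, 0x0, 0x8000, 0x8000, 0x156A8, 0x156A8, PF_R | PF_X, 0x8000),
        (PT_LOAD, 0x156A8, 0x256A8, 0x256A8, 0xCC, 0x4724, PF_R | PF_W, 0x8000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 0x4),
    ]
    return ehdr + b"".join(PHDR32.pack(*p) for p in phdrs)


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(f"{key:>13}: {value}")
```

Run against a real file, `triage(open(path, "rb").read())` gives the same dict; the section-level facts (stripped .symtab, no .dynamic) need a section-header walk, which is the same `unpack_from` loop over e_shoff with an `<10I` struct.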


Network traffic

• Total Packets: 25
• 30751 (no registered service; TCP to 154.205.155.97)
• 19302 (STUN, UDP to stun.l.google.com)
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)
TCP packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Mar 16, 2025 02:37:32.672538042 CET  43928     443       192.168.2.23     91.189.91.42
Mar 16, 2025 02:37:33.624716997 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:37:33.629513979 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:37:33.629650116 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:37:34.211220026 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:37:34.211347103 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:37:34.299360991 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:37:34.299549103 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:37:38.047920942 CET  42836     443       192.168.2.23     91.189.91.43
Mar 16, 2025 02:37:39.684118986 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:37:39.688915014 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:37:46.777801991 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:37:46.778109074 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:37:53.149837017 CET  43928     443       192.168.2.23     91.189.91.42
Mar 16, 2025 02:37:59.293088913 CET  42516     80        192.168.2.23     109.202.202.202
Mar 16, 2025 02:38:01.792449951 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:38:01.797838926 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:01.797904968 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:38:01.803947926 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:05.436141968 CET  42836     443       192.168.2.23     91.189.91.43
Mar 16, 2025 02:38:21.699794054 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:38:21.704554081 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:21.704627991 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:38:21.709333897 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:34.104197979 CET  43928     443       192.168.2.23     91.189.91.42
Mar 16, 2025 02:38:39.560969114 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:38:39.565725088 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:39.565789938 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:38:39.570378065 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:46.879168034 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:38:46.879292011 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:39:01.892668962 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:39:01.898190022 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:39:01.898258924 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:39:01.902901888 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:39:21.905864954 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:39:21.910617113 CET  30751     55392     154.205.155.97   192.168.2.23
Mar 16, 2025 02:39:21.910686016 CET  55392     30751     192.168.2.23     154.205.155.97
Mar 16, 2025 02:39:21.915339947 CET  30751     55392     154.205.155.97   192.168.2.23

All traffic to 154.205.155.97:30751 rides one connection from source port 55392 that stays open for the whole run, with client-initiated exchanges roughly every 20 seconds; the address is never looked up in DNS, so it is embedded in the sample. The attempts to 91.189.91.42:443, 91.189.91.43:443 (repeated from the same source ports) and 109.202.202.202:80 receive no reply packet in the capture.
UDP packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Mar 16, 2025 02:37:34.639908075 CET  40420     53        192.168.2.23     8.8.8.8
Mar 16, 2025 02:37:34.649274111 CET  53        40420     8.8.8.8          192.168.2.23
Mar 16, 2025 02:37:34.649770021 CET  56791     19302     192.168.2.23     74.125.250.129
Mar 16, 2025 02:37:35.135612011 CET  19302     56791     74.125.250.129   192.168.2.23
DNS query

Timestamp: Mar 16, 2025 02:37:34.639908075 CET
Source IP: 192.168.2.23
Dest IP: 8.8.8.8
Trans ID: 0x9706
OP Code: Standard query (0)
Name: stun.l.google.com
Type: A (IP address)
Class: IN (0x0001)
DNS over HTTPS: false

DNS answer

Timestamp: Mar 16, 2025 02:37:34.649274111 CET
Source IP: 8.8.8.8
Dest IP: 192.168.2.23
Trans ID: 0x9706
Reply Code: No error (0)
Name: stun.l.google.com
CName: (none)
Address: 74.125.250.129
Type: A (IP address)
Class: IN (0x0001)
DNS over HTTPS: false
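The detection logic an analyst would run over these packet and DNS tables (flow reconstruction, joining DNS answers to destinations, and scoring client-side periodicity so that a hard-coded C2 endpoint stands out from the STUN lookup and the unanswered HTTP/HTTPS attempts) as an added Python example; it is not code from the report or from its vendor. The packet excerpt and the DNS answer are constructed from the rows above; the protocol column is inferred (the DNS and STUN rows as UDP, the rest as TCP), and the burst gap, the tolerance and the well-known-port set are assumed thresholds.

```python
"""Flow triage over a sandbox packet table: rebuild per-connection
statistics, join DNS answers to destinations, and score beaconing so
that a hard-coded C2 endpoint stands out from the STUN and HTTP noise."""
from datetime import datetime
from statistics import median

# Constructed excerpt of the report's TCP and UDP packet tables
# (proto is inferred: DNS and STUN rows are UDP, everything else TCP).
PACKETS = """\
tcp 02:37:32.672538 43928 443 192.168.2.23 91.189.91.42
tcp 02:37:33.624717 55392 30751 192.168.2.23 154.205.155.97
tcp 02:37:33.629514 30751 55392 154.205.155.97 192.168.2.23
tcp 02:37:33.629650 55392 30751 192.168.2.23 154.205.155.97
udp 02:37:34.639908 40420 53 192.168.2.23 8.8.8.8
udp 02:37:34.649274 53 40420 8.8.8.8 192.168.2.23
udp 02:37:34.649770 56791 19302 192.168.2.23 74.125.250.129
udp 02:37:35.135612 19302 56791 74.125.250.129 192.168.2.23
tcp 02:37:39.684119 55392 30751 192.168.2.23 154.205.155.97
tcp 02:37:39.688915 30751 55392 154.205.155.97 192.168.2.23
tcp 02:37:59.293089 42516 80 192.168.2.23 109.202.202.202
tcp 02:38:01.792450 55392 30751 192.168.2.23 154.205.155.97
tcp 02:38:01.797839 30751 55392 154.205.155.97 192.168.2.23
tcp 02:38:21.699794 55392 30751 192.168.2.23 154.205.155.97
tcp 02:38:21.704554 30751 55392 154.205.155.97 192.168.2.23
tcp 02:38:39.560969 55392 30751 192.168.2.23 154.205.155.97
tcp 02:38:39.565725 30751 55392 154.205.155.97 192.168.2.23
tcp 02:39:01.892669 55392 30751 192.168.2.23 154.205.155.97
tcp 02:39:21.905865 55392 30751 192.168.2.23 154.205.155.97
"""
# From the report's DNS answer: stun.l.google.com -> 74.125.250.129
DNS_ANSWERS = {"74.125.250.129": "stun.l.google.com"}
WELL_KNOWN = {53, 80, 443}   # assumed: ports not treated as "non-standard"
BURST_GAP = 1.0              # assumed: client packets closer than 1 s form one burst
TOLERANCE = 0.25             # assumed: +/-25% of the median interval counts as regular


def parse(text):
    """Turn 'proto time sport dport src dst' lines into (proto, secs, src, dst)."""
    rows = []
    for line in text.splitlines():
        proto, ts, sport, dport, src, dst = line.split()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        rows.append((proto, secs, (src, int(sport)), (dst, int(dport))))
    return sorted(rows, key=lambda r: r[1])


def build_flows(rows):
    """Group packets into bidirectional flows; the first sender is the client."""
    flows = {}
    for proto, secs, src, dst in rows:
        key = (proto,) + tuple(sorted((src, dst)))
        f = flows.setdefault(key, {"proto": proto, "client": src, "server": dst,
                                   "c2s": 0, "s2c": 0, "client_times": [],
                                   "first": secs, "last": secs})
        if src == f["client"]:
            f["c2s"] += 1
            f["client_times"].append(secs)
        else:
            f["s2c"] += 1
        f["last"] = secs
    return list(flows.values())


def burst_intervals(times, gap=BURST_GAP):
    """Collapse client packets into bursts; return the gaps between burst starts."""
    starts, prev = [], None
    for t in sorted(times):
        if prev is None or t - prev >= gap:
            starts.append(t)
        prev = t
    return [b - a for a, b in zip(starts, starts[1:])]


def score(flow, dns_answers=DNS_ANSWERS):
    """Per-flow verdict: periodicity, DNS provenance and whether anyone answered."""
    iv = burst_intervals(flow["client_times"])
    med = median(iv) if iv else 0.0
    regular = [x for x in iv if med and abs(x - med) / med <= TOLERANCE]
    frac = len(regular) / len(iv) if iv else 0.0
    periodic = len(iv) >= 4 and frac >= 0.75
    name = dns_answers.get(flow["server"][0])
    return {
        "proto": flow["proto"], "client": flow["client"], "server": flow["server"],
        "name": name, "c2s": flow["c2s"], "s2c": flow["s2c"],
        "duration": flow["last"] - flow["first"],
        "median_interval": med, "periodic_fraction": frac, "periodic": periodic,
        "unanswered": flow["s2c"] == 0,
        # Hard-coded C2 signature: periodic client traffic to a non-standard port
        # on an address the sample never resolved through DNS.
        "c2_candidate": periodic and flow["server"][1] not in WELL_KNOWN and name is None,
    }


def triage_flows(text=PACKETS, dns_answers=DNS_ANSWERS):
    """Map (client, server) -> verdict for every flow in the table."""
    return {(f["client"], f["server"]): score(f, dns_answers)
            for f in build_flows(parse(text))}


if __name__ == "__main__":
    for (client, server), v in triage_flows().items():
        tag = "C2?" if v["c2_candidate"] else ("no reply" if v["unanswered"] else "ok")
        print(f"{v['proto']} {client[0]}:{client[1]} -> {server[0]}:{server[1]} "
              f"{v['name'] or '(no DNS)'} c2s={v['c2s']} s2c={v['s2c']} "
              f"median={v['median_interval']:.1f}s {tag}")
```

The burst grouping is what keeps the TCP handshake ACK from polluting the interval list; the median plus a tolerance band, rather than a standard deviation, is what lets the one short 6 s gap at the start of the session not hide the ~20 s rhythm of the rest.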

System Behavior

Start time (UTC): 01:37:32
Start date (UTC): 16/03/2025
Path: /tmp/arm6.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Note that this size does not match the ELF described above, whose section header table ends at offset 88024 + 13 × 40 = 88544 bytes; the size and hash recorded here describe the image the sandbox executed, not the 88 KB ARM ELF itself.