
Linux Analysis Report
aarch64.elf

Overview

General Information

Sample name: aarch64.elf
Analysis ID: 1639680
MD5: 66e355a69e468e3aa68106b80cbf6bf7
SHA1: b037f3db8c03a76d19a9b2b0184cccf71fe95a4a
SHA256: 8fbdb5a6465be5957cbacc7384cd3efb2e466354e7a4b9dd06828fd3d3925ab0
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100

Signatures

Connects to many ports of the same IP (likely port scanning)
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (figure): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious.
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1639680
Start date and time: 2025-03-16 02:40:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: aarch64.elf
Detection: MAL
Classification: mal48.troj.linELF@0/2@3/0
Command: /tmp/aarch64.elf
PID: 5579
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • aarch64.elf (PID: 5579, Parent: 5491, MD5: 02e8e39e1b46472a60d128a6da84a2b8) Arguments: /tmp/aarch64.elf
  • cleanup
No yara matches
No Suricata rule has matched



Networking

Source: global traffic; TCP traffic: 154.205.155.243 ports 5102, 40237, 0, 2, 3, 4, 7
Source: unknown; DNS query: name: stun.l.google.com
Source: global traffic; TCP traffic: 192.168.2.14:45410 -> 154.205.155.243:40237
Source: global traffic; TCP traffic: 192.168.2.14:37532 -> 156.244.14.93:12016
Source: global traffic; UDP traffic: 192.168.2.14:58247 -> 74.125.250.129:19302
Source: /tmp/aarch64.elf (PID: 5581); Socket: 127.0.0.1:22448
Source: unknown; TCP traffic detected without corresponding DNS query: 154.205.155.243 (reported 23 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 156.244.14.93 (reported 6 times)
Source: global traffic; DNS traffic detected: DNS query: stun.l.google.com
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal48.troj.linELF@0/2@3/0
Source: /tmp/aarch64.elf (PID: 5579); File opened: /proc/<PID>/cmdline for 105 PIDs, in the order reported:
3760, 3761, 1583, 2672, 110, 3759, 111, 112, 113, 234, 1577, 114, 235, 115, 116, 117, 118, 119, 10, 917, 3758, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1593, 240, 120, 3094, 121, 242, 3406, 1, 122, 243, 2, 123, 244, 1589, 3, 124, 245, 1588, 125, 4, 246, 3402, 126, 5, 247, 127, 6, 248, 128, 7, 249, 8, 129, 800, 9, 801, 803, 20, 806, 21, 807, 928, 22, 23, 24, 25, 26, 27, 28, 29, 3420, 490, 250, 130, 251, 131, 252, 132, 253, 254, 255, 135, 256, 1599, 257, 378, 258, 3412, 259, 30, 35, 1371, 260, 261, 262
Source: /tmp/aarch64.elf (PID: 5579); Queries kernel information via 'uname'
Source: aarch64.elf, 5579.1.000055b15b4fe000.000055b15b5c9000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/aarch64
Source: aarch64.elf, 5579.1.0000000000425000.0000000000432000.rw-.sdmp; Binary or memory string: vmware
Source: aarch64.elf, 5579.1.0000000000425000.0000000000432000.rw-.sdmp; Binary or memory string: qemu-arm
Source: aarch64.elf, 5579.1.000055b15b4fe000.000055b15b5c9000.rw-.sdmp; Binary or memory string: U1/etc/qemu-binfmt/aarch64O
Source: aarch64.elf, 5579.1.0000000000425000.0000000000432000.rw-.sdmp; Binary or memory string: BWcDwXR44ZAkzslsN0 a1gCWFxqAHsFWFMWT3YA!a1gAWFxuAXsFWUgBRQAA!a1gAWFxuAXsAWUgKRXgA!a1gAWFxuAXsAWEgJR3IA!a10CWFxuAHsGWVcWQHAA!a10CWFxuAHsGWVcWQHUA!aFwAWF9uA3sGW0gLRgAA!aFwAWFlpG2QBW0gJTwAA!qemu-arm2QBW0gJTwAA!vmware!/bin/bash!/bin/dash!/bin/shh!/proc/mountsa
Source: aarch64.elf, 5579.1.00007ffff57fb000.00007ffff581c000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-aarch64/tmp/aarch64.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/aarch64.elf
Source: aarch64.elf, 5579.1.00007ffff57fb000.00007ffff581c000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-aarch64
MITRE ATT&CK matrix (grid flattened in extraction). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques carrying a hit badge in the grid: OS Credential Dumping (1), Security Software Discovery (11), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1). The remaining cells are the unhit template entries of the grid.
No configs have been found
Behavior graph (ID: 1639680; Sample: aarch64.elf; Startdate: 16/03/2025; Architecture: LINUX; Score: 48):
  • aarch64.elf started; it in turn started a second aarch64.elf process
  • stun.l.google.com contacted
  • 154.205.155.243 contacted on ports 40237, 45410, 48750 (IKGUL-26484US, Seychelles)
  • 2 other IPs or domains contacted
  • Signatures shown on the graph: Connects to many ports of the same IP (likely port scanning); Uses STUN server to do NAT traversal

Antivirus detection (Source; Detection; Scanner; Label)
aarch64.elf: 6%, Virustotal
aarch64.elf: 8%, ReversingLabs, Linux.Trojan.Mirai
No Antivirus matches

Domains
Name: stun.l.google.com; IP: 74.125.250.129; Active: true; Malicious: false; Antivirus Detection: none; Reputation: high

IPs
IP               Domain             Country        ASN     ASN Name                              Malicious
154.205.155.243  unknown            Seychelles     26484   IKGUL-26484US                         true
156.244.14.93    unknown            Seychelles     132839  POWERLINE-AS-APPOWERLINEDATACENTERHK  false
74.125.250.129   stun.l.google.com  United States  15169   GOOGLEUS                              false

IP context (Match; Associated Sample Name; Detection; Threat Name)
154.205.155.243: nimips.elf (malicious, Unknown)
156.244.14.93: sh4.elf (malicious, Unknown); nimips.elf (malicious, Unknown); arm6.elf (malicious, Unknown)

Domain context
No context

ASN context (Match; Associated Sample Name; Detection; Threat Name; contacted IP)
IKGUL-26484US:
  • arm6.elf (malicious, Unknown) via 154.205.155.97
  • KKveTTgaAAsecNNaaaa.i686.elf (malicious, Unknown) via 156.235.27.101
  • nimips.elf (malicious, Unknown) via 154.205.155.97
  • resgod.m68k.elf (malicious, Mirai) via 156.249.231.151
  • resgod.arm5.elf (malicious, Mirai) via 156.249.231.183
  • mips.elf (malicious, Unknown) via 154.205.155.97
  • arm.elf (malicious, Unknown) via 154.205.155.97
  • aarch64.elf (malicious, Unknown) via 154.205.157.159
  • mpsl.elf (malicious, Unknown) via 154.205.155.97
  • cbr.arm5.elf (malicious, Mirai) via 156.249.231.178
POWERLINE-AS-APPOWERLINEDATACENTERHK:
  • sh4.elf (malicious, Unknown) via 156.244.14.93
  • ppc.elf (malicious, Unknown) via 156.244.45.113
  • arm.elf (malicious, Unknown) via 156.244.45.113
  • KKveTTgaAAsecNNaaaa.x86.elf (malicious, Unknown) via 147.78.152.244
  • boatnet.mips.elf (malicious, Mirai) via 156.253.227.112
  • boatnet.ppc.elf (malicious, Mirai) via 156.253.227.112
  • boatnet.m68k.elf (malicious, Mirai) via 156.253.227.112
  • boatnet.sh4.elf (malicious, Mirai) via 156.253.227.112
  • boatnet.mpsl.elf (malicious, Mirai) via 156.253.227.112
  • boatnet.spc.elf (malicious, Mirai) via 156.253.227.112

No context
Dropped files

Process: /tmp/aarch64.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 17
Entropy (8bit): 3.8521687236032816
Encrypted: false
SSDEEP: 3:Tg80l:Tg8c
MD5: 6EA4D0DB8D845A86C7B09CF0667A2CB5
SHA1: CE980AAA61B3974BA1C86B48D56CAA6A2BE3E9A1
SHA-256: 9AA96AD31F9C5CB1D9FAA1939C33156D29F6EB7FF422C58541452493FEA19ECD
SHA-512: A43E0EF92BDE7860BB256540693113AE6594F12017132F7408425FC03074FFE05121C4320FD6126F66802528583AB7A54D3FABBA3E70EB1D9DABFA816EBAFFD9
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/aarch64.elf.

A second dropped file record follows in the report with identical process, file type, size, entropy, hashes, reputation and preview.
Static file info

File type: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.395986722300879
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: aarch64.elf
File size: 83'840 bytes
MD5: 66e355a69e468e3aa68106b80cbf6bf7
SHA1: b037f3db8c03a76d19a9b2b0184cccf71fe95a4a
SHA256: 8fbdb5a6465be5957cbacc7384cd3efb2e466354e7a4b9dd06828fd3d3925ab0
SHA512: f47ef1a35d34d884ce965caf08a8ecee466374d10b0eccc5b99dee21934e97802d364e264cbd33f78b44fab6bf09772d4502f26a1382b6bef2ca69cbb1f7b146
SSDEEP: 1536:mmBLzjeRlQlvD4oTeEisVJCLtjXkNsgI:DLzDl74oTeEi1XaJI
TLSH: A8838DB8790F7D91D3C7D379DE558A72712F74E0C3B192A4BE12932EC0D39AA8AD0491
File Content Preview: .ELF......................@.....@........D..........@.8...@.......................@.......@......7.......7.......................?.......?B......?B..... ................................?.......?B......?B.............................Q.td...................

            ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: AArch64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x400990
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 4
Section Header Offset: 83072
Section Header Size: 64
Number of Section Headers: 12
Header String Table Index: 11
Section headers

Name         Type        Address   Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
-            NULL        0x0       0x0      0x0      0x0      0x0    -                  0     0     0
.init        PROGBITS    0x400158  0x158    0x10     0x0      0x6    AX                 0     0     4
.text        PROGBITS    0x400180  0x180    0x11b10  0x0      0x6    AX                 0     0     64
.fini        PROGBITS    0x411c90  0x11c90  0x10     0x0      0x6    AX                 0     0     4
.rodata      PROGBITS    0x411ca0  0x11ca0  0x1b1c   0x0      0x2    A                  0     0     16
.tbss        NOBITS      0x423f08  0x13f08  0x8      0x0      0x403  WAT                0     0     4
.init_array  INIT_ARRAY  0x423f08  0x13f08  0x8      0x8      0x3    WA                 0     0     8
.fini_array  FINI_ARRAY  0x423f10  0x13f10  0x8      0x8      0x3    WA                 0     0     8
.got         PROGBITS    0x423f18  0x13f18  0xd0     0x8      0x3    WA                 0     0     8
.data        PROGBITS    0x424000  0x14000  0x428    0x0      0x3    WA                 0     0     8
.bss         NOBITS      0x424428  0x14428  0x7ca8   0x0      0x3    WA                 0     0     8
.shstrtab    STRTAB      0x0       0x14428  0x53     0x0      0x0    -                  0     0     1

Program headers

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x137bc    0x137bc      6.5533   0x5    R E                0x10000  -                 .init .text .fini .rodata
LOAD       0x13f08  0x423f08         0x423f08          0x520      0x81c8       2.8173   0x6    RW                 0x10000  -                 .tbss .init_array .fini_array .got .data .bss
TLS        0x13f08  0x423f08         0x423f08          0x0        0x8          0.0000   0x4    R                  0x4      -                 .tbss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x8      -                 -

Network behavior

  • Total Packets: 35
  • Ports observed: 40237 (undefined), 19302 (undefined), 12016 (undefined), 5102 (undefined), 53 (DNS)
TCP packets

Timestamp                          Source Port  Dest Port  Source IP        Dest IP
Mar 16, 2025 02:41:06.022854090 CET  45410  40237  192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:06.027962923 CET  40237  45410  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:06.028038979 CET  45410  40237  192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:06.585680008 CET  40237  45410  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:06.585957050 CET  45410  40237  192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:06.672297955 CET  40237  45410  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:06.672529936 CET  45410  40237  192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:11.011971951 CET  45410  40237  192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:11.017167091 CET  40237  45410  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:11.177823067 CET  40237  45410  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:11.178116083 CET  45410  40237  192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:11.185555935 CET  40237  45410  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:12.179883957 CET  37532  12016  192.168.2.14     156.244.14.93
Mar 16, 2025 02:41:12.184654951 CET  12016  37532  156.244.14.93    192.168.2.14
Mar 16, 2025 02:41:12.184715033 CET  37532  12016  192.168.2.14     156.244.14.93
Mar 16, 2025 02:41:12.750833988 CET  12016  37532  156.244.14.93    192.168.2.14
Mar 16, 2025 02:41:12.751075983 CET  37532  12016  192.168.2.14     156.244.14.93
Mar 16, 2025 02:41:12.839025021 CET  12016  37532  156.244.14.93    192.168.2.14
Mar 16, 2025 02:41:12.839165926 CET  37532  12016  192.168.2.14     156.244.14.93
Mar 16, 2025 02:41:16.101929903 CET  37532  12016  192.168.2.14     156.244.14.93
Mar 16, 2025 02:41:16.108357906 CET  12016  37532  156.244.14.93    192.168.2.14
Mar 16, 2025 02:41:16.268837929 CET  12016  37532  156.244.14.93    192.168.2.14
Mar 16, 2025 02:41:16.269025087 CET  37532  12016  192.168.2.14     156.244.14.93
Mar 16, 2025 02:41:16.274954081 CET  12016  37532  156.244.14.93    192.168.2.14
Mar 16, 2025 02:41:17.270759106 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:17.275856972 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:17.275914907 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:17.828757048 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:17.828850985 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:17.914838076 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:17.914900064 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:22.082627058 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:22.087353945 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:37.097512960 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:37.102185011 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:37.102253914 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:37.106842041 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:42.000853062 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:42.001096964 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:57.015728951 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:57.021089077 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:41:57.021141052 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:41:57.027379036 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:42:15.208174944 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:42:15.213262081 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:42:15.213334084 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:42:15.218684912 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:42:34.601954937 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:42:34.606779099 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:42:34.606842995 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:42:34.612324953 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:42:50.095345020 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:42:50.095556974 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:43:05.110337019 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:43:05.115351915 CET  5102   48750  154.205.155.243  192.168.2.14
Mar 16, 2025 02:43:05.115403891 CET  48750  5102   192.168.2.14     154.205.155.243
Mar 16, 2025 02:43:05.120095015 CET  5102   48750  154.205.155.243  192.168.2.14
UDP packets

Timestamp                          Source Port  Dest Port  Source IP       Dest IP
Mar 16, 2025 02:41:07.032466888 CET  46876  53     192.168.2.14    8.8.8.8
Mar 16, 2025 02:41:07.041876078 CET  53     46876  8.8.8.8         192.168.2.14
Mar 16, 2025 02:41:07.042560101 CET  58247  19302  192.168.2.14    74.125.250.129
Mar 16, 2025 02:41:07.505835056 CET  19302  58247  74.125.250.129  192.168.2.14
Mar 16, 2025 02:41:13.181561947 CET  58722  53     192.168.2.14    8.8.8.8
Mar 16, 2025 02:41:13.189035892 CET  53     58722  8.8.8.8         192.168.2.14
Mar 16, 2025 02:41:13.189249039 CET  59255  19302  192.168.2.14    74.125.250.129
Mar 16, 2025 02:41:13.644614935 CET  19302  59255  74.125.250.129  192.168.2.14
Mar 16, 2025 02:41:18.272559881 CET  42990  53     192.168.2.14    8.8.8.8
Mar 16, 2025 02:41:18.281044006 CET  53     42990  8.8.8.8         192.168.2.14
Mar 16, 2025 02:41:18.281198025 CET  42489  19302  192.168.2.14    74.125.250.129
Mar 16, 2025 02:41:18.739037991 CET  19302  42489  74.125.250.129  192.168.2.14
DNS queries (Timestamp; Source IP; Dest IP; Trans ID; OP Code; Name; Type; Class; DNS over HTTPS)
Mar 16, 2025 02:41:07.032466888 CET; 192.168.2.14; 8.8.8.8; 0x4b0f; Standard query (0); stun.l.google.com; A (IP address); IN (0x0001); false
Mar 16, 2025 02:41:13.181561947 CET; 192.168.2.14; 8.8.8.8; 0x8fa4; Standard query (0); stun.l.google.com; A (IP address); IN (0x0001); false
Mar 16, 2025 02:41:18.272559881 CET; 192.168.2.14; 8.8.8.8; 0xce8f; Standard query (0); stun.l.google.com; A (IP address); IN (0x0001); false

DNS answers (Timestamp; Source IP; Dest IP; Trans ID; Reply Code; Name; CName; Address; Type; Class; DNS over HTTPS)
Mar 16, 2025 02:41:07.041876078 CET; 8.8.8.8; 192.168.2.14; 0x4b0f; No error (0); stun.l.google.com; -; 74.125.250.129; A (IP address); IN (0x0001); false
Mar 16, 2025 02:41:13.189035892 CET; 8.8.8.8; 192.168.2.14; 0x8fa4; No error (0); stun.l.google.com; -; 74.125.250.129; A (IP address); IN (0x0001); false
Mar 16, 2025 02:41:18.281044006 CET; 8.8.8.8; 192.168.2.14; 0xce8f; No error (0); stun.l.google.com; -; 74.125.250.129; A (IP address); IN (0x0001); false

            System Behavior

Start time (UTC): 01:41:05
Start date (UTC): 16/03/2025
Path: /tmp/aarch64.elf
Arguments: -
File size: 5706200 bytes
MD5 hash: 02e8e39e1b46472a60d128a6da84a2b8