Linux Analysis Report
arm7.elf

Overview

General Information

Sample name:arm7.elf
Analysis ID:1639687
MD5:635b6388d86af61017e8f3e83431b6e7
SHA1:1822953a69b69730a75b3aaacb36f3c711c40b20
SHA256:fccdde510e6dce01530d73df68fb3d976853905f5f1b5226d103b557ccebd089
Tags:elf, Mirai, user-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Uses STUN server to do NAT traversial
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1639687
Start date and time:2025-03-16 02:45:14 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm7.elf
Detection:MAL
Classification:mal56.troj.linELF@0/2@1/0
Command:/tmp/arm7.elf
PID:5561
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • arm7.elf (PID: 5561, Parent: 5487, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm7.elf
    • arm7.elf New Fork (PID: 5565, Parent: 5561)
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: arm7.elf, Virustotal: Detection: 14%

Networking

Source: global traffic, TCP traffic: 154.205.155.97 ports 56190,0,1,5,6,9
Source: unknown, DNS query: name: stun.l.google.com
Source: global traffic, TCP traffic: 192.168.2.15:48688 -> 154.205.155.97:56190
Source: global traffic, UDP traffic: 192.168.2.15:55801 -> 74.125.250.129:19302
Source: /tmp/arm7.elf (PID: 5565), Socket: 127.0.0.1:22448
Source: unknown, TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: global traffic, DNS traffic detected: DNS query: stun.l.google.com
Source: arm7.elf, 5561.1.00007fcf70037000.00007fcf70041000.rw-.sdmp, String found in binary or memory: http://17365637265742070617373776F7264206D656D6F721/t/wget.sh
Source: ELF static info symbol of initial sample, .symtab present: no
Source: classification engine, Classification label: mal56.troj.linELF@0/2@1/0
Source: /tmp/arm7.elf (PID: 5561), Queries kernel information via 'uname'
Source: arm7.elf, 5561.1.00007fff7c6e2000.00007fff7c703000.rw-.sdmp, Binary or memory string: V/tmp/qemu-open.6Fg0XH:
Source: arm7.elf, 5561.1.00007fcf70037000.00007fcf70041000.rw-.sdmp, Binary or memory string: vmwarem
Source: arm7.elf, 5561.1.00007fcf70037000.00007fcf70041000.rw-.sdmp, Binary or memory string: vmware
Source: arm7.elf, 5561.1.00007fcf70037000.00007fcf70041000.rw-.sdmp, Binary or memory string: qemu-arm
Source: arm7.elf, 5561.1.00007fff7c6e2000.00007fff7c703000.rw-.sdmp, Binary or memory string: /tmp/qemu-open.6Fg0XH
Source: arm7.elf, 5561.1.00007fcf70037000.00007fcf70041000.rw-.sdmp, Binary or memory string: qemu-arm)Zm6vnZ5U4mf8vApyWcDwXR44ZAkzslsN)(
Source: arm7.elf, 5561.1.000056191e0df000.000056191e22e000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 5561.1.000056191e0df000.000056191e22e000.rw-.sdmp, Binary or memory string: V!/etc/qemu-binfmt/arm
Source: arm7.elf, 5561.1.00007fff7c6e2000.00007fff7c703000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 5561.1.00007fff7c6e2000.00007fff7c703000.rw-.sdmp, Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
[Behavior graph: ID: 1639687, Sample: arm7.elf, Startdate: 16/03/2025, Architecture: LINUX, Score: 56]
Source | Detection | Scanner | Label
arm7.elf | 14% | Virustotal |
arm7.elf | 11% | ReversingLabs | Linux.Trojan.Mirai
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
stun.l.google.com | 74.125.250.129 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://17365637265742070617373776F7264206D656D6F721/t/wget.sh | arm7.elf, 5561.1.00007fcf70037000.00007fcf70041000.rw-.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
154.205.155.97 | unknown | Seychelles | 26484 | IKGUL-26484US | true
74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLEUS | false

Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.205.155.97 | arm6.elf | malicious | Unknown |
154.205.155.97 | nimips.elf | malicious | Unknown |
154.205.155.97 | mips.elf | malicious | Unknown |
154.205.155.97 | arm.elf | malicious | Unknown |
154.205.155.97 | mpsl.elf | malicious | Unknown |
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
IKGUL-26484US | aarch64.elf | malicious | Unknown | 154.205.155.243
IKGUL-26484US | arm6.elf | malicious | Unknown | 154.205.155.97
IKGUL-26484US | KKveTTgaAAsecNNaaaa.i686.elf | malicious | Unknown | 156.235.27.101
IKGUL-26484US | nimips.elf | malicious | Unknown | 154.205.155.97
IKGUL-26484US | resgod.m68k.elf | malicious | Mirai | 156.249.231.151
IKGUL-26484US | resgod.arm5.elf | malicious | Mirai | 156.249.231.183
IKGUL-26484US | mips.elf | malicious | Unknown | 154.205.155.97
IKGUL-26484US | arm.elf | malicious | Unknown | 154.205.155.97
IKGUL-26484US | aarch64.elf | malicious | Unknown | 154.205.157.159
IKGUL-26484US | mpsl.elf | malicious | Unknown | 154.205.155.97
No context
No context

                Process:/tmp/arm7.elf
                File Type:data
                Category:dropped
                Size (bytes):14
                Entropy (8bit):3.521640636343319
                Encrypted:false
                SSDEEP:3:TgiLG:TgiC
                MD5:451AC90F7FA61D0393D6A5A02158D369
                SHA1:5A7D458802462B80F94A9CDA24E2C877437A8E34
                SHA-256:E2D543300D643CEF7698E750F74E8499993E346EF765FA2061EB5DFAF8D77E48
                SHA-512:EF1D000F5B8BB5AFD4F6CB347FBE0FA0E97608B8C3839B6B44CB9828E5522396B334AE37148FCD2064A423B3DDD0C8874EF7019023A84B36E3893E50353F06FE
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:/tmp/arm7.elf.
                File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                Entropy (8bit):6.10373359894316
                TrID:
                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                File name:arm7.elf
                File size:95'976 bytes
                MD5:635b6388d86af61017e8f3e83431b6e7
                SHA1:1822953a69b69730a75b3aaacb36f3c711c40b20
                SHA256:fccdde510e6dce01530d73df68fb3d976853905f5f1b5226d103b557ccebd089
                SHA512:1c4cf3d61a1182f094dadbb120d19ed03919b7fa029f64d7830a3478a0f95a887dc41c539c0448793c50b4a120f38ee6df256aa2892a1b7cd0648d138a1fb1c2
                SSDEEP:1536:XXnnb3iCvbY7t0XXs68ojlDzrF26SyyzYp2taPvcemTqDtU2ylIOiCayPv0/V5w:Hu4bY7t0nXzR4s2ta3cemTqLSayn0t5w
                TLSH:4F93184AF9819F15D4D512BAFE4E528A33632BACE3EE3202DD245B2137CE55B0E77412

                ELF header

                Class:ELF32
                Data:2's complement, little endian
                Version:1 (current)
                Machine:ARM
                Version Number:0x1
                Type:EXEC (Executable file)
                OS/ABI:UNIX - System V
                ABI Version:0
                Entry Point Address:0x8194
                Flags:0x4000002
                ELF Header Size:52
                Program Header Offset:52
                Program Header Size:32
                Number of Program Headers:5
                Section Header Offset:95376
                Section Header Size:40
                Number of Section Headers:15
                Header String Table Index:14
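
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80d4 | 0xd4 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80f0 | 0xf0 | 0x15570 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x1d660 | 0x15660 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1d670 | 0x15670 | 0x1948 | 0x0 | 0x2 | A | 0 | 0 | 8
.ARM.extab | PROGBITS | 0x1efb8 | 0x16fb8 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 4
.ARM.exidx | ARM_EXIDX | 0x1efd0 | 0x16fd0 | 0x118 | 0x0 | 0x82 | AL | 2 | 0 | 4
.eh_frame | PROGBITS | 0x270e8 | 0x170e8 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.tbss | NOBITS | 0x270ec | 0x170ec | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x270ec | 0x170ec | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x270f0 | 0x170f0 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x270f8 | 0x170f8 | 0xa8 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x271a0 | 0x171a0 | 0x27c | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x2741c | 0x1741c | 0x6f64 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x1741c | 0x73 | 0x0 | 0x0 | | 0 | 0 | 1

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
EXIDX | 0x16fd0 | 0x1efd0 | 0x1efd0 | 0x118 | 0x118 | 4.4442 | 0x4 | R | 0x4 | | .ARM.exidx
LOAD | 0x0 | 0x8000 | 0x8000 | 0x170e8 | 0x170e8 | 6.1207 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD | 0x170e8 | 0x270e8 | 0x270e8 | 0x334 | 0x7298 | 4.1586 | 0x6 | RW | 0x8000 | | .eh_frame .tbss .init_array .fini_array .got .data .bss
TLS | 0x170ec | 0x270ec | 0x270ec | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | | .tbss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |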


                • Total Packets: 19
                • 56190 undefined
                • 19302 undefined
                • 53 (DNS)

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 02:46:12.208096981 CET | 38124 | 53 | 192.168.2.15 | 8.8.8.8
Mar 16, 2025 02:46:12.226238012 CET | 53 | 38124 | 8.8.8.8 | 192.168.2.15
Mar 16, 2025 02:46:12.226953983 CET | 55801 | 19302 | 192.168.2.15 | 74.125.250.129
Mar 16, 2025 02:46:12.850130081 CET | 19302 | 55801 | 74.125.250.129 | 192.168.2.15

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 16, 2025 02:46:12.208096981 CET | 192.168.2.15 | 8.8.8.8 | 0x2da2 | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 16, 2025 02:46:12.226238012 CET | 8.8.8.8 | 192.168.2.15 | 0x2da2 | No error (0) | stun.l.google.com | | 74.125.250.129 | A (IP address) | IN (0x0001) | false

                System Behavior

                Start time (UTC):01:46:10
                Start date (UTC):16/03/2025
                Path:/tmp/arm7.elf
                Arguments:-
                File size:4956856 bytes
                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1