
Linux Analysis Report
sync.x86_64.elf

Overview

General Information

Sample name: sync.x86_64.elf
Analysis ID: 1641110
MD5: 6d20edf391bf0b003ffc092ada1708f6
SHA1: 86d6d9b3dfd74074d0418b3709873b654b280a6c
SHA256: fb9fdc7659b15d75717abf27824805686a4ea93bd1b674705be230080d9c15cd
Tags: elf, Mirai, user-abuse_ch

Detection

Score:72
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Performs DNS TXT record lookups
Sample deletes itself
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sleeps for long times indicative of sandbox evasion
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1641110
Start date and time:2025-03-18 03:10:01 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:sync.x86_64.elf
Detection:MAL
Classification:mal72.evad.linELF@0/0@15/0
Command:/tmp/sync.x86_64.elf
PID:6256
Exit Code:1
Exit Code Info:
Killed:False
Standard Output:
syncne
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
sync.x86_64.elf | Linux_Trojan_Gafgyt_9e9530a7 | unknown | unknown
  • 0x8004:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
sync.x86_64.elf | Linux_Trojan_Gafgyt_807911a2 | unknown | unknown
  • 0x87f3:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
sync.x86_64.elf | Linux_Trojan_Gafgyt_d4227dbf | unknown | unknown
  • 0x60be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • 0x9ffc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
sync.x86_64.elf | Linux_Trojan_Gafgyt_d996d335 | unknown | unknown
  • 0xadfe:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
sync.x86_64.elf | Linux_Trojan_Gafgyt_620087b9 | unknown | unknown
  • 0x83b3:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
(1 further entry not shown in the report)
Source | Rule | Description | Author | Strings
6256.1.0000000000400000.000000000040e000.r-x.sdmp | Linux_Trojan_Gafgyt_9e9530a7 | unknown | unknown
  • 0x8004:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
6256.1.0000000000400000.000000000040e000.r-x.sdmp | Linux_Trojan_Gafgyt_807911a2 | unknown | unknown
  • 0x87f3:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
6256.1.0000000000400000.000000000040e000.r-x.sdmp | Linux_Trojan_Gafgyt_d4227dbf | unknown | unknown
  • 0x60be:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
  • 0x9ffc:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
6256.1.0000000000400000.000000000040e000.r-x.sdmp | Linux_Trojan_Gafgyt_d996d335 | unknown | unknown
  • 0xadfe:$a: D0 EB 0F 40 38 37 75 04 48 89 F8 C3 49 FF C8 48 FF C7 4D 85 C0
6256.1.0000000000400000.000000000040e000.r-x.sdmp | Linux_Trojan_Gafgyt_620087b9 | unknown | unknown
  • 0x83b3:$a: 48 89 D8 48 83 C8 01 EB 04 48 8B 76 10 48 3B 46 08 72 F6 48 8B
(1 further entry not shown in the report)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-18T03:11:04.938830+0100 | 2013514 | 1 | A Network Trojan was detected | 192.168.2.23 | 46743 | 8.8.8.8 | 53 | UDP


AV Detection

Source: sync.x86_64.elf, Virustotal: Detection: 44%
Source: sync.x86_64.elfReversingLabs: Detection: 41%

Networking

Source: Network traffic, Suricata IDS: 2013514 - Severity 1 - ET MALWARE Potential DNS Command and Control via TXT queries : 192.168.2.23:46743 -> 8.8.8.8:53
Source: global traffic, TCP traffic: 192.168.2.23:39472 -> 185.194.205.79:61003
Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown, DNS traffic detected: query: dnsresolve.socialgains.cf, reply code: Name error (3)
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown, TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown, TCP traffic detected without corresponding DNS query: 185.194.205.79
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.0.0.1
Source: global traffic, DNS traffic detected: DNS query: dnsresolve.socialgains.cf
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: sync.x86_64.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_9e9530a7, Author: unknown
Source: sync.x86_64.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_807911a2, Author: unknown
Source: sync.x86_64.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_d4227dbf, Author: unknown
Source: sync.x86_64.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_d996d335, Author: unknown
Source: sync.x86_64.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_620087b9, Author: unknown
Source: sync.x86_64.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_33b4111a, Author: unknown
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_9e9530a7, Author: unknown
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_807911a2, Author: unknown
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_d4227dbf, Author: unknown
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_d996d335, Author: unknown
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_620087b9, Author: unknown
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_33b4111a, Author: unknown
Source: ELF static info symbol of initial sample, .symtab present: no
Source: sync.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: sync.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: sync.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: sync.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: sync.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: sync.x86_64.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 6256.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: classification engine, Classification label: mal72.evad.linELF@0/0@15/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/sync.x86_64.elf (PID: 6256), File: /tmp/sync.x86_64.elf
Source: /tmp/sync.x86_64.elf (PID: 6258), Sleeps longer than 60s: 60.0s
Source: /tmp/sync.x86_64.elf (PID: 6258), Sleeps longer than 60s: 60.0s

HIPS / PFW / Operating System Protection Evasion

Source: Traffic, DNS traffic detected: queries for: dnsresolve.socialgains.cf
MITRE ATT&CK matrix (matched techniques only; the unmatched template cells of the matrix are omitted):
  • Defense Evasion: Virtualization/Sandbox Evasion (1), File Deletion (1)
  • Discovery: Virtualization/Sandbox Evasion (1)
  • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
No configs have been found
Behavior Graph (ID: 1641110, Sample: sync.x86_64.elf, Startdate: 18/03/2025, Architecture: LINUX, Score: 72)
  • Network nodes: dnsresolve.socialgains.cf; 109.202.202.202:80 (INIT7CH, Switzerland); 3 other IPs or domains
  • Signatures on the sample: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file
  • Process sync.x86_64.elf started: Performs DNS TXT record lookups (dnsresolve.socialgains.cf); Sample deletes itself
  • Child process sync.x86_64.elf started, which in turn started a further sync.x86_64.elf process
Source | Detection | Scanner | Label
sync.x86_64.elf | 44% | Virustotal |
sync.x86_64.elf | 42% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
dnsresolve.socialgains.cf | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.194.205.79 | unknown | France | 204145 | HTSENSEFR | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.194.205.79 | sync.sh4.elf | malicious | Unknown |
185.194.205.79 | sync.superh.elf | malicious | Unknown |
185.194.205.79 | sync.x86.elf | malicious | Unknown |
185.194.205.79 | sync.superh.elf | malicious | Unknown |
185.194.205.79 | sync.mipsel.elf | malicious | Unknown |
185.194.205.79 | sync.arm5.elf | malicious | Unknown |
185.194.205.79 | sync.arm4.elf | malicious | Unknown |
185.194.205.79 | sync.x86_64.elf | malicious | Unknown |
185.194.205.79 | sync.arm4.elf | malicious | Unknown |
185.194.205.79 | sync.sh4.elf | malicious | Unknown |
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 | sync.x86.elf | malicious | Unknown |
91.189.91.43 | sync.mipsel.elf | malicious | Unknown |
91.189.91.43 | sync.arm6.elf | malicious | Unknown |
91.189.91.43 | sync.mips.elf | malicious | Unknown |
91.189.91.43 | gigab.mips.elf | malicious | Unknown |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.42 | sync.x86.elf | malicious | Unknown |
91.189.91.42 | sync.mipsel.elf | malicious | Unknown |
91.189.91.42 | sync.arm6.elf | malicious | Unknown |
91.189.91.42 | sync.mips.elf | malicious | Unknown |
91.189.91.42 | gigab.mips.elf | malicious | Unknown |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | sync.x86.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | sync.mipsel.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | sync.arm6.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 185.125.190.26
CANONICAL-ASGB | sync.mips.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | gigab.mips.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
HTSENSEFR | sync.sh4.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.superh.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.x86.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.superh.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.mipsel.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.arm5.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.arm4.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.x86_64.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.arm4.elf | malicious | Unknown | 185.194.205.79
HTSENSEFR | sync.sh4.elf | malicious | Unknown | 185.194.205.79
INIT7CH | sync.x86.elf | malicious | Unknown | 109.202.202.202
INIT7CH | sync.mipsel.elf | malicious | Unknown | 109.202.202.202
INIT7CH | sync.arm6.elf | malicious | Unknown | 109.202.202.202
INIT7CH | sync.mips.elf | malicious | Unknown | 109.202.202.202
INIT7CH | gigab.mips.elf | malicious | Unknown | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
                                                                No context
                                                                No context
                                                                No created / dropped files found
                                                                File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                                                Entropy (8bit):6.290390250530607
                                                                TrID:
                                                                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                                File name:sync.x86_64.elf
                                                                File size:55'984 bytes
                                                                MD5:6d20edf391bf0b003ffc092ada1708f6
                                                                SHA1:86d6d9b3dfd74074d0418b3709873b654b280a6c
                                                                SHA256:fb9fdc7659b15d75717abf27824805686a4ea93bd1b674705be230080d9c15cd
                                                                SHA512:f9e926053cc72d7f503f416fc3f8068121cae5d69dff975fd9f30c65b84a9e592bb769948bd7026c05e6cba3e9e0a08a306c79edb047fa0a12e2585ba182a8f1
                                                                SSDEEP:1536:oYxC+UXAtjIQuH/DYivsyuWjb6nkTImWT3:jxC+UXMIZbHvaWjb8wImWT3
                                                                TLSH:9C435C572541D0FCC5A9C2794A5FF166E133B07C1238B62B77E8EE6B2A47D702F2A148
                                                                File Content Preview:.ELF..............>.......@.....@.......0...........@.8...@.......................@.......@...............................................P.......P.....8.......................Q.td....................................................H...._....Z...H........

                                                                ELF header

                                                                Class:ELF64
                                                                Data:2's complement, little endian
                                                                Version:1 (current)
                                                                Machine:Advanced Micro Devices X86-64
                                                                Version Number:0x1
                                                                Type:EXEC (Executable file)
                                                                OS/ABI:UNIX - System V
                                                                ABI Version:0
                                                                Entry Point Address:0x400194
                                                                Flags:0x0
                                                                ELF Header Size:64
                                                                Program Header Offset:64
                                                                Program Header Size:56
                                                                Number of Program Headers:3
                                                                Section Header Offset:55344
                                                                Section Header Size:64
                                                                Number of Section Headers:10
                                                                Header String Table Index:9
Name       Type      Address   Offset  Size    EntSize  Flags  Flags Description  Link  Info  Align
           NULL      0x0       0x0     0x0     0x0      0x0                       0     0     0
.init      PROGBITS  0x4000e8  0xe8    0x13    0x0      0x6    AX                 0     0     1
.text      PROGBITS  0x400100  0x100   0xb186  0x0      0x6    AX                 0     0     16
.fini      PROGBITS  0x40b286  0xb286  0xe     0x0      0x6    AX                 0     0     1
.rodata    PROGBITS  0x40b2a0  0xb2a0  0x2010  0x0      0x2    A                  0     0     32
.ctors     PROGBITS  0x50d2b8  0xd2b8  0x10    0x0      0x3    WA                 0     0     8
.dtors     PROGBITS  0x50d2c8  0xd2c8  0x10    0x0      0x3    WA                 0     0     8
.data      PROGBITS  0x50d2e0  0xd2e0  0x510   0x0      0x3    WA                 0     0     32
.bss       NOBITS    0x50d800  0xd7f0  0xeba8  0x0      0x3    WA                 0     0     32
.shstrtab  STRTAB    0x0       0xd7f0  0x3e    0x0      0x0                       0     0     1
Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align     Prog Interpreter  Section Mappings
LOAD       0x0     0x400000         0x400000          0xd2b0     0xd2b0       6.3771   0x5    R E                0x100000                    .init .text .fini .rodata
LOAD       0xd2b8  0x50d2b8         0x50d2b8          0x538      0xf0f0       2.8750   0x6    RW                 0x100000                    .ctors .dtors .data .bss
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x8


Timestamp                        SID      Signature                                                     Severity  Source IP     Source Port  Dest IP  Dest Port  Protocol
2025-03-18T03:11:04.938830+0100  2013514  ET MALWARE Potential DNS Command and Control via TXT queries  1         192.168.2.23  46743        8.8.8.8  53         UDP
                                                                • Total Packets: 27
                                                                • 61003 undefined
                                                                • 443 (HTTPS)
                                                                • 80 (HTTP)
                                                                • 53 (DNS)
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 18, 2025 03:10:51.538434982 CET  43928        443        192.168.2.23    91.189.91.42
Mar 18, 2025 03:10:56.913578987 CET  42836        443        192.168.2.23    91.189.91.43
Mar 18, 2025 03:10:58.449368954 CET  42516        80         192.168.2.23    109.202.202.202
Mar 18, 2025 03:11:05.967130899 CET  39472        61003      192.168.2.23    185.194.205.79
Mar 18, 2025 03:11:05.972045898 CET  61003        39472      185.194.205.79  192.168.2.23
Mar 18, 2025 03:11:05.972136021 CET  39472        61003      192.168.2.23    185.194.205.79
Mar 18, 2025 03:11:05.972193003 CET  39472        61003      192.168.2.23    185.194.205.79
Mar 18, 2025 03:11:05.976850986 CET  61003        39472      185.194.205.79  192.168.2.23
Mar 18, 2025 03:11:13.039436102 CET  43928        443        192.168.2.23    91.189.91.42
Mar 18, 2025 03:11:23.277934074 CET  42836        443        192.168.2.23    91.189.91.43
Mar 18, 2025 03:11:29.421092033 CET  42516        80         192.168.2.23    109.202.202.202
Mar 18, 2025 03:11:53.993798018 CET  43928        443        192.168.2.23    91.189.91.42
Mar 18, 2025 03:12:06.019021988 CET  39472        61003      192.168.2.23    185.194.205.79
Mar 18, 2025 03:12:06.023752928 CET  61003        39472      185.194.205.79  192.168.2.23
Mar 18, 2025 03:12:06.222471952 CET  61003        39472      185.194.205.79  192.168.2.23
Mar 18, 2025 03:12:06.222588062 CET  39472        61003      192.168.2.23    185.194.205.79
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Mar 18, 2025 03:10:49.733297110 CET  56053        53         192.168.2.23  1.1.1.1
Mar 18, 2025 03:10:49.757920027 CET  53           56053      1.1.1.1       192.168.2.23
Mar 18, 2025 03:10:50.760077000 CET  55311        53         192.168.2.23  1.0.0.1
Mar 18, 2025 03:10:50.879028082 CET  53           55311      1.0.0.1       192.168.2.23
Mar 18, 2025 03:10:51.881104946 CET  48051        53         192.168.2.23  1.0.0.1
Mar 18, 2025 03:10:52.017631054 CET  53           48051      1.0.0.1       192.168.2.23
Mar 18, 2025 03:10:53.019819021 CET  44864        53         192.168.2.23  1.1.1.1
Mar 18, 2025 03:10:53.145407915 CET  53           44864      1.1.1.1       192.168.2.23
Mar 18, 2025 03:10:54.147566080 CET  51067        53         192.168.2.23  1.1.1.1
Mar 18, 2025 03:10:54.337634087 CET  53           51067      1.1.1.1       192.168.2.23
Mar 18, 2025 03:10:55.339767933 CET  38384        53         192.168.2.23  1.1.1.1
Mar 18, 2025 03:10:55.459651947 CET  53           38384      1.1.1.1       192.168.2.23
Mar 18, 2025 03:10:56.461705923 CET  50877        53         192.168.2.23  1.0.0.1
Mar 18, 2025 03:10:56.486341000 CET  53           50877      1.0.0.1       192.168.2.23
Mar 18, 2025 03:10:57.488291979 CET  59475        53         192.168.2.23  1.0.0.1
Mar 18, 2025 03:10:57.673618078 CET  53           59475      1.0.0.1       192.168.2.23
Mar 18, 2025 03:10:58.675499916 CET  46209        53         192.168.2.23  8.8.4.4
Mar 18, 2025 03:10:58.703572989 CET  53           46209      8.8.4.4       192.168.2.23
Mar 18, 2025 03:10:59.705576897 CET  52679        53         192.168.2.23  1.1.1.1
Mar 18, 2025 03:10:59.843813896 CET  53           52679      1.1.1.1       192.168.2.23
Mar 18, 2025 03:11:00.846321106 CET  52651        53         192.168.2.23  8.8.8.8
Mar 18, 2025 03:11:00.862832069 CET  53           52651      8.8.8.8       192.168.2.23
Mar 18, 2025 03:11:01.865541935 CET  46807        53         192.168.2.23  1.0.0.1
Mar 18, 2025 03:11:01.891017914 CET  53           46807      1.0.0.1       192.168.2.23
Mar 18, 2025 03:11:02.893122911 CET  38615        53         192.168.2.23  8.8.4.4
Mar 18, 2025 03:11:02.908725977 CET  53           38615      8.8.4.4       192.168.2.23
Mar 18, 2025 03:11:03.911286116 CET  47273        53         192.168.2.23  1.1.1.1
Mar 18, 2025 03:11:03.935933113 CET  53           47273      1.1.1.1       192.168.2.23
Mar 18, 2025 03:11:04.938829899 CET  46743        53         192.168.2.23  8.8.8.8
Mar 18, 2025 03:11:04.964786053 CET  53           46743      8.8.8.8       192.168.2.23
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                       Type      Class        DNS over HTTPS
Mar 18, 2025 03:10:49.733297110 CET  192.168.2.23  1.1.1.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:50.760077000 CET  192.168.2.23  1.0.0.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:51.881104946 CET  192.168.2.23  1.0.0.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:53.019819021 CET  192.168.2.23  1.1.1.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:54.147566080 CET  192.168.2.23  1.1.1.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:55.339767933 CET  192.168.2.23  1.1.1.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:56.461705923 CET  192.168.2.23  1.0.0.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:57.488291979 CET  192.168.2.23  1.0.0.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:58.675499916 CET  192.168.2.23  8.8.4.4  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:59.705576897 CET  192.168.2.23  1.1.1.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:00.846321106 CET  192.168.2.23  8.8.8.8  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:01.865541935 CET  192.168.2.23  1.0.0.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:02.893122911 CET  192.168.2.23  8.8.4.4  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:03.911286116 CET  192.168.2.23  1.1.1.1  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:04.938829899 CET  192.168.2.23  8.8.8.8  0xc4b1    Standard query (0)  dnsresolve.socialgains.cf  16 (TXT)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code      Name                       CName  Address  Type      Class        DNS over HTTPS
Mar 18, 2025 03:10:49.757920027 CET  1.1.1.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:50.879028082 CET  1.0.0.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:52.017631054 CET  1.0.0.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:53.145407915 CET  1.1.1.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:54.337634087 CET  1.1.1.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:55.459651947 CET  1.1.1.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:56.486341000 CET  1.0.0.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:57.673618078 CET  1.0.0.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:58.703572989 CET  8.8.4.4    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:10:59.843813896 CET  1.1.1.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:00.862832069 CET  8.8.8.8    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:01.891017914 CET  1.0.0.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:02.908725977 CET  8.8.4.4    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:03.935933113 CET  1.1.1.1    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false
Mar 18, 2025 03:11:04.964786053 CET  8.8.8.8    192.168.2.23  0xc4b1    Name error (3)  dnsresolve.socialgains.cf  none   none     16 (TXT)  IN (0x0001)  false

                                                                System Behavior

                                                                Start time (UTC):02:10:49
                                                                Start date (UTC):18/03/2025
                                                                Path:/tmp/sync.x86_64.elf
                                                                Arguments:/tmp/sync.x86_64.elf
                                                                File size:55984 bytes
                                                                MD5 hash:6d20edf391bf0b003ffc092ada1708f6

                                                                Start time (UTC):02:10:49
                                                                Start date (UTC):18/03/2025
                                                                Path:/tmp/sync.x86_64.elf
                                                                Arguments:-
                                                                File size:55984 bytes
                                                                MD5 hash:6d20edf391bf0b003ffc092ada1708f6

                                                                Start time (UTC):02:10:49
                                                                Start date (UTC):18/03/2025
                                                                Path:/tmp/sync.x86_64.elf
                                                                Arguments:-
                                                                File size:55984 bytes
                                                                MD5 hash:6d20edf391bf0b003ffc092ada1708f6