
Linux Analysis Report
m-6.8-k.Sakura.elf

Overview

General Information

Sample name: m-6.8-k.Sakura.elf
Analysis ID: 1641238
MD5: e0b40cf058c3a27e20c605918848882d
SHA1: b7ca7048ae8d3e136a1cdc351822b79492071e04
SHA256: b3f8e9436b1411ddb610781065b9a188297ad45e1eab3c092a68f8f8886e0a21
Tags: user-elfdigest

Detection

Gafgyt, Mirai
Score: 100
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Gafgyt
Yara detected Mirai
Opens /proc/net/* files useful for finding connected devices and routers
Detected TCP or UDP traffic on non-standard ports
Sample contains strings that are user agent strings indicative of HTTP manipulation
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1641238
Start date and time: 2025-03-18 04:39:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: m-6.8-k.Sakura.elf
Detection: MAL
Classification: mal100.spre.troj.linELF@0/0@0/0
  • VT rate limit hit for: 103.77.246.204:55555
Command: /tmp/m-6.8-k.Sakura.elf
PID: 6295
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches (Source; Rule; Description; Author):
Source: m-6.8-k.Sakura.elf; Rule: JoeSecurity_Gafgyt; Description: Yara detected Gafgyt; Author: Joe Security
Source: m-6.8-k.Sakura.elf; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Source: m-6.8-k.Sakura.elf; Rule: Linux_Trojan_Gafgyt_28a2fe0c; Description: unknown; Author: unknown
Source: 6295.1.00007fb550017000.00007fb55002f000.r-x.sdmp; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Source: 6295.1.00007fb550017000.00007fb55002f000.r-x.sdmp; Rule: Linux_Trojan_Gafgyt_28a2fe0c; Description: unknown; Author: unknown
Source: 6297.1.00007fb550017000.00007fb55002f000.r-x.sdmp; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Source: 6297.1.00007fb550017000.00007fb55002f000.r-x.sdmp; Rule: Linux_Trojan_Gafgyt_28a2fe0c; Description: unknown; Author: unknown
Source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6295; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Suricata IDS alert:
Timestamp: 2025-03-18T04:39:54.499413+0100; SID: 2846526; Severity: 1; Classtype: A Network Trojan was detected; Source IP: 192.168.2.23; Source Port: 49922; Destination IP: 103.77.246.204; Destination Port: 55555; Protocol: TCP



            AV Detection

Source: m-6.8-k.Sakura.elf; Avira: detected
Source: m-6.8-k.Sakura.elf; Malware Configuration Extractor: Gafgyt {"C2 url": "103.77.246.204:55555"}
Source: m-6.8-k.Sakura.elf; Virustotal: Detection: 65%
Source: m-6.8-k.Sakura.elf; ReversingLabs: Detection: 63%

            Spreading

Source: /tmp/m-6.8-k.Sakura.elf (PID: 6295); Opens: /proc/net/route

            Networking

Source: Network traffic; Suricata IDS: 2846526 - Severity 1 - ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin : 192.168.2.23:49922 -> 103.77.246.204:55555
Source: global traffic; TCP traffic: 192.168.2.23:49922 -> 103.77.246.204:55555
Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown; TCP traffic detected without corresponding DNS query: 103.77.246.204
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown; TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown; TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443

            System Summary

Source: m-6.8-k.Sakura.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6295.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6297.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6295, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6297, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: m-6.8-k.Sakura.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6295.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6297.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6295, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6297, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine; Classification label: mal100.spre.troj.linELF@0/0@0/0
Source: /tmp/m-6.8-k.Sakura.elf (PID: 6295); Queries kernel information via 'uname'
Source: m-6.8-k.Sakura.elf, 6295.1.00007ffedb217000.00007ffedb238000.rw-.sdmp, m-6.8-k.Sakura.elf, 6297.1.00007ffedb217000.00007ffedb238000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/m-6.8-k.Sakura.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m-6.8-k.Sakura.elf
Source: m-6.8-k.Sakura.elf, 6295.1.0000561e1b936000.0000561e1ba64000.rw-.sdmp, m-6.8-k.Sakura.elf, 6297.1.0000561e1b936000.0000561e1ba64000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/arm
Source: m-6.8-k.Sakura.elf, 6295.1.00007ffedb217000.00007ffedb238000.rw-.sdmp, m-6.8-k.Sakura.elf, 6297.1.00007ffedb217000.00007ffedb238000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-arm
Source: m-6.8-k.Sakura.elf, 6295.1.0000561e1b936000.0000561e1ba64000.rw-.sdmp, m-6.8-k.Sakura.elf, 6297.1.0000561e1b936000.0000561e1ba64000.rw-.sdmp; Binary or memory string: V!/etc/qemu-binfmt/arm

            Stealing of Sensitive Information

Source: Yara match; File source: m-6.8-k.Sakura.elf, type: SAMPLE
Source: Yara match; File source: m-6.8-k.Sakura.elf, type: SAMPLE
Source: Yara match; File source: 6295.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6297.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6295, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6297, type: MEMORYSTR
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

            Remote Access Functionality

Source: Yara match; File source: m-6.8-k.Sakura.elf, type: SAMPLE
Source: Yara match; File source: m-6.8-k.Sakura.elf, type: SAMPLE
Source: Yara match; File source: 6295.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6297.1.00007fb550017000.00007fb55002f000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6295, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: m-6.8-k.Sakura.elf PID: 6297, type: MEMORYSTR
MITRE ATT&CK matrix (techniques per tactic; a leading number is the matrix's own signature-count badge, kept as extracted):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 11 Security Software Discovery; 1 Remote System Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Data Obfuscation; 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Extracted malware configuration:
            {
              "C2 url": "103.77.246.204:55555"
            }
Behavior Graph ID: 1641238; Sample: m-6.8-k.Sakura.elf; Start date: 18/03/2025; Architecture: LINUX; Score: 100
Behavior graph (recovered from the rendered graph): contacted 103.77.246.204 (ports 49922, 55555; X4B-AS-AP X4B DDoS Protected Announcements AU, India) and 109.202.202.202 (port 80; INIT7CH, Switzerland), plus 2 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 4 other signatures; process m-6.8-k.Sakura.elf started, opens /proc/net/* files useful for finding connected devices and routers, and started a further m-6.8-k.Sakura.elf process, which in turn started a third m-6.8-k.Sakura.elf process.
Antivirus results (Source; Detection; Scanner; Label):
Source: m-6.8-k.Sakura.elf; Detection: 66%; Scanner: Virustotal
Source: m-6.8-k.Sakura.elf; Detection: 64%; Scanner: ReversingLabs; Label: Linux.Trojan.Gafgyt
Source: m-6.8-k.Sakura.elf; Detection: 100%; Scanner: Avira; Label: LINUX/Gafgyt.opnd
            No Antivirus matches


            No contacted domains info
Contacted IPs and ports (Name; Malicious; Antivirus Detection; Reputation):
Name: 103.77.246.204:55555; Malicious: true
Contacted IPs (IP; Domain; Country; ASN; ASN Name; Malicious):
IP: 109.202.202.202; Domain: unknown; Country: Switzerland; ASN: 13030; ASN Name: INIT7CH; Malicious: false
IP: 103.77.246.204; Domain: unknown; Country: India; ASN: 136165; ASN Name: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Malicious: true
IP: 91.189.91.43; Domain: unknown; Country: United Kingdom; ASN: 41231; ASN Name: CANONICAL-ASGB; Malicious: false
IP: 91.189.91.42; Domain: unknown; Country: United Kingdom; ASN: 41231; ASN Name: CANONICAL-ASGB; Malicious: false
IP context (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
Match: 109.202.202.202; Sample: kpLwzBouH4.elf; Detection: malicious; Threat Name: Unknown; Context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
Match: 91.189.91.43; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.43; Sample: main_arm7.elf; Detection: malicious; Threat Name: Mirai
Match: 91.189.91.43; Sample: EdiAf.m68k.elf; Detection: malicious; Threat Name: Mirai, Okiru
Match: 91.189.91.43; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.43; Sample: EdiAf.mips.elf; Detection: malicious; Threat Name: Unknown
Match: 91.189.91.43; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.43; Sample: hgfs.arm6.elf; Detection: malicious; Threat Name: Unknown
Match: 91.189.91.43; Sample: kaizen.sh4.elf; Detection: malicious; Threat Name: Mirai
Match: 91.189.91.43; Sample: boatnet.m68k.elf; Detection: malicious; Threat Name: Mirai
Match: 91.189.91.43; Sample: boatnet.arc.elf; Detection: malicious; Threat Name: Mirai
Match: 91.189.91.42; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.42; Sample: main_arm7.elf; Detection: malicious; Threat Name: Mirai
Match: 91.189.91.42; Sample: EdiAf.m68k.elf; Detection: malicious; Threat Name: Mirai, Okiru
Match: 91.189.91.42; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.42; Sample: EdiAf.mips.elf; Detection: malicious; Threat Name: Unknown
Match: 91.189.91.42; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.42; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.42; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.42; Sample: na.elf; Detection: malicious; Threat Name: Prometei
Match: 91.189.91.42; Sample: hgfs.arm6.elf; Detection: malicious; Threat Name: Unknown
                                                      No context
ASN context (Match; Associated Sample Name / URL; Detection; Threat Name; Context):
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: main_arm7.elf; Detection: malicious; Threat Name: Mirai; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: EdiAf.m68k.elf; Detection: malicious; Threat Name: Mirai, Okiru; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: EdiAf.mips.elf; Detection: malicious; Threat Name: Unknown; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 91.189.91.42
Match: CANONICAL-ASGB; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 185.125.190.26
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: smbhost.exe; Detection: malicious; Threat Name: Xmrig; Context: 103.249.70.7
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; URL: http://ff.members.gerane.vn/; Detection: malicious; Threat Name: Unknown; Context: 103.77.241.200
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: Address_verification_form_awb_shipping_documents_Invoice_Billof lading000000000000000000000.vbs; Detection: malicious; Threat Name: GuLoader; Context: 103.77.246.15
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: Tracking_Invoice_Awb_BL_00340434757340073972.vbs; Detection: malicious; Threat Name: Remcos, GuLoader; Context: 103.77.246.15
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: Invoice_Awb_BL_238415455_01408202_pdf.vbs; Detection: malicious; Threat Name: GuLoader; Context: 103.77.246.15
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: 7PY33AaMqH.elf; Detection: malicious; Threat Name: Mirai, Okiru; Context: 103.77.246.53
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: aFPlFda1sB.elf; Detection: malicious; Threat Name: Mirai, Gafgyt, Okiru; Context: 103.77.246.53
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: leKBCSdWnE.elf; Detection: malicious; Threat Name: Mirai, Gafgyt, Okiru; Context: 103.77.246.53
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: fHaEG1nZHb.elf; Detection: malicious; Threat Name: Mirai, Okiru; Context: 103.77.246.53
Match: X4B-AS-APX4BDDoSProtectedAnnouncementsAU; Sample: fSRhZKnZEu.elf; Detection: malicious; Threat Name: Mirai, Gafgyt, Okiru; Context: 103.77.246.53
Match: INIT7CH; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 109.202.202.202
Match: INIT7CH; Sample: main_arm7.elf; Detection: malicious; Threat Name: Mirai; Context: 109.202.202.202
Match: INIT7CH; Sample: EdiAf.m68k.elf; Detection: malicious; Threat Name: Mirai, Okiru; Context: 109.202.202.202
Match: INIT7CH; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 109.202.202.202
Match: INIT7CH; Sample: EdiAf.mips.elf; Detection: malicious; Threat Name: Unknown; Context: 109.202.202.202
Match: INIT7CH; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 109.202.202.202
Match: INIT7CH; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 109.202.202.202
Match: INIT7CH; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 109.202.202.202
Match: INIT7CH; Sample: na.elf; Detection: malicious; Threat Name: Prometei; Context: 109.202.202.202
Match: INIT7CH; Sample: hgfs.arm6.elf; Detection: malicious; Threat Name: Unknown; Context: 109.202.202.202
                                                      No context
                                                      No context
                                                      No created / dropped files found
                                                      File type:
                                                      Entropy (8bit):6.007119522948548
                                                      TrID:
                                                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                      File name:m-6.8-k.Sakura.elf
                                                      File size:159'896 bytes
                                                      MD5:e0b40cf058c3a27e20c605918848882d
                                                      SHA1:b7ca7048ae8d3e136a1cdc351822b79492071e04
                                                      SHA256:b3f8e9436b1411ddb610781065b9a188297ad45e1eab3c092a68f8f8886e0a21
                                                      SHA512:335db6720a0b394522824ab1826c04955321f932fa7f4d5cba3d1b049fa801067346a39f7f43bfb9308905b92995b2f04d6f10dc7daf230b6b87b6d10afb5b35
                                                      SSDEEP:3072:f1g2iIFdVzqKA7Y6ISag0/RMqnyLRM/9lzNmFwfBxKQodn:tg2VFdVzBA7fISan2qnydM/9/mFwfBxE
                                                      TLSH:76F33A05E6408B17C1E2277AE6CF824D33339B94A3DB33159938ABF43FC27995E26915
                                                      File Content Preview:.ELF..............(.........4...p.......4. ...(........p.z.......... ... ............................{...{...............{...{...{......(t...............{...{...{..................Q.td..................................-...L..................G.F.G.F.G.F.G.
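The static block above is what a triage step produces before detonation: hashes, size, 8-bit entropy and the first bytes of the ELF header. The following script, added here as an example and not Joe Sandbox's or the sample's code, computes those same figures and decodes the ELF header fields (class, endianness, e_type, e_machine, entry point) using the standard ELF32/ELF64 layout from elf.h. It runs on a constructed, minimal ELF32 header, not on the sample. Reading the preview line above by offset, the '(' at byte 18 is 0x28 (EM_ARM) and the '4' at byte 28 is 0x34 (a 52-byte ELF32 header), so this parser would report the sample as a 32-bit little-endian ARM executable; that is an inference from the preview bytes, not a field the report prints.

```python
"""Static triage of an ELF header (added example, not Joe Sandbox code)."""
import hashlib
import math
import struct
from collections import Counter

E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {0x03: "x86", 0x04: "m68k", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident and the fixed ELF32/ELF64 header fields (layout per elf.h)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("bad EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        fmt, size = endian + "HHIIIIIHHHHHH", 52   # ELF32: 36 bytes after the 16-byte e_ident
    elif ei_class == 2:
        fmt, size = endian + "HHIQQQIHHHHHH", 64   # ELF64: entry/phoff/shoff widen to 8 bytes
    else:
        raise ValueError("bad EI_CLASS")
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(fmt, data[16:size])
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "entry": e_entry, "phoff": e_phoff, "shoff": e_shoff,
        "phnum": e_phnum, "shnum": e_shnum,
    }


def triage(data: bytes) -> dict:
    """The hash/size/entropy/header fields an analyst records before detonation."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
        **parse_elf_header(data),
    }


def build_elf32_header(machine=0x28, little=True, entry=0x8190, phnum=4, shnum=20) -> bytes:
    """Constructed test input: a bare ELF32 header with no segments; not bytes from the sample."""
    e_ident = b"\x7fELF" + bytes([1, 1 if little else 2, 1, 0, 0]) + b"\x00" * 7
    fmt = ("<" if little else ">") + "HHIIIIIHHHHHH"
    # e_type=EXEC, e_machine, e_version=1, e_entry, e_phoff=52, e_shoff, e_flags=0,
    # e_ehsize=52, e_phentsize=32, e_phnum, e_shentsize=40, e_shnum, e_shstrndx
    return e_ident + struct.pack(fmt, 2, machine, 1, entry, 52, 0x70, 0, 52, 32, phnum, 40, shnum, shnum - 1)


if __name__ == "__main__":
    for k, v in triage(build_elf32_header()).items():
        print(f"{k:>8}: {v}")
```

Entropy close to 8.0 over a whole file usually means a packed or encrypted payload (UPX is common on Mirai/Gafgyt builds); the 6.0 reported above for this sample is in the range of ordinary statically linked code. The e_machine value also tells you whether a sample will run natively on your sandbox or needs user-mode emulation.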


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-18T04:39:54.499413+0100 | 2846526 | ETPRO MALWARE ELF/BASHLITE Variant CnC Checkin | 1 | 192.168.2.23 | 49922 | 103.77.246.204 | 55555 | TCP
                                                      • Total Packets: 18
• 55555 (no assigned service; the CnC check-in port from the alert above)
                                                      • 443 (HTTPS)
                                                      • 80 (HTTP)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2025 04:39:54.493174076 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:39:54.497972965 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:39:54.498029947 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:39:54.499413013 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:39:54.504044056 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:39:54.924364090 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 18, 2025 04:40:00.555541992 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 18, 2025 04:40:01.835392952 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 18, 2025 04:40:10.350367069 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:40:10.350532055 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:40:10.631808043 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:40:10.631916046 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:40:16.425432920 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 18, 2025 04:40:26.663887978 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Mar 18, 2025 04:40:32.807148933 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 18, 2025 04:40:57.379688025 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 18, 2025 04:41:10.353185892 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:41:10.353271961 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:41:10.633197069 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:41:10.633359909 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:42:10.359002113 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:42:10.359194040 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:42:10.649503946 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:42:10.649626970 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:43:10.362169027 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:43:10.362287045 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
Mar 18, 2025 04:43:10.650978088 CET | 55555 | 49922 | 103.77.246.204 | 192.168.2.23
Mar 18, 2025 04:43:10.651108980 CET | 49922 | 55555 | 192.168.2.23 | 103.77.246.204
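The flow table above shows the detection signal a network analyst would want to automate: after the initial check-in to 103.77.246.204:55555, the C2 side sends a short exchange at 04:40:10, 04:41:10, 04:42:10 and 04:43:10, a 60-second keepalive on a port with no assigned service, while the other flows (443 to 91.189.91.42/43, 80 to 109.202.202.202) show no such regularity. The script below, added here as an example and not Joe Sandbox's code, re-parses the report's rows (transcribed into the block, not captured by me), groups packets into direction-agnostic flows, collapses each request/response burst into one "exchange", and flags a flow as beaconing when most inter-exchange gaps fall within 10% of the median gap. The thresholds (2 s burst gap, at least 3 intervals, 60% regular) are my choices, not values from the report.

```python
"""Beacon-interval check over a sandbox flow table (added example, not Joe Sandbox code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Rows transcribed from the report's network table: timestamp, src port, dst port, src IP, dst IP.
FLOW_TABLE = """
Mar 18, 2025 04:39:54.493174076 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:39:54.497972965 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:39:54.498029947 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:39:54.499413013 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:39:54.504044056 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:39:54.924364090 CET 43928 443 192.168.2.23 91.189.91.42
Mar 18, 2025 04:40:00.555541992 CET 42836 443 192.168.2.23 91.189.91.43
Mar 18, 2025 04:40:01.835392952 CET 42516 80 192.168.2.23 109.202.202.202
Mar 18, 2025 04:40:10.350367069 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:40:10.350532055 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:40:10.631808043 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:40:10.631916046 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:40:16.425432920 CET 43928 443 192.168.2.23 91.189.91.42
Mar 18, 2025 04:40:26.663887978 CET 42836 443 192.168.2.23 91.189.91.43
Mar 18, 2025 04:40:32.807148933 CET 42516 80 192.168.2.23 109.202.202.202
Mar 18, 2025 04:40:57.379688025 CET 43928 443 192.168.2.23 91.189.91.42
Mar 18, 2025 04:41:10.353185892 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:41:10.353271961 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:41:10.633197069 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:41:10.633359909 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:42:10.359002113 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:42:10.359194040 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:42:10.649503946 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:42:10.649626970 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:43:10.362169027 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:43:10.362287045 CET 49922 55555 192.168.2.23 103.77.246.204
Mar 18, 2025 04:43:10.650978088 CET 55555 49922 103.77.246.204 192.168.2.23
Mar 18, 2025 04:43:10.651108980 CET 49922 55555 192.168.2.23 103.77.246.204
"""

EPOCH = datetime(1970, 1, 1)


def parse_row(line):
    """'Mar 18, 2025 04:39:54.493174076 CET 49922 55555 A B' -> (seconds, sport, dport, src, dst)."""
    mon, day, year, clock, _tz, sport, dport, src, dst = line.split()
    hms, frac = clock.split(".")
    dt = datetime.strptime(f"{mon} {day} {year} {hms}", "%b %d, %Y %H:%M:%S")
    # strptime's %f accepts at most 6 digits; the report prints 9, so add the fraction by hand
    ts = (dt - EPOCH).total_seconds() + int(frac) / 10 ** len(frac)
    return ts, int(sport), int(dport), src, dst


def parse_table(text):
    return [parse_row(line) for line in text.strip().splitlines() if line.strip()]


def exchange_starts(times, burst_gap):
    """Merge packets closer than burst_gap seconds into one exchange; return each exchange's start."""
    times = sorted(times)
    starts, last = [times[0]], times[0]
    for t in times[1:]:
        if t - last > burst_gap:
            starts.append(t)
        last = t
    return starts


def analyze_flows(rows, burst_gap=2.0, min_intervals=3, tolerance=0.10, min_regular=0.6):
    """Per flow: count exchanges, take the median inter-exchange gap as the candidate period,
    and flag the flow as beaconing when at least min_regular of the gaps lie within tolerance of it."""
    flows = defaultdict(list)
    for ts, sport, dport, src, dst in rows:
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-agnostic flow key
        flows[key].append(ts)
    report = []
    for key, times in flows.items():
        starts = exchange_starts(times, burst_gap)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        info = {"endpoints": tuple(f"{ip}:{port}" for ip, port in key),
                "packets": len(times), "exchanges": len(starts),
                "period_s": None, "regular_fraction": 0.0, "beacon": False}
        if len(gaps) >= min_intervals:
            period = median(gaps)
            regular = sum(abs(g - period) <= tolerance * period for g in gaps) / len(gaps)
            info.update(period_s=period, regular_fraction=regular, beacon=regular >= min_regular)
        report.append(info)
    return report


def beacons(rows, **kwargs):
    return [f for f in analyze_flows(rows, **kwargs) if f["beacon"]]


if __name__ == "__main__":
    for f in analyze_flows(parse_table(FLOW_TABLE)):
        tag = "BEACON" if f["beacon"] else "      "
        print(tag, " <-> ".join(f["endpoints"]), f"{f['exchanges']} exchanges, period {f['period_s']}")
```

On this table the 55555 flow yields five exchanges and four gaps: the first (about 15.9 s, from the check-in to the first keepalive) is irregular, the remaining three are 60.00 s. Counting the fraction of regular gaps rather than requiring all of them is what lets the rule survive that first irregular interval; the 443 and 80 flows each have fewer than three intervals and are not scored at all. Against a real capture, feed the function the output of `tshark -T fields` over a longer window, since five minutes of sandbox time is the bare minimum for a 60 s period to show up.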

                                                      System Behavior

                                                      Start time (UTC):03:39:52
                                                      Start date (UTC):18/03/2025
                                                      Path:/tmp/m-6.8-k.Sakura.elf
                                                      Arguments:/tmp/m-6.8-k.Sakura.elf
                                                      File size:4956856 bytes
                                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                                      Start time (UTC):03:39:53
                                                      Start date (UTC):18/03/2025
                                                      Path:/tmp/m-6.8-k.Sakura.elf
                                                      Arguments:-
                                                      File size:4956856 bytes
                                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                                      Start time (UTC):03:39:53
                                                      Start date (UTC):18/03/2025
                                                      Path:/tmp/m-6.8-k.Sakura.elf
                                                      Arguments:-
                                                      File size:4956856 bytes
                                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1