Linux Analysis Report
aarch64.elf

Overview

General Information

Sample name:aarch64.elf
Analysis ID:1642488
MD5:272651b8ad5ac62492d655eeb5261109
SHA1:72699dd6149dd52f2f15dca311654e1d05da30b2
SHA256:8c3beeb8199598c4c9bcd92fd9c8359c0b252e002c09cd2435d5d69929b047bc
Tags:elf, Mirai, user-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1642488
Start date and time:2025-03-19 04:14:34 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:aarch64.elf
Detection:MAL
Classification:mal52.troj.linELF@0/3@2/0
Command:/tmp/aarch64.elf
PID:5810
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • aarch64.elf (PID: 5810, Parent: 5736, MD5: 02e8e39e1b46472a60d128a6da84a2b8) Arguments: /tmp/aarch64.elf
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: aarch64.elf; Virustotal: Detection: 14%
Source: aarch64.elf; ReversingLabs: Detection: 26%
Source: /tmp/aarch64.elf (PID: 5815); Socket: 127.0.0.1:22448
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample; .symtab present: no
Source: /tmp/aarch64.elf (PID: 5810); SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/aarch64.elf (PID: 5810); SIGKILL sent: pid: 1432, result: successful
Source: /tmp/aarch64.elf (PID: 5810); SIGKILL sent: pid: 3047, result: successful
Source: classification engine; Classification label: mal52.troj.linELF@0/3@2/0

Persistence and Installation Behavior

Source: /tmp/aarch64.elf (PID: 5810); File: /proc/5810/mounts
Source: /tmp/aarch64.elf (PID: 5810); File opened: /proc/1/maps
Source: /tmp/aarch64.elf (PID: 5810); Queries kernel information via 'uname'
Source: aarch64.elf, 5810.1.00005590314b8000.00005590315a3000.rw-.sdmp, aarch64.elf, 5815.1.00005590314b8000.00005590315a3000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/aarch64
Source: aarch64.elf, 5815.1.0000000000427000.0000000000436000.rw-.sdmp; Binary or memory string: vmware
Source: aarch64.elf, 5810.1.0000000000427000.0000000000436000.rw-.sdmp, aarch64.elf, 5815.1.0000000000427000.0000000000436000.rw-.sdmp; Binary or memory string: qemu-arm
Source: aarch64.elf, 5810.1.00005590314b8000.00005590315a3000.rw-.sdmp, aarch64.elf, 5815.1.00005590314b8000.00005590315a3000.rw-.sdmp; Binary or memory string: U1/etc/qemu-binfmt/aarch64O
Source: aarch64.elf, 5810.1.00007fff9e10d000.00007fff9e12e000.rw-.sdmp, aarch64.elf, 5815.1.00007fff9e10d000.00007fff9e12e000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-aarch64/tmp/aarch64.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/aarch64.elf
Source: aarch64.elf, 5815.1.00007fff9e10d000.00007fff9e12e000.rw-.sdmp; Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: aarch64.elf, 5815.1.0000000000427000.0000000000436000.rw-.sdmp; Binary or memory string: BWcDwXR44ZAkzslsN0 a1gCWFxqAHsFWFMWT3YA!a1gAWFxuAXsFWUgBRQAA!a1gAWFxuAXsAWUgKRXgA!a1gAWFxuAXsAWEgJR3IA!a10CWFxuAHsGWVcWQHAA!a10CWFxuAHsGWVcWQHUA!aFwAWF9uA3sGW0gLRgAA!aFwAWFlpG2QBW0gJTwAA!qemu-arm2QBW0gJTwAA!vmware!/bin/bash!/bin/dash!/bin/shh!/proc/mounts!a1oFWFxqDXsGXFQWRHFF!a1kBWF9pAHsAXUgMHFF!bFsYR15pG2cEXEgJT3cA!a1sOWFxpAHsFXFcWQXMA!a1kBWF9pAHsAXUgMXMA
Source: aarch64.elf, 5810.1.00007fff9e10d000.00007fff9e12e000.rw-.sdmp, aarch64.elf, 5815.1.00007fff9e10d000.00007fff9e12e000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-aarch64
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
No configs have been found
Behavior Graph ID: 1642488, Sample: aarch64.elf, Startdate: 19/03/2025, Architecture: LINUX, Score: 52
Graph nodes: DNS/IP daisy.ubuntu.com; signature "Multi AV Scanner detection for submitted file"; process aarch64.elf (started), with signature "Sample reads /proc/mounts (often used for finding a writable filesystem)" and child process aarch64.elf (started)

Source | Detection | Scanner | Label
aarch64.elf | 14% | Virustotal |
aarch64.elf | 26% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high
    No contacted IP infos
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    daisy.ubuntu.com | Federalarm5Agent.elf | malicious | Unknown | 162.213.35.25
    daisy.ubuntu.com | arm.elf | malicious | Unknown | 162.213.35.24
    daisy.ubuntu.com | FederalarmAgent.elf | malicious | Mirai | 162.213.35.24
    daisy.ubuntu.com | arm5.elf | malicious | Unknown | 162.213.35.25
    daisy.ubuntu.com | arm6.elf | malicious | Unknown | 162.213.35.25
    daisy.ubuntu.com | sh4.elf | malicious | Unknown | 162.213.35.25
    daisy.ubuntu.com | Federalx86Agent.elf | malicious | Mirai | 162.213.35.25
    daisy.ubuntu.com | FederalmpslAgent.elf | malicious | Mirai | 162.213.35.24
    No context
    Process:/tmp/aarch64.elf
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):17
    Entropy (8bit):3.8521687236032816
    Encrypted:false
    SSDEEP:3:Tg80l:Tg8c
    MD5:6EA4D0DB8D845A86C7B09CF0667A2CB5
    SHA1:CE980AAA61B3974BA1C86B48D56CAA6A2BE3E9A1
    SHA-256:9AA96AD31F9C5CB1D9FAA1939C33156D29F6EB7FF422C58541452493FEA19ECD
    SHA-512:A43E0EF92BDE7860BB256540693113AE6594F12017132F7408425FC03074FFE05121C4320FD6126F66802528583AB7A54D3FABBA3E70EB1D9DABFA816EBAFFD9
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/aarch64.elf.
    File type:ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):6.263246686024213
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:aarch64.elf
    File size:92'032 bytes
    MD5:272651b8ad5ac62492d655eeb5261109
    SHA1:72699dd6149dd52f2f15dca311654e1d05da30b2
    SHA256:8c3beeb8199598c4c9bcd92fd9c8359c0b252e002c09cd2435d5d69929b047bc
    SHA512:acc2abd9ed4533bc898d3c4fe6bae0b2d7f473bf9e5c36c6ca6d60fce3bbe2083f315d747aab4398baf5c5bffaf74a54815a642b97f354c29c420cc2a6371df1
    SSDEEP:768:Jy33Zl7q56siynbEiPfGsIEQUuTCqL2OVSTEoDYuNo5WnO+gd0fHxbjaDWeDUMJL:JUJlOHbffGsOUOL5VE+QqOH5zWkN/hI
    TLSH:FF938CB47A8E7D91D3CBD339DF558A71721FB4E0C6B192A5BE12432DC0D78EA8AD0441

    ELF header

    Class:ELF64
    Data:2's complement, little endian
    Version:1 (current)
    Machine:AArch64
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x400ab8
    Flags:0x0
    ELF Header Size:64
    Program Header Offset:64
    Program Header Size:56
    Number of Program Headers:4
    Section Header Offset:91264
    Section Header Size:64
    Number of Section Headers:12
    Header String Table Index:11
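    Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
     | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
    .init | PROGBITS | 0x400158 | 0x158 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
    .text | PROGBITS | 0x400180 | 0x180 | 0x12c80 | 0x0 | 0x6 | AX | 0 | 0 | 64
    .fini | PROGBITS | 0x412e00 | 0x12e00 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
    .rodata | PROGBITS | 0x412e10 | 0x12e10 | 0x1d5c | 0x0 | 0x2 | A | 0 | 0 | 16
    .tbss | NOBITS | 0x425f08 | 0x15f08 | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4
    .init_array | INIT_ARRAY | 0x425f08 | 0x15f08 | 0x8 | 0x8 | 0x3 | WA | 0 | 0 | 8
    .fini_array | FINI_ARRAY | 0x425f10 | 0x15f10 | 0x8 | 0x8 | 0x3 | WA | 0 | 0 | 8
    .got | PROGBITS | 0x425f18 | 0x15f18 | 0xd0 | 0x8 | 0x3 | WA | 0 | 0 | 8
    .data | PROGBITS | 0x426000 | 0x16000 | 0x428 | 0x0 | 0x3 | WA | 0 | 0 | 8
    .bss | NOBITS | 0x426428 | 0x16428 | 0x7e18 | 0x0 | 0x3 | WA | 0 | 0 | 8
    .shstrtab | STRTAB | 0x0 | 0x16428 | 0x53 | 0x0 | 0x0 | | 0 | 0 | 1

    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x400000 | 0x400000 | 0x14b6c | 0x14b6c | 6.5517 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
    LOAD | 0x15f08 | 0x425f08 | 0x425f08 | 0x520 | 0x8338 | 2.8609 | 0x6 | RW | 0x10000 | | .tbss .init_array .fini_array .got .data .bss
    TLS | 0x15f08 | 0x425f08 | 0x425f08 | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | | .tbss
    GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |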

    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Mar 19, 2025 04:15:46.532068014 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:46.537240982 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15
    Mar 19, 2025 04:15:46.537337065 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:46.537337065 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:46.537380934 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:46.542145967 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15
    Mar 19, 2025 04:15:46.542192936 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15
    Mar 19, 2025 04:15:47.020428896 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15
    Mar 19, 2025 04:15:47.020510912 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:47.158641100 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15
    Mar 19, 2025 04:15:47.158709049 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:49.020754099 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15
    Mar 19, 2025 04:15:49.021018982 CET | 55760 | 53 | 192.168.2.15 | 8.8.8.8
    Mar 19, 2025 04:15:49.025867939 CET | 53 | 55760 | 8.8.8.8 | 192.168.2.15

    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Mar 19, 2025 04:15:46.537337065 CET | 192.168.2.15 | 8.8.8.8 | 0x5c3b | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
    Mar 19, 2025 04:15:46.537380934 CET | 192.168.2.15 | 8.8.8.8 | 0x8e97 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Mar 19, 2025 04:15:47.020428896 CET | 8.8.8.8 | 192.168.2.15 | 0x5c3b | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
    Mar 19, 2025 04:15:47.020428896 CET | 8.8.8.8 | 192.168.2.15 | 0x5c3b | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

    System Behavior

    Start time (UTC):03:15:43
    Start date (UTC):19/03/2025
    Path:/tmp/aarch64.elf
    Arguments:-
    File size:5706200 bytes
    MD5 hash:02e8e39e1b46472a60d128a6da84a2b8