Linux Analysis Report
.5r3fqt67ew531has4231.m68k.elf

Overview

General Information

Sample name: .5r3fqt67ew531has4231.m68k.elf
Analysis ID: 1644189
MD5: b2dbd375d0e255505ef6aeadbb7b2d19
SHA1: 80e73c3a211280fd6edcc733e6e9bc7d62cbe29e
SHA256: d703cd597f72b8823c7866ac63b7868dc014788607b1e93ffadc8e559df8e351
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai, Moobot, Okiru
Score: 100
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Yara detected Moobot
Yara detected Okiru
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644189
Start date and time: 2025-03-20 12:45:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: .5r3fqt67ew531has4231.m68k.elf
Detection: MAL
Classification: mal100.troj.linELF@0/0@0/0
Command: /tmp/.5r3fqt67ew531has4231.m68k.elf
PID: 6244
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
The_Neko_Government_Initialised_The_Bot
Standard Error:
  • system is lnxubuntu20
  • .5r3fqt67ew531has4231.m68k.elf (PID: 6244, Parent: 6167, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/.5r3fqt67ew531has4231.m68k.elf
    • sh (PID: 6246, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/.5r3fqt67ew531has4231.m68k.elf bin/watchdog; chmod 777 bin/watchdog"
      • sh New Fork (PID: 6252, Parent: 6246)
      • rm (PID: 6252, Parent: 6246, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/watchdog
      • sh New Fork (PID: 6253, Parent: 6246)
      • mkdir (PID: 6253, Parent: 6246, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin
      • sh New Fork (PID: 6254, Parent: 6246)
      • mv (PID: 6254, Parent: 6246, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/.5r3fqt67ew531has4231.m68k.elf bin/watchdog
      • sh New Fork (PID: 6255, Parent: 6246)
      • chmod (PID: 6255, Parent: 6246, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/watchdog
  • cleanup
Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: MooBot
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot
Source | Rule | Description | Author
.5r3fqt67ew531has4231.m68k.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
.5r3fqt67ew531has4231.m68k.elf | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
.5r3fqt67ew531has4231.m68k.elf | JoeSecurity_Moobot | Yara detected Moobot | Joe Security
.5r3fqt67ew531has4231.m68k.elf | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
.5r3fqt67ew531has4231.m68k.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
Source | Rule | Description | Author
6244.1.00007f008c001000.00007f008c027000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
6244.1.00007f008c001000.00007f008c027000.r-x.sdmp | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
6244.1.00007f008c001000.00007f008c027000.r-x.sdmp | JoeSecurity_Moobot | Yara detected Moobot | Joe Security
6244.1.00007f008c001000.00007f008c027000.r-x.sdmp | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
6244.1.00007f008c001000.00007f008c027000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
                      No Suricata rule has matched

                      AV Detection

Source: .5r3fqt67ew531has4231.m68k.elf | Avira: detected
Source: .5r3fqt67ew531has4231.m68k.elf | Virustotal: Detection: 57%
Source: .5r3fqt67ew531has4231.m68k.elf | ReversingLabs: Detection: 50%
Source: /tmp/.5r3fqt67ew531has4231.m68k.elf (PID: 6244) | Socket: 0.0.0.0:64230
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

                      System Summary

Source: .5r3fqt67ew531has4231.m68k.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6244.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6256.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6244, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6256, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-servershellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetssh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt//proc/self/maps/bin/watchdog/bin/systemdrm -rf && mkdir ; > && mv ; chmod 777 3f
Source: ELF static info symbol of initial sample | .symtab present: no
Source: .5r3fqt67ew531has4231.m68k.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6244.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6256.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6244, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6256, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal100.troj.linELF@0/0@0/0
Source: /tmp/.5r3fqt67ew531has4231.m68k.elf (PID: 6246) | Shell command executed: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/.5r3fqt67ew531has4231.m68k.elf bin/watchdog; chmod 777 bin/watchdog"
Source: /bin/sh (PID: 6255) | Chmod executable: /usr/bin/chmod -> chmod 777 bin/watchdog
Source: /bin/sh (PID: 6253) | Mkdir executable: /usr/bin/mkdir -> mkdir bin
Source: /bin/sh (PID: 6252) | Rm executable: /usr/bin/rm -> rm -rf bin/watchdog
Source: /usr/bin/chmod (PID: 6255) | File: /tmp/bin/watchdog (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/sh (PID: 6255) | Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/watchdog
Source: /tmp/.5r3fqt67ew531has4231.m68k.elf (PID: 6244) | Queries kernel information via 'uname'
Source: .5r3fqt67ew531has4231.m68k.elf, 6244.1.0000557be6c58000.0000557be6cdd000.rw-.sdmp, .5r3fqt67ew531has4231.m68k.elf, 6256.1.0000557be6c58000.0000557be6cdd000.rw-.sdmp | Binary or memory string: {U!/etc/qemu-binfmt/m68k
Source: .5r3fqt67ew531has4231.m68k.elf, 6244.1.00007ffe65d43000.00007ffe65d64000.rw-.sdmp, .5r3fqt67ew531has4231.m68k.elf, 6256.1.00007ffe65d43000.00007ffe65d64000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: .5r3fqt67ew531has4231.m68k.elf, 6244.1.00007ffe65d43000.00007ffe65d64000.rw-.sdmp, .5r3fqt67ew531has4231.m68k.elf, 6256.1.00007ffe65d43000.00007ffe65d64000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/.5r3fqt67ew531has4231.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.5r3fqt67ew531has4231.m68k.elf
Source: .5r3fqt67ew531has4231.m68k.elf, 6244.1.0000557be6c58000.0000557be6cdd000.rw-.sdmp, .5r3fqt67ew531has4231.m68k.elf, 6256.1.0000557be6c58000.0000557be6cdd000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: .5r3fqt67ew531has4231.m68k.elf, 6256.1.00007ffe65d43000.00007ffe65d64000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

                      Stealing of Sensitive Information

Source: Yara match | File source: .5r3fqt67ew531has4231.m68k.elf, type: SAMPLE
Source: Yara match | File source: 6244.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6256.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6256, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: .5r3fqt67ew531has4231.m68k.elf, type: SAMPLE
Source: Yara match | File source: 6244.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6256.1.00007f008c001000.00007f008c027000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: .5r3fqt67ew531has4231.m68k.elf PID: 6256, type: MEMORYSTR
MITRE ATT&CK matrix (a number before a technique is the count of matching signatures):
Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: 1 Scripting; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: 1 Scripting; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: 2 File and Directory Permissions Modification; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: 11 Security Software Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
                      No configs have been found

Behavior graph (ID: 1644189, sample: .5r3fqt67ew531has4231.m68k.elf, start date: 20/03/2025, architecture: LINUX, score: 100)
Network nodes: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 91.189.91.43:443 (CANONICAL-ASGB, United Kingdom)
Signature nodes: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
Process nodes: .5r3fqt67ew531has4231.m68k.elf started -> sh started (-> rm, mkdir, mv, chmod started); .5r3fqt67ew531has4231.m68k.elf started a second instance of itself, which started a further instance
Source | Detection | Scanner | Label
.5r3fqt67ew531has4231.m68k.elf | 57% | Virustotal |
.5r3fqt67ew531has4231.m68k.elf | 50% | ReversingLabs | Linux.Trojan.Mirai
.5r3fqt67ew531has4231.m68k.elf | 100% | Avira | LINUX/Mirai.bonb
                      No Antivirus matches

                      No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 | .5r3fqt67ew531has4231.ppc.elf | malicious | Unknown |
91.189.91.43 | main_m68k.elf | malicious | Mirai |
91.189.91.43 | m68k.elf | malicious | Unknown |
91.189.91.43 | x86.elf | malicious | Mirai |
91.189.91.43 | arm6.elf | malicious | Mirai |
91.189.91.43 | main_mpsl.elf | malicious | Mirai |
91.189.91.43 | bot.ppc.elf | malicious | Unknown |
91.189.91.43 | bot.arm.elf | malicious | Unknown |
91.189.91.43 | bot.arm5.elf | malicious | Unknown |
91.189.91.43 | main_ppc.elf | malicious | Mirai |
91.189.91.42 | .5r3fqt67ew531has4231.ppc.elf | malicious | Unknown |
91.189.91.42 | main_m68k.elf | malicious | Mirai |
91.189.91.42 | main_x86.elf | malicious | Mirai |
91.189.91.42 | main_mips.elf | malicious | Mirai |
91.189.91.42 | m68k.elf | malicious | Unknown |
91.189.91.42 | x86.elf | malicious | Mirai |
91.189.91.42 | arm6.elf | malicious | Mirai |
91.189.91.42 | main_mpsl.elf | malicious | Mirai |
91.189.91.42 | bot.ppc.elf | malicious | Unknown |
91.189.91.42 | bot.arm.elf | malicious | Unknown |
                                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | .5r3fqt67ew531has4231.ppc.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | .5r3fqt67ew531has4231.arm5.elf | malicious | Unknown | 185.125.190.26
CANONICAL-ASGB | main_arm6.elf | malicious | Mirai | 185.125.190.26
CANONICAL-ASGB | main_m68k.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | main_x86.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | main_mips.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | m68k.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | x86.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | arm6.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | main_mpsl.elf | malicious | Mirai | 91.189.91.42
INIT7CH | .5r3fqt67ew531has4231.ppc.elf | malicious | Unknown | 109.202.202.202
INIT7CH | main_m68k.elf | malicious | Mirai | 109.202.202.202
INIT7CH | main_x86.elf | malicious | Mirai | 109.202.202.202
INIT7CH | main_mips.elf | malicious | Mirai | 109.202.202.202
INIT7CH | m68k.elf | malicious | Unknown | 109.202.202.202
INIT7CH | x86.elf | malicious | Mirai | 109.202.202.202
INIT7CH | arm6.elf | malicious | Mirai | 109.202.202.202
INIT7CH | main_mpsl.elf | malicious | Mirai | 109.202.202.202
INIT7CH | bot.ppc.elf | malicious | Unknown | 109.202.202.202
INIT7CH | bot.arm.elf | malicious | Unknown | 109.202.202.202
                                                              No context
                                                              No created / dropped files found
File type: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.868355347431482
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: .5r3fqt67ew531has4231.m68k.elf
File size: 173'600 bytes
MD5: b2dbd375d0e255505ef6aeadbb7b2d19
SHA1: 80e73c3a211280fd6edcc733e6e9bc7d62cbe29e
SHA256: d703cd597f72b8823c7866ac63b7868dc014788607b1e93ffadc8e559df8e351
SHA512: 11b4f03c9042875f1c0b5cf1678c2d1c78ba90082afc04d55849d84ed4c10ca0600d7baaf550c53f91b9e053664d2c9756dbf94ccfe3984571d9dcfbb227fcc0
SSDEEP: 3072:zdIFFpCzPzXm4D0oAIB1f4R7ca8EYgqVKjbiCLIq5UyOx8JheTBnK4j:oYz3Y5IB1f4VcyYgLLkyOuheJKk
TLSH: 880438C7F800DDBDF80AF33B48570925B170BBA111925B37625779ABEC3A1991827EC6
                                                              File Content Preview:.ELF.......................D...4.........4. ...(......................[...[....... .......[...{...{...I8.......... .dt.Q............................NV..a....da...!$N^NuNV..J9...Pf>"y..{D QJ.g.X.#...{DN."y..{D QJ.f.A.....J.g.Hy..[.N.X........PN^NuNV..N^NuN

                                                              ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MC68000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x80000144
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 173200
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
                                                              Name       Type      Address     Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
                                                                         NULL      0x0         0x0      0x0      0x0      0x0                       0     0     0
                                                              .init      PROGBITS  0x80000094  0x94     0x14     0x0      0x6    AX                 0     0     2
                                                              .text      PROGBITS  0x800000a8  0xa8     0x2214e  0x0      0x6    AX                 0     0     4
                                                              .fini      PROGBITS  0x800221f6  0x221f6  0xe      0x0      0x6    AX                 0     0     2
                                                              .rodata    PROGBITS  0x80022204  0x22204  0x390f   0x0      0x2    A                  0     0     2
                                                              .ctors     PROGBITS  0x80027b18  0x25b18  0xc      0x0      0x3    WA                 0     0     4
                                                              .dtors     PROGBITS  0x80027b24  0x25b24  0x8      0x0      0x3    WA                 0     0     4
                                                              .data      PROGBITS  0x80027b40  0x25b40  0x4910   0x0      0x3    WA                 0     0     32
                                                              .bss       NOBITS    0x8002c450  0x2a450  0x46c0   0x0      0x3    WA                 0     0     4
                                                              .shstrtab  STRTAB    0x0         0x2a450  0x3e     0x0      0x0                       0     0     1

                                                              Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
                                                              LOAD       0x0      0x80000000       0x80000000        0x25b13    0x25b13      6.2544   0x5    R E                0x2000                    .init .text .fini .rodata
                                                              LOAD       0x25b18  0x80027b18       0x80027b18        0x4938     0x8ff8       0.4471   0x6    RW                 0x2000                    .ctors .dtors .data .bss
                                                              GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4

                                                              • Total Packets: 7
                                                              • 443 (HTTPS)
                                                              • 80 (HTTP)
                                                              Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                              Mar 20, 2025 12:46:13.296994925 CET  43928        443        192.168.2.23  91.189.91.42
                                                              Mar 20, 2025 12:46:18.672290087 CET  42836        443        192.168.2.23  91.189.91.43
                                                              Mar 20, 2025 12:46:19.440385103 CET  42516        80         192.168.2.23  109.202.202.202
                                                              Mar 20, 2025 12:46:34.798016071 CET  43928        443        192.168.2.23  91.189.91.42
                                                              Mar 20, 2025 12:46:45.036705971 CET  42836        443        192.168.2.23  91.189.91.43
                                                              Mar 20, 2025 12:46:49.132009983 CET  42516        80         192.168.2.23  109.202.202.202
                                                              Mar 20, 2025 12:47:15.752438068 CET  43928        443        192.168.2.23  91.189.91.42

                                                              System Behavior

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/tmp/.5r3fqt67ew531has4231.m68k.elf
                                                              Arguments:/tmp/.5r3fqt67ew531has4231.m68k.elf
                                                              File size:4463432 bytes
                                                              MD5 hash:cd177594338c77b895ae27c33f8f86cc

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/tmp/.5r3fqt67ew531has4231.m68k.elf
                                                              Arguments:-
                                                              File size:4463432 bytes
                                                              MD5 hash:cd177594338c77b895ae27c33f8f86cc

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/bin/sh
                                                              Arguments:sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/.5r3fqt67ew531has4231.m68k.elf bin/watchdog; chmod 777 bin/watchdog"
                                                              File size:129816 bytes
                                                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/bin/sh
                                                              Arguments:-
                                                              File size:129816 bytes
                                                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/usr/bin/rm
                                                              Arguments:rm -rf bin/watchdog
                                                              File size:72056 bytes
                                                              MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/bin/sh
                                                              Arguments:-
                                                              File size:129816 bytes
                                                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/usr/bin/mkdir
                                                              Arguments:mkdir bin
                                                              File size:88408 bytes
                                                              MD5 hash:088c9d1df5a28ed16c726eca15964cb7

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/bin/sh
                                                              Arguments:-
                                                              File size:129816 bytes
                                                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/usr/bin/mv
                                                              Arguments:mv /tmp/.5r3fqt67ew531has4231.m68k.elf bin/watchdog
                                                              File size:149888 bytes
                                                              MD5 hash:504f0590fa482d4da070a702260e3716

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/bin/sh
                                                              Arguments:-
                                                              File size:129816 bytes
                                                              MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/usr/bin/chmod
                                                              Arguments:chmod 777 bin/watchdog
                                                              File size:63864 bytes
                                                              MD5 hash:739483b900c045ae1374d6f53a86a279

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/tmp/.5r3fqt67ew531has4231.m68k.elf
                                                              Arguments:-
                                                              File size:4463432 bytes
                                                              MD5 hash:cd177594338c77b895ae27c33f8f86cc

                                                              Start time (UTC):11:46:14
                                                              Start date (UTC):20/03/2025
                                                              Path:/tmp/.5r3fqt67ew531has4231.m68k.elf
                                                              Arguments:-
                                                              File size:4463432 bytes
                                                              MD5 hash:cd177594338c77b895ae27c33f8f86cc