
Linux Analysis Report
.5r3fqt67ew531has4231.sh4.elf

Overview

General Information

Sample name: .5r3fqt67ew531has4231.sh4.elf
Analysis ID: 1644209
MD5: e2554f6041a3adfce1fe2cfc3cabe286
SHA1: 93b6a8c43d3cd8f7974f48289957b0cdbc02b6fb
SHA256: ca7fb435671ebe264074f13ac36b85103f243cfbc207dc497adee44ac453cb5c
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai, Moobot, Okiru
Score: 100
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Yara detected Moobot
Yara detected Okiru
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Sets full permissions to files and/or directories
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644209
Start date and time: 2025-03-20 13:05:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: .5r3fqt67ew531has4231.sh4.elf
Detection: MAL
Classification: mal100.troj.linELF@0/0@2/0
Command: /tmp/.5r3fqt67ew531has4231.sh4.elf
PID: 5475
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: The_Neko_Government_Initialised_The_Bot
Standard Error:

  • system is lnxubuntu20
  • .5r3fqt67ew531has4231.sh4.elf (PID: 5475, Parent: 5393, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/.5r3fqt67ew531has4231.sh4.elf
    • sh (PID: 5477, Parent: 5475, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/.5r3fqt67ew531has4231.sh4.elf bin/watchdog; chmod 777 bin/watchdog"
      • sh New Fork (PID: 5483, Parent: 5477)
      • rm (PID: 5483, Parent: 5477, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/watchdog
      • sh New Fork (PID: 5484, Parent: 5477)
      • mkdir (PID: 5484, Parent: 5477, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin
      • sh New Fork (PID: 5485, Parent: 5477)
      • mv (PID: 5485, Parent: 5477, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/.5r3fqt67ew531has4231.sh4.elf bin/watchdog
      • sh New Fork (PID: 5488, Parent: 5477)
      • chmod (PID: 5488, Parent: 5477, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/watchdog
  • cleanup
Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: MooBot
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot
Source | Rule | Description | Author
.5r3fqt67ew531has4231.sh4.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
.5r3fqt67ew531has4231.sh4.elf | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
.5r3fqt67ew531has4231.sh4.elf | JoeSecurity_Moobot | Yara detected Moobot | Joe Security
.5r3fqt67ew531has4231.sh4.elf | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
.5r3fqt67ew531has4231.sh4.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security

Source | Rule | Description | Author
5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp | JoeSecurity_Moobot | Yara detected Moobot | Joe Security
5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
No Suricata rule has matched

AV Detection

Source: .5r3fqt67ew531has4231.sh4.elf; Avira: detected
Source: .5r3fqt67ew531has4231.sh4.elf; Virustotal: Detection: 43%
Source: .5r3fqt67ew531has4231.sh4.elf; ReversingLabs: Detection: 41%

Source: /tmp/.5r3fqt67ew531has4231.sh4.elf (PID: 5475); Socket: 0.0.0.0:64230
Source: global traffic; TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443
Source: unknown; TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown; Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Source: .5r3fqt67ew531has4231.sh4.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5475.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5475, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5489, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sample; String containing 'busybox' found: /bin/busybox
Source: Initial sample; String containing 'busybox' found: bin/busybox
Source: Initial sample; String containing 'busybox' found: var/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetssh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/mapsexe/proc/self/maps/bin/watchdog/bin/systemdbin/busyboxbin/watchdogbin/systemdbinrm -rf && mkdir ; > && mv ; chmod 777 3f
Source: ELF static info symbol of initial sample; .symtab present: no
Source: .5r3fqt67ew531has4231.sh4.elf, type: SAMPLE; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5475.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5475, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5489, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine; Classification label: mal100.troj.linELF@0/0@2/0
Source: /tmp/.5r3fqt67ew531has4231.sh4.elf (PID: 5477); Shell command executed: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/.5r3fqt67ew531has4231.sh4.elf bin/watchdog; chmod 777 bin/watchdog"
Source: /bin/sh (PID: 5488); Chmod executable: /usr/bin/chmod -> chmod 777 bin/watchdog
Source: /bin/sh (PID: 5484); Mkdir executable: /usr/bin/mkdir -> mkdir bin
Source: /bin/sh (PID: 5483); Rm executable: /usr/bin/rm -> rm -rf bin/watchdog
Source: /usr/bin/chmod (PID: 5488); File: /tmp/bin/watchdog (bits: - usr: rwx grp: rwx all: rwx)
Source: /bin/sh (PID: 5488); Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/watchdog
Source: /tmp/.5r3fqt67ew531has4231.sh4.elf (PID: 5475); Queries kernel information via 'uname'
Source: .5r3fqt67ew531has4231.sh4.elf, 5475.1.00007ffcfdef6000.00007ffcfdf17000.rw-.sdmp, .5r3fqt67ew531has4231.sh4.elf, 5489.1.00007ffcfdef6000.00007ffcfdf17000.rw-.sdmp; Binary or memory string: \fx86_64/usr/bin/qemu-sh4/tmp/.5r3fqt67ew531has4231.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/.5r3fqt67ew531has4231.sh4.elf
Source: .5r3fqt67ew531has4231.sh4.elf, 5489.1.00007ffcfdef6000.00007ffcfdf17000.rw-.sdmp; Binary or memory string: ~qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: .5r3fqt67ew531has4231.sh4.elf, 5475.1.00007ffcfdef6000.00007ffcfdf17000.rw-.sdmp, .5r3fqt67ew531has4231.sh4.elf, 5489.1.00007ffcfdef6000.00007ffcfdf17000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-sh4
Source: .5r3fqt67ew531has4231.sh4.elf, 5475.1.0000562c40553000.0000562c405d6000.rw-.sdmp, .5r3fqt67ew531has4231.sh4.elf, 5489.1.0000562c40553000.0000562c405d6000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/sh4
Source: .5r3fqt67ew531has4231.sh4.elf, 5475.1.0000562c40553000.0000562c405d6000.rw-.sdmp, .5r3fqt67ew531has4231.sh4.elf, 5489.1.0000562c40553000.0000562c405d6000.rw-.sdmp; Binary or memory string: UU@,V5!/etc/qemu-binfmt/sh4
Source: .5r3fqt67ew531has4231.sh4.elf, 5489.1.00007ffcfdef6000.00007ffcfdf17000.rw-.sdmp; Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information

Source: Yara match; File source: .5r3fqt67ew531has4231.sh4.elf, type: SAMPLE
Source: Yara match; File source: 5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5475.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5475, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5489, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: .5r3fqt67ew531has4231.sh4.elf, type: SAMPLE
Source: Yara match; File source: 5489.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5475.1.00007efd30400000.00007efd3041e000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5475, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: .5r3fqt67ew531has4231.sh4.elf PID: 5489, type: MEMORYSTR

ATT&CK Matrix (the number in parentheses is the count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Scripting (1); Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: File and Directory Permissions Modification (2); File Deletion (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

No configs have been found

Behavior Graph (ID: 1644209; sample: .5r3fqt67ew531has4231.sh4.elf; start date: 20/03/2025; architecture: LINUX; score: 100). Network nodes: 185.125.190.26 port 443 (CANONICAL-ASGB, United Kingdom) and daisy.ubuntu.com. Graph signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures. Process chain: .5r3fqt67ew531has4231.sh4.elf -> sh -> rm, mkdir, mv, chmod; .5r3fqt67ew531has4231.sh4.elf -> .5r3fqt67ew531has4231.sh4.elf -> .5r3fqt67ew531has4231.sh4.elf.

Source | Detection | Scanner | Label
.5r3fqt67ew531has4231.sh4.elf | 44% | Virustotal |
.5r3fqt67ew531has4231.sh4.elf | 42% | ReversingLabs | Linux.Trojan.Mirai
.5r3fqt67ew531has4231.sh4.elf | 100% | Avira | LINUX/Mirai.bonb
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false

Context for 185.125.190.26 (Associated Sample Name / URL | Detection | Threat Name)
yakuza.m68k.elf | malicious | Gafgyt, Mirai
.5r3fqt67ew531has4231.arm5.elf | malicious | Unknown
main_arm6.elf | malicious | Mirai
main_mips.elf | malicious | Mirai
bot.arm6.elf | malicious | Unknown
hiss.arm7.elf | malicious | Unknown
boatnet.sh4.elf | malicious | Mirai
resgod.arm7.elf | malicious | Mirai
gigab.i686.elf | malicious | Unknown
na.elf | malicious | Prometei

Context for daisy.ubuntu.com (Associated Sample Name / URL | Detection | Threat Name | Context IP)
yakuza.ppc.elf | malicious | Gafgyt, Mirai | 162.213.35.25
yakuza.arm6.elf | malicious | Gafgyt, Mirai | 162.213.35.24
yakuza.arm4.elf | malicious | Gafgyt, Mirai | 162.213.35.24
yakuza.m68k.elf | malicious | Gafgyt, Mirai | 162.213.35.24
yakuza.mips.elf | malicious | Gafgyt, Mirai | 162.213.35.25
yakuza.i586.elf | malicious | Gafgyt, Mirai | 162.213.35.25
yakuza.x32.elf | malicious | Gafgyt, Mirai | 162.213.35.25
.5r3fqt67ew531has4231.arm6.elf | malicious | Unknown | 162.213.35.24
.5r3fqt67ew531has4231.arm.elf | malicious | Unknown | 162.213.35.24
.5r3fqt67ew531has4231.mips.elf | malicious | Unknown | 162.213.35.25

Context for CANONICAL-ASGB (Associated Sample Name / URL | Detection | Threat Name | Context IP)
yakuza.x86.elf | malicious | Gafgyt, Mirai | 91.189.91.42
yakuza.m68k.elf | malicious | Gafgyt, Mirai | 185.125.190.26
yakuza.sh4.elf | malicious | Gafgyt, Mirai | 91.189.91.42
.5r3fqt67ew531has4231.mpsl.elf | malicious | Unknown | 91.189.91.42
.5r3fqt67ew531has4231.m68k.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 91.189.91.42
.5r3fqt67ew531has4231.ppc.elf | malicious | Unknown | 91.189.91.42
.5r3fqt67ew531has4231.arm5.elf | malicious | Unknown | 185.125.190.26
main_arm6.elf | malicious | Mirai | 185.125.190.26
main_m68k.elf | malicious | Mirai | 91.189.91.42
main_x86.elf | malicious | Mirai | 91.189.91.42

No context
No created / dropped files found

File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.342889035310581
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: .5r3fqt67ew531has4231.sh4.elf
File size: 140'352 bytes
MD5: e2554f6041a3adfce1fe2cfc3cabe286
SHA1: 93b6a8c43d3cd8f7974f48289957b0cdbc02b6fb
SHA256: ca7fb435671ebe264074f13ac36b85103f243cfbc207dc497adee44ac453cb5c
SHA512: f4415ef68a712243b21cbb03b46811574614e57aa94bbd56f1b43fd32defdabf20521205a3b0b066cd9f0cfc621a7172724e4ca20833d854d09a0f2797fe152b
SSDEEP: 3072:Ge74jNwICtBcOBgJfqKx8HCtBWtB4i3P+wbZno:GeMwjtBcggJfqKaEMt+i3mwRo
TLSH: 21D36C72D96A6E64C295C175B0348F393B93A5C082171FBE29A3C2B58087ECDF505BF8

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0x9
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 139912
Section Header Size: 40
Number of Section Headers: 11
Header String Table Index: 10

Section headers
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x4000e0 | 0xe0 | 0x19bc0 | 0x0 | 0x6 | AX | 0 | 0 | 32
.fini | PROGBITS | 0x419ca0 | 0x19ca0 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x419cc4 | 0x19cc4 | 0x3c34 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x42d8fc | 0x1d8fc | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x42d908 | 0x1d908 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x42d920 | 0x1d920 | 0x4910 | 0x0 | 0x3 | WA | 0 | 0 | 32
.got | PROGBITS | 0x432230 | 0x22230 | 0x14 | 0x4 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x432244 | 0x22244 | 0x472c | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x22244 | 0x43 | 0x0 | 0x0 | | 0 | 0 | 1

Program headers
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x1d8f8 | 0x1d8f8 | 6.9062 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0x1d8fc | 0x42d8fc | 0x42d8fc | 0x4948 | 0x9074 | 0.4112 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .got .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

• Total Packets: 4
• 443 (HTTPS)
• 53 (DNS)

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 13:06:05.326678991 CET | 48202 | 443 | 192.168.2.13 | 185.125.190.26
Mar 20, 2025 13:06:36.302772999 CET | 48202 | 443 | 192.168.2.13 | 185.125.190.26

UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 13:05:56.209767103 CET | 40322 | 53 | 192.168.2.13 | 8.8.8.8
Mar 20, 2025 13:05:56.209881067 CET | 36610 | 53 | 192.168.2.13 | 8.8.8.8
Mar 20, 2025 13:05:56.302356005 CET | 53 | 36610 | 8.8.8.8 | 192.168.2.13
Mar 20, 2025 13:05:56.302607059 CET | 53 | 40322 | 8.8.8.8 | 192.168.2.13

DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2025 13:05:56.209767103 CET | 192.168.2.13 | 8.8.8.8 | 0x1e0e | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 20, 2025 13:05:56.209881067 CET | 192.168.2.13 | 8.8.8.8 | 0x42df | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2025 13:05:56.302607059 CET | 8.8.8.8 | 192.168.2.13 | 0x1e0e | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Mar 20, 2025 13:05:56.302607059 CET | 8.8.8.8 | 192.168.2.13 | 0x1e0e | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                                            System Behavior

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/.5r3fqt67ew531has4231.sh4.elf
                                            Arguments:/tmp/.5r3fqt67ew531has4231.sh4.elf
                                            File size:4139976 bytes
                                            MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/.5r3fqt67ew531has4231.sh4.elf
                                            Arguments:-
                                            File size:4139976 bytes
                                            MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/bin/sh
                                            Arguments:sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/.5r3fqt67ew531has4231.sh4.elf bin/watchdog; chmod 777 bin/watchdog"
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/bin/sh
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/usr/bin/rm
                                            Arguments:rm -rf bin/watchdog
                                            File size:72056 bytes
                                            MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/bin/sh
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/usr/bin/mkdir
                                            Arguments:mkdir bin
                                            File size:88408 bytes
                                            MD5 hash:088c9d1df5a28ed16c726eca15964cb7

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/bin/sh
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Start time (UTC):12:05:53
                                            Start date (UTC):20/03/2025
                                            Path:/usr/bin/mv
                                            Arguments:mv /tmp/.5r3fqt67ew531has4231.sh4.elf bin/watchdog
                                            File size:149888 bytes
                                            MD5 hash:504f0590fa482d4da070a702260e3716

                                            Start time (UTC):12:05:54
                                            Start date (UTC):20/03/2025
                                            Path:/bin/sh
                                            Arguments:-
                                            File size:129816 bytes
                                            MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                            Start time (UTC):12:05:54
                                            Start date (UTC):20/03/2025
                                            Path:/usr/bin/chmod
                                            Arguments:chmod 777 bin/watchdog
                                            File size:63864 bytes
                                            MD5 hash:739483b900c045ae1374d6f53a86a279

                                            Start time (UTC):12:05:54
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/.5r3fqt67ew531has4231.sh4.elf
                                            Arguments:-
                                            File size:4139976 bytes
                                            MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                                            Start time (UTC):12:05:54
                                            Start date (UTC):20/03/2025
                                            Path:/tmp/.5r3fqt67ew531has4231.sh4.elf
                                            Arguments:-
                                            File size:4139976 bytes
                                            MD5 hash:8943e5f8f8c280467b4472c15ae93ba9