Linux Analysis Report
Space.x86_64.elf

Overview

General Information

Sample name:Space.x86_64.elf
Analysis ID:1644262
MD5:49303f53497fc1ff83a79131e081e29c
SHA1:fc6fdb218354523af716ef05c9acc70683ac5d17
SHA256:ad93d00ea4138c10f9e0177b2aa75682e9b7d589f42f0ad87d033b840767f656
Tags: elf, Mirai, user-abuse_ch

Detection

Score:60
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious]
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1644262
Start date and time:2025-03-20 13:54:57 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:Space.x86_64.elf
Detection:MAL
Classification:mal60.evad.linELF@0/0@0/0
Command:/tmp/Space.x86_64.elf
PID:5484
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Columns: Source, Rule, Description, Author, Strings
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, Rule: Linux_Trojan_Mirai_564b8eda, Description: unknown, Author: unknown
  • 0x49b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C1 83 FE 01
Source: 5486.1.0000000000400000.0000000000413000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
Source: 5486.1.0000000000400000.0000000000413000.r-x.sdmp, Rule: Linux_Trojan_Mirai_564b8eda, Description: unknown, Author: unknown
  • 0x49b2:$a: 83 FE 01 76 12 0F B7 07 83 EE 02 48 83 C7 02 48 01 C1 83 FE 01
Source: 5484.1.0000000000400000.0000000000413000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
No Suricata rule has matched

AV Detection

Source: Space.x86_64.elf, Virustotal: Detection: 40%
Source: Space.x86_64.elf, ReversingLabs: Detection: 41%
Source: global traffic, TCP traffic: 192.168.2.14:51296 -> 209.97.147.158:3778
Source: global traffic, TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown, TCP traffic detected without corresponding DNS query: 209.97.147.158
Source: unknown, TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: Space.x86_64.elf, String found in binary or memory: http://upx.sf.net
Source: unknown, Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary

Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_564b8eda, Author: unknown
Source: 5486.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5486.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_564b8eda, Author: unknown
Source: 5484.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5484.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_564b8eda, Author: unknown
Source: 5485.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5485.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_564b8eda, Author: unknown
Source: Process Memory Space: Space.x86_64.elf PID: 5484, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: Space.x86_64.elf PID: 5485, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: Space.x86_64.elf PID: 5486, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: Space.x86_64.elf PID: 5490, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: LOAD without section mappings, Program segment: 0x400000
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5490.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 5486.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5486.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 5484.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5484.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 5485.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5485.1.0000000000400000.0000000000413000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: Process Memory Space: Space.x86_64.elf PID: 5484, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.x86_64.elf PID: 5485, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.x86_64.elf PID: 5486, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.x86_64.elf PID: 5490, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine, Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample, String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample, String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/Space.x86_64.elf (PID: 5484), File opened: /proc/1583/status
Source: Space.x86_64.elf, Submission file: segment LOAD with 7.9624 entropy (max. 8.0)
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception11
Obfuscated Files or Information
1
OS Credential Dumping
System Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Standard Port
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
No configs have been found
[Behavior graph. Behavior Graph ID: 1644262, Sample: Space.x86_64.elf, Startdate: 20/03/2025, Architecture: LINUX, Score: 60]

Source | Detection | Scanner | Label
Space.x86_64.elf | 40% | Virustotal |
Space.x86_64.elf | 42% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Space.x86_64.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.125.190.26 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
209.97.147.158 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
Match | Associated Sample Name / URL | Detection | Threat Name
185.125.190.26 | sshd.elf | malicious | Unknown
185.125.190.26 | .5r3fqt67ew531has4231.sh4.elf | malicious | Gafgyt, Mirai, Moobot, Okiru
185.125.190.26 | yakuza.m68k.elf | malicious | Gafgyt, Mirai
185.125.190.26 | .5r3fqt67ew531has4231.arm5.elf | malicious | Unknown
185.125.190.26 | main_arm6.elf | malicious | Mirai
185.125.190.26 | main_mips.elf | malicious | Mirai
185.125.190.26 | bot.arm6.elf | malicious | Unknown
185.125.190.26 | hiss.arm7.elf | malicious | Unknown
185.125.190.26 | boatnet.sh4.elf | malicious | Mirai
185.125.190.26 | resgod.arm7.elf | malicious | Mirai
209.97.147.158 | Space.sh4.elf | malicious | Unknown
209.97.147.158 | Space.m68k.elf | malicious | Mirai
209.97.147.158 | Space.x86.elf | malicious | Unknown

No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | sshd.elf | malicious | Unknown | 185.125.190.26
CANONICAL-ASGB | Space.sh4.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | Space.m68k.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | mips.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | smips.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | psmpsl.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | .5r3fqt67ew531has4231.sh4.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 185.125.190.26
CANONICAL-ASGB | yakuza.mpsl.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | yakuza.x86.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | yakuza.m68k.elf | malicious | Gafgyt, Mirai | 185.125.190.26
DIGITALOCEAN-ASNUS | Space.sh4.elf | malicious | Unknown | 209.97.147.158
DIGITALOCEAN-ASNUS | Space.m68k.elf | malicious | Mirai | 209.97.147.158
DIGITALOCEAN-ASNUS | Space.x86.elf | malicious | Unknown | 209.97.147.158
DIGITALOCEAN-ASNUS | https://bjpgckrr.ciaxalimited.com/T/?ur=lpOIUYFTDCVBKNLMJIHUGyfbnpohiguyftcgvhBNLKPOIHUGYFCGvhbjknkpojhiugyfvhjbKNLM;KPJOHIGUFYCGOYFTGUHIJDOKFLMEKNJBHYG478U9I3OKFJKNGHGRYUH3OKPEFI09U8Y7GVHBJFNKLG4KPI0U9Y87GYFGUHI4GJONK4YBJEVGUHIOJNK4BJEVUGHIJOY8T7F6DTXCGHVJBKNOJ | malicious | Unknown | 165.22.210.101
DIGITALOCEAN-ASNUS | http://fliqlo.app | malicious | Unknown | 161.35.127.181
DIGITALOCEAN-ASNUS | task1.exe | malicious | Emotet | 134.209.36.254
DIGITALOCEAN-ASNUS | task1.exe | malicious | Emotet | 134.209.36.254
DIGITALOCEAN-ASNUS | PvOhS0dkw2.exe | malicious | Rusty Stealer | 157.230.108.102
DIGITALOCEAN-ASNUS | lmdDQiS9l7.exe | malicious | Rusty Stealer | 157.230.108.102
DIGITALOCEAN-ASNUS | DMr2OSOdpq.exe | malicious | Rusty Stealer | 157.230.108.102

No context
No created / dropped files found

File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit): 7.960371112175457
TrID: ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: Space.x86_64.elf
File size: 37'540 bytes
MD5: 49303f53497fc1ff83a79131e081e29c
SHA1: fc6fdb218354523af716ef05c9acc70683ac5d17
SHA256: ad93d00ea4138c10f9e0177b2aa75682e9b7d589f42f0ad87d033b840767f656
SHA512: 5ed18b4d32a6434d609930f5337d2b49e22c8c9f7baa06cdadb37f1b46bf3723d39a955343bc6a9d23cd18c43e4eff652d2acbeef6550eec1a3d58029c15d217
SSDEEP: 768:P+4qtvWUAASje6lhaVG5CHb4diYjLMWf5CcWHdbL5fPr8bpZ0JiWx0G:29tvWrASje4wVGigJmFL578bpWJhD
TLSH: C7F2E152D96AD93CDA332E7500826B68CF73D0B19442579F4BED629F1E7EE042D0A750
File Content Preview: .ELF..............>.....`.@.....@...................@.8...@.......................@.......@....................... ......................Ka......Ka.............................Q.td.....................................................I..UPX!D.......8:..8:.

ELF header

Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
Machine: Advanced Micro Devices X86-64
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x408060
Flags: 0x0
ELF Header Size: 64
Program Header Offset: 64
Program Header Size: 56
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 64
Number of Section Headers: 0
Header String Table Index: 0

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x919c | 0x919c | 7.9624 | 0x5 | R E | 0x200000 | |
LOAD | 0xb00 | 0x614b00 | 0x614b00 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x1000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 | |


• Total Packets: 97
• 3778 undefined
• 443 (HTTPS)

System Behavior

Start time (UTC): 12:55:39
Start date (UTC): 20/03/2025
Path: /tmp/Space.x86_64.elf
Arguments: /tmp/Space.x86_64.elf
File size: 37540 bytes
MD5 hash: 49303f53497fc1ff83a79131e081e29c

Start time (UTC): 12:55:39
Start date (UTC): 20/03/2025
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 37540 bytes
MD5 hash: 49303f53497fc1ff83a79131e081e29c

Start time (UTC): 12:55:39
Start date (UTC): 20/03/2025
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 37540 bytes
MD5 hash: 49303f53497fc1ff83a79131e081e29c

Start time (UTC): 12:55:39
Start date (UTC): 20/03/2025
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 37540 bytes
MD5 hash: 49303f53497fc1ff83a79131e081e29c

Start time (UTC): 12:55:45
Start date (UTC): 20/03/2025
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 37540 bytes
MD5 hash: 49303f53497fc1ff83a79131e081e29c

Start time (UTC): 12:55:45
Start date (UTC): 20/03/2025
Path: /tmp/Space.x86_64.elf
Arguments: -
File size: 37540 bytes
MD5 hash: 49303f53497fc1ff83a79131e081e29c