Linux Analysis Report
Space.arm7.elf

Overview

General Information

Sample name: Space.arm7.elf
Analysis ID: 1644274
MD5: 0a9f354193944c4761e8f672e7a2a531
SHA1: 158ffefc5fbbc81b20317fa86366a6070696d48c
SHA256: ac8344b4e42c466581618e96d7533bb37cced16ded02351ff7886f2c16548d20
Tags: elf, Mirai, user-abuse_ch

Detection

Mirai
Score: 68
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644274
Start date and time: 2025-03-20 13:59:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Space.arm7.elf
Detection: MAL
Classification: mal68.troj.evad.linELF@0/0@0/0
Command: /tmp/Space.arm7.elf
PID: 5523
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
5528.1.00007f705c017000.00007f705c02f000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5528.1.00007f705c017000.00007f705c02f000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
5523.1.00007f705c017000.00007f705c02f000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5523.1.00007f705c017000.00007f705c02f000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
5526.1.00007f705c017000.00007f705c02f000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
        No Suricata rule has matched

        AV Detection

        Source: Space.arm7.elf, Virustotal: Detection: 40%
        Source: Space.arm7.elf, ReversingLabs: Detection: 41%
        Source: global traffic, TCP traffic: 192.168.2.15:59972 -> 209.97.147.158:3778
        Source: unknown, TCP traffic detected without corresponding DNS query: 209.97.147.158
        Source: Space.arm7.elf, String found in binary or memory: http://upx.sf.net

        System Summary

        Source: 5528.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: 5523.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: 5526.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: 5543.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: Process Memory Space: Space.arm7.elf PID: 5523, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: Process Memory Space: Space.arm7.elf PID: 5526, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: Process Memory Space: Space.arm7.elf PID: 5528, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: Process Memory Space: Space.arm7.elf PID: 5543, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
        Source: LOAD without section mappings, Program segment: 0x8000
        Source: 5528.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5523.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5526.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5543.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm7.elf PID: 5523, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm7.elf PID: 5526, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm7.elf PID: 5528, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm7.elf PID: 5543, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: classification engine, Classification label: mal68.troj.evad.linELF@0/0@0/0

        Data Obfuscation

        Source: initial sample, String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sample, String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /tmp/Space.arm7.elf (PID: 5523), File opened: /proc/110/status
        Source: Space.arm7.elf, Submission file: segment LOAD with 7.9737 entropy (max. 8.0)
        Source: /tmp/Space.arm7.elf (PID: 5523), Queries kernel information via 'uname'
        Source: Space.arm7.elf, 5523.1.00005587383d6000.0000558738624000.rw-.sdmp, Space.arm7.elf, 5526.1.00005587383d6000.0000558738604000.rw-.sdmp, Space.arm7.elf, 5528.1.00005587383d6000.0000558738604000.rw-.sdmp, Space.arm7.elf, 5543.1.00005587383d6000.0000558738624000.rw-.sdmp; Binary or memory string: U!/etc/qemu-binfmt/arm
        Source: Space.arm7.elf, 5523.1.00005587383d6000.0000558738624000.rw-.sdmp, Space.arm7.elf, 5526.1.00005587383d6000.0000558738604000.rw-.sdmp, Space.arm7.elf, 5528.1.00005587383d6000.0000558738604000.rw-.sdmp, Space.arm7.elf, 5543.1.00005587383d6000.0000558738624000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/arm
        Source: Space.arm7.elf, 5523.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp, Space.arm7.elf, 5526.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp, Space.arm7.elf, 5528.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp, Space.arm7.elf, 5543.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-arm
        Source: Space.arm7.elf, 5523.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp, Space.arm7.elf, 5526.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp, Space.arm7.elf, 5528.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp, Space.arm7.elf, 5543.1.00007ffe25bda000.00007ffe25bfb000.rw-.sdmp; Binary or memory string: v*x86_64/usr/bin/qemu-arm/tmp/Space.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.arm7.elf

        Stealing of Sensitive Information

        Source: Yara match, File source: 5528.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5523.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5526.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5543.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5523, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5526, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5528, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5543, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match, File source: 5528.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5523.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5526.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5543.1.00007f705c017000.00007f705c02f000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5523, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5526, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5528, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm7.elf PID: 5543, type: MEMORYSTR
        Tactic: Technique
        Reconnaissance: Gather Victim Identity Information
        Resource Development: Acquire Infrastructure
        Initial Access: Valid Accounts
        Execution: Windows Management Instrumentation
        Persistence: Path Interception
        Privilege Escalation: Path Interception
        Defense Evasion: 11 Obfuscated Files or Information
        Credential Access: 1 OS Credential Dumping
        Discovery: 11 Security Software Discovery
        Lateral Movement: Remote Services
        Collection: Data from Local System
        Command and Control: 1 Non-Standard Port
        Exfiltration: Exfiltration Over Other Network Medium
        Impact: Abuse Accessibility Features
        No configs have been found
        [Behavior graph. Behavior Graph ID: 1644274, Sample: Space.arm7.elf, Startdate: 20/03/2025, Architecture: LINUX, Score: 68. Contacted: 209.97.147.158, port 3778, DIGITALOCEAN-ASNUS, United States. Process Space.arm7.elf started and spawned further Space.arm7.elf processes.]

        Source | Detection | Scanner | Label
        Space.arm7.elf | 41% | Virustotal |
        Space.arm7.elf | 42% | ReversingLabs | Linux.Backdoor.Mirai
        No Antivirus matches


        No contacted domains info
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://upx.sf.net | Space.arm7.elf | false | | high
          IP | Domain | Country | ASN | ASN Name | Malicious
          209.97.147.158 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
          Match | Associated Sample Name / URL | Detection | Threat Name
          209.97.147.158 | Space.arm6.elf | malicious | Unknown
          209.97.147.158 | Space.mpsl.elf | malicious | Unknown
          209.97.147.158 | Space.i686.elf | malicious | Unknown
          209.97.147.158 | Space.x86_64.elf | malicious | Unknown
          209.97.147.158 | Space.sh4.elf | malicious | Unknown
          209.97.147.158 | Space.m68k.elf | malicious | Mirai
          209.97.147.158 | Space.x86.elf | malicious | Unknown
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        DIGITALOCEAN-ASNUS | Space.arm6.elf | malicious | Unknown | 209.97.147.158
                        DIGITALOCEAN-ASNUS | Space.mpsl.elf | malicious | Unknown | 209.97.147.158
                        DIGITALOCEAN-ASNUS | Space.i686.elf | malicious | Unknown | 209.97.147.158
                        DIGITALOCEAN-ASNUS | Space.x86_64.elf | malicious | Unknown | 209.97.147.158
                        DIGITALOCEAN-ASNUS | Space.sh4.elf | malicious | Unknown | 209.97.147.158
                        DIGITALOCEAN-ASNUS | Space.m68k.elf | malicious | Mirai | 209.97.147.158
                        DIGITALOCEAN-ASNUS | Space.x86.elf | malicious | Unknown | 209.97.147.158
                        DIGITALOCEAN-ASNUS | https://bjpgckrr.ciaxalimited.com/T/?ur=lpOIUYFTDCVBKNLMJIHUGyfbnpohiguyftcgvhBNLKPOIHUGYFCGvhbjknkpojhiugyfvhjbKNLM;KPJOHIGUFYCGOYFTGUHIJDOKFLMEKNJBHYG478U9I3OKFJKNGHGRYUH3OKPEFI09U8Y7GVHBJFNKLG4KPI0U9Y87GYFGUHI4GJONK4YBJEVGUHIOJNK4BJEVUGHIJOY8T7F6DTXCGHVJBKNOJ | malicious | Unknown | 165.22.210.101
                        DIGITALOCEAN-ASNUS | http://fliqlo.app | malicious | Unknown | 161.35.127.181
                        DIGITALOCEAN-ASNUS | task1.exe | malicious | Emotet | 134.209.36.254
                        No context
                        No created / dropped files found
                        File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
                        Entropy (8bit):7.984230096757256
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:Space.arm7.elf
                        File size:61'844 bytes
                        MD5:0a9f354193944c4761e8f672e7a2a531
                        SHA1:158ffefc5fbbc81b20317fa86366a6070696d48c
                        SHA256:ac8344b4e42c466581618e96d7533bb37cced16ded02351ff7886f2c16548d20
                        SHA512:b78c52d59d1efa295c830846653e221136f0f67d5248cdfc09b0309ebba8c9a2f85e1ef36707a83727f631c96285fef981ab4025ae7c5079264d3e137fdd9622
                        SSDEEP:1536:zVQSmwtMJXmejtJvxLTM5Tfv83KJ2crl2EWq:zVywt8XZXxLgTX83KHl2EWq
                        TLSH:B35302D26440D1E7D79D03BF65A4E843FB6517BC79DA30AB266E825CA093C0878D7BC2
                        File Content Preview:.ELF..............(.........4...........4. ...(.....................m...m................6...6...6..................Q.td...............................OUPX!.........n...n......j..........?.E.h;....#..$...o....P.G.o.....X.*.V......f..T.qh...4.8........8.|i

                        ELF header

                        Class:ELF32
                        Data:2's complement, little endian
                        Version:1 (current)
                        Machine:ARM
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:UNIX - Linux
                        ABI Version:0
                        Entry Point Address:0x11c80
                        Flags:0x4000002
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:3
                        Section Header Offset:0
                        Section Header Size:40
                        Number of Section Headers:0
                        Header String Table Index:0
                        Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
                        LOAD | 0x0 | 0x8000 | 0x8000 | 0xae6d | 0xae6d | 7.9737 | 0x5 | R E | 0x8000 | |
                        LOAD | 0x36c8 | 0x236c8 | 0x236c8 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 | |
                        GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                        System Behavior

                        Start time (UTC):13:00:30
                        Start date (UTC):20/03/2025
                        Path:/tmp/Space.arm7.elf
                        Arguments:/tmp/Space.arm7.elf
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):13:00:30
                        Start date (UTC):20/03/2025
                        Path:/tmp/Space.arm7.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):13:00:30
                        Start date (UTC):20/03/2025
                        Path:/tmp/Space.arm7.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):13:00:30
                        Start date (UTC):20/03/2025
                        Path:/tmp/Space.arm7.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):13:00:36
                        Start date (UTC):20/03/2025
                        Path:/tmp/Space.arm7.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):13:00:36
                        Start date (UTC):20/03/2025
                        Path:/tmp/Space.arm7.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1