Edit tour

Linux Analysis Report
46.19.143.26-mips-2025-03-01T06_09_25.elf

Overview

General Information

Sample name:	46.19.143.26-mips-2025-03-01T06_09_25.elf
Analysis ID:	1644706
MD5:	a618f8a57f8b7816072bfd697a345f50
SHA1:	11fa49e2c99138d12e4b266fceba5f73113e0952
SHA256:	787da52743cd187df1353d1f85f243cf98d01d65466034d0cbd99900274ba0a2
Tags:	elfuser-threatquery
Infos:

Detection

Score:	60
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1644706
Start date and time:	2025-03-20 21:17:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	46.19.143.26-mips-2025-03-01T06_09_25.elf
Detection:	MAL
Classification:	mal60.troj.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf
PID:	5501
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life
Standard Error:

Process Tree

system is lnxubuntu20

46.19.143.26-mips-2025-03-01T06_09_25.elf (PID: 5501, Parent: 5422, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf

46.19.143.26-mips-2025-03-01T06_09_25.elf New Fork (PID: 5503, Parent: 5501)

dash New Fork (PID: 5507, Parent: 3632)

rm (PID: 5507, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.mEkGBMS8sb /tmp/tmp.qcBubsum5M /tmp/tmp.7pqsYHy482

dash New Fork (PID: 5508, Parent: 3632)

cat (PID: 5508, Parent: 3632, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.mEkGBMS8sb

dash New Fork (PID: 5509, Parent: 3632)

head (PID: 5509, Parent: 3632, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5510, Parent: 3632)

tr (PID: 5510, Parent: 3632, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5511, Parent: 3632)

cut (PID: 5511, Parent: 3632, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5512, Parent: 3632)

cat (PID: 5512, Parent: 3632, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.mEkGBMS8sb

dash New Fork (PID: 5513, Parent: 3632)

head (PID: 5513, Parent: 3632, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5514, Parent: 3632)

tr (PID: 5514, Parent: 3632, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5515, Parent: 3632)

cut (PID: 5515, Parent: 3632, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5518, Parent: 3632)

rm (PID: 5518, Parent: 3632, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.mEkGBMS8sb /tmp/tmp.qcBubsum5M /tmp/tmp.7pqsYHy482

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf

ReversingLabs: Detection: 16%

Source: unknown

HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.14:34592 version: TLS 1.2

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 209.200.246.178 ports 50749,56190,5102,7680,29486,7679,12016,41763,49722,40237,44859,8080,35086,40217,0,64839,50182,3,26141,54780,30751,5,6,50464,8,47563,52962

Source: global traffic

TCP traffic: 192.168.2.14:39854 -> 209.200.246.178:35086

Source: /tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf (PID: 5503)

Socket: 127.0.0.1:22448

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178
Source: unknown	TCP traffic detected without corresponding DNS query: 209.200.246.178

Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf, 5501.1.00007f49f0455000.00007f49f045c000.rw-.sdmp

String found in binary or memory: http://0/t/wget.sh

Source: unknown	Network traffic detected: HTTP traffic on port 34592 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 34592
Source: unknown	Network traffic detected: HTTP traffic on port 46540 -> 443

Source: unknown

HTTPS traffic detected: 54.217.10.153:443 -> 192.168.2.14:34592 version: TLS 1.2

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal60.troj.linELF@0/0@0/0

Source: /usr/bin/dash (PID: 5507)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.mEkGBMS8sb /tmp/tmp.qcBubsum5M /tmp/tmp.7pqsYHy482			Jump to behavior
Source: /usr/bin/dash (PID: 5518)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.mEkGBMS8sb /tmp/tmp.qcBubsum5M /tmp/tmp.7pqsYHy482			Jump to behavior

Source: /tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf (PID: 5501)

Queries kernel information via 'uname':

Jump to behavior

Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf, 5501.1.00007ffde5480000.00007ffde54a1000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/46.19.143.26-mips-2025-03-01T06_09_25.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf
Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf, 5501.1.000055a0cff1e000.000055a0cffa5000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mips
Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf, 5501.1.000055a0cff1e000.000055a0cffa5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: 46.19.143.26-mips-2025-03-01T06_09_25.elf, 5501.1.00007ffde5480000.00007ffde54a1000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
46.19.143.26-mips-2025-03-01T06_09_25.elf	17%	ReversingLabs	Linux.Trojan.Mirai
46.19.143.26-mips-2025-03-01T06_09_25.elf	100%	Avira	EXP/ELF.Agent.J.8

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://0/t/wget.sh	46.19.143.26-mips-2025-03-01T06_09_25.elf, 5501.1.00007f49f0455000.00007f49f045c000.rw-.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.217.10.153	unknown	United States	16509	AMAZON-02US	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
209.200.246.178	unknown	United States	15244	ADDD2NET-INCUS	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.217.10.153	dlr.sh4.elf	Get hash	malicious	Unknown	Browse
	i686.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	miner.elf	Get hash	malicious	Unknown	Browse
	psmips.elf	Get hash	malicious	Unknown	Browse
	yakuza.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	main_x86.elf	Get hash	malicious	Mirai	Browse
	jkse.arm7.elf	Get hash	malicious	Mirai	Browse
	re.bot.mips.elf	Get hash	malicious	Unknown	Browse
	45.126.126.33-sora.arm-2025-03-12T01_48_26.elf	Get hash	malicious	Mirai	Browse
	efea6.elf	Get hash	malicious	Mirai	Browse
185.125.190.26	boatnet.spc.elf	Get hash	malicious	Mirai	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	hiss.mips.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	Space.arm.elf	Get hash	malicious	Mirai	Browse
	Space.mips.elf	Get hash	malicious	Unknown	Browse
	Space.x86_64.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ADDD2NET-INCUS	https://www.bsdnetworks.com/products/bsd-industrial-5-10-100tx-port-ethernet-switch-mini/	Get hash	malicious	Unknown	Browse	66.102.133.150
	armv6l.elf	Get hash	malicious	Mirai	Browse	67.210.119.233
	na.elf	Get hash	malicious	Mirai	Browse	67.210.111.101
	s390x.elf	Get hash	malicious	Miori	Browse	209.200.246.150
	x86.elf	Get hash	malicious	Miori	Browse	209.200.246.150
	ppc.elf	Get hash	malicious	Miori	Browse	209.200.246.150
	mips.elf	Get hash	malicious	Miori	Browse	209.200.246.150
	ppc64.elf	Get hash	malicious	Miori	Browse	209.200.246.150
	mpsl.elf	Get hash	malicious	Miori	Browse	209.200.246.150
	armv4l.elf	Get hash	malicious	Miori	Browse	209.200.246.150
CANONICAL-ASGB	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
AMAZON-02US	na.elf	Get hash	malicious	Prometei	Browse	54.255.164.76
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	linux_mipsel_softfloat.elf	Get hash	malicious	Chaos	Browse	34.243.160.129
	https://emails.certa.in/ls/click?upn=u001.iAjcacKhDdX1J4JfQQ5nTBv8arrhNwbSC7Z7YOpbCzfgf-2F84h8udo2F8ceDYH2vesCwn_GwWzR5CPD3uhhoxi7nJtY0-2BQC5TKRtJEXtldUtgGNIXSt8nXiShm6hsa2YaABYh2TZC0v3L7cn9ITurcFtVWlGPrJKRiGHy55d4ptGe15usxcMP6zq8V3IQhE28-2BM1xOhJcGK0RN4pv-2FEdooxiSuAEwYysS6PaDKeDMM5SJj2o26oYst5kZF78CMofBrxC-2Bi3268dPgaFTamsKxmM-2BD7k4t1pfdYwsonFNKuuXTxy7VSHXUKdlwhQquRpB3peBAlnuvIAbNYmjvW3gwhEzYKRNejWDpA5LmNQWEZU72fo9GCUxILqTTrUrVMZv8YssJOAbKOC7shgIUBR8JCEosIu1LpVzKwthWgcNoeLhwSmbfaEpMRbHIGim8a-2BoUsZet4	Get hash	malicious	Unknown	Browse	18.238.80.19
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	na.elf	Get hash	malicious	Prometei	Browse	54.255.164.76
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	https://techresearchs.benchurl.com/c/l?u=12450653&e=199143A&c=163607&&t=0&l=12689B51E&email=VHWZIWwomIKWc0sY%2B8V5agif8GG0Zxj9&seq=1	Get hash	malicious	Unknown	Browse	54.76.75.65
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb4726d465c5f28b84cd6d14cedd13a7	yakuza.m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.217.10.153
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	54.217.10.153
	na.elf	Get hash	malicious	Prometei	Browse	54.217.10.153
	gz55G7deop.elf	Get hash	malicious	Gafgyt	Browse	54.217.10.153
	fr1iFcTPUY.elf	Get hash	malicious	Mirai	Browse	54.217.10.153
	muAZlKU0hq.elf	Get hash	malicious	Mirai	Browse	54.217.10.153
	M88FIQFvyo.elf	Get hash	malicious	Mirai	Browse	54.217.10.153
	9Iakt8wQQ7.elf	Get hash	malicious	Gafgyt	Browse	54.217.10.153
	x7Z7EQGweF.elf	Get hash	malicious	Mirai	Browse	54.217.10.153
	g058ub3UiN.elf	Get hash	malicious	Mirai	Browse	54.217.10.153

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.45974479181573
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	46.19.143.26-mips-2025-03-01T06_09_25.elf
File size:	85'208 bytes
MD5:	a618f8a57f8b7816072bfd697a345f50
SHA1:	11fa49e2c99138d12e4b266fceba5f73113e0952
SHA256:	787da52743cd187df1353d1f85f243cf98d01d65466034d0cbd99900274ba0a2
SHA512:	4342bce39ec4a6b1cfa99b25e79a2286850f549738396b3c580efe579cc9c14d6a2ac35f33fd581a0439d7cf0ff5f081bde8278b1da32d63b9e4d1c4ada80856
SSDEEP:	1536:gwKtyU1Q4Rj6JJCS7AQ3r90k1TI+Vh9QoQr5eKIpI:gwKtyU1Q4RjvQ7tVh932rIpI
TLSH:	B883FA5E2E719FADF229C33447B74B3297A823D523E1C685D26CD2111F6028EA45FBB4
File Content Preview:	.ELF.....................@.`...4..J......4. ...(.............@...@....60..60..............@..E@..E@.......l.........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'..X...!........'9.

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	84728
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x119a0	0x0	0x6	AX	16
.fini	PROGBITS	0x411ac0	0x11ac0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x411b20	0x11b20	0x1b10	0x0	0x2	A	16
.ctors	PROGBITS	0x454000	0x14000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x454008	0x14008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x454020	0x14020	0x42c	0x0	0x3	WA	16
.got	PROGBITS	0x454450	0x14450	0x65c	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x454aac	0x14aac	0x14	0x0	0x10000003	WAp	4
.bss	NOBITS	0x454ac0	0x14aac	0x6144	0x0	0x3	WA	16
.shstrtab	STRTAB	0x0	0x14aac	0x49	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x13630	0x13630	5.6274	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x14000	0x454000	0x454000	0xaac	0x6c04	3.2671	0x6	RW	0x10000	.ctors .dtors .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2025 21:17:56.400311947 CET	39854	35086	192.168.2.14	209.200.246.178
Mar 20, 2025 21:17:56.514090061 CET	35086	39854	209.200.246.178	192.168.2.14
Mar 20, 2025 21:17:58.407047033 CET	53156	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:17:58.515537024 CET	29486	53156	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:00.409739017 CET	34624	64839	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:00.424556017 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:00.518436909 CET	64839	34624	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:00.661266088 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:00.661580086 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:00.663053036 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:00.896025896 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:02.412812948 CET	43364	40237	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:02.527293921 CET	40237	43364	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:03.701464891 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:03.701524019 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:03.701565027 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:03.701603889 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:03.701638937 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:03.701675892 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:03.702147007 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.702147007 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.702147007 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.702147961 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.702147961 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.702147961 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.703403950 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:03.936201096 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.015155077 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.015592098 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.015592098 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.256395102 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.257788897 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.257831097 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.257952929 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.257953882 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.259104013 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.417726994 CET	52724	26141	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:04.495860100 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.495920897 CET	443	34592	54.217.10.153	192.168.2.14
Mar 20, 2025 21:18:04.496083975 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.496084929 CET	34592	443	192.168.2.14	54.217.10.153
Mar 20, 2025 21:18:04.524936914 CET	26141	52724	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:06.423521996 CET	53164	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:06.534734011 CET	29486	53164	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:07.080518007 CET	46540	443	192.168.2.14	185.125.190.26
Mar 20, 2025 21:18:08.427403927 CET	53166	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:08.539618969 CET	29486	53166	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:10.432982922 CET	54344	41763	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:10.549746037 CET	41763	54344	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:12.440623999 CET	37940	50749	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:12.554594040 CET	50749	37940	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:14.448025942 CET	46784	47563	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:14.560844898 CET	47563	46784	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:16.452464104 CET	53312	50182	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:16.564572096 CET	50182	53312	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:18.457432032 CET	36126	7680	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:18.573534012 CET	7680	36126	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:20.468904972 CET	53316	50182	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:20.579519987 CET	50182	53316	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:22.475280046 CET	36760	8080	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:22.586697102 CET	8080	36760	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:24.480396032 CET	53506	44859	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:24.594861984 CET	44859	53506	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:26.484636068 CET	37828	54780	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:26.597599983 CET	54780	37828	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:28.489310026 CET	46798	47563	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:28.601181984 CET	47563	46798	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:30.495356083 CET	36138	7680	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:30.606883049 CET	7680	36138	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:32.501946926 CET	39890	35086	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:32.614094973 CET	35086	39890	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:34.507039070 CET	53330	50182	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:34.619405985 CET	50182	53330	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:36.511693001 CET	46806	47563	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:36.628496885 CET	47563	46806	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:37.287239075 CET	46540	443	192.168.2.14	185.125.190.26
Mar 20, 2025 21:18:38.516813993 CET	37966	50749	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:38.630233049 CET	50749	37966	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:40.521049976 CET	49660	40217	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:40.636394024 CET	40217	49660	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:42.524847984 CET	41592	50464	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:42.639252901 CET	50464	41592	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:44.529911041 CET	50222	30751	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:44.642431974 CET	30751	50222	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:46.538758039 CET	44710	52962	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:46.649003983 CET	52962	44710	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:48.544547081 CET	52768	26141	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:48.655869961 CET	26141	52768	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:50.550224066 CET	36246	7679	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:50.664563894 CET	7679	36246	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:52.555202007 CET	52772	26141	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:52.671298981 CET	26141	52772	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:54.559994936 CET	44718	52962	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:54.678879976 CET	52962	44718	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:56.563885927 CET	36094	5102	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:56.679842949 CET	5102	36094	209.200.246.178	192.168.2.14
Mar 20, 2025 21:18:58.567564011 CET	37986	50749	192.168.2.14	209.200.246.178
Mar 20, 2025 21:18:58.678620100 CET	50749	37986	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:00.571930885 CET	43422	40237	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:00.685543060 CET	40237	43422	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:02.576114893 CET	36800	8080	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:02.688519001 CET	8080	36800	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:04.580281973 CET	48230	56190	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:04.691941023 CET	56190	48230	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:06.586071014 CET	36804	8080	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:06.697841883 CET	8080	36804	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:08.591279030 CET	34692	64839	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:08.704355001 CET	64839	34692	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:10.599050045 CET	54404	41763	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:10.709379911 CET	41763	54404	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:12.605704069 CET	53554	44859	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:12.719634056 CET	44859	53554	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:14.611031055 CET	53232	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:14.725776911 CET	29486	53232	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:16.617263079 CET	33434	12016	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:16.728980064 CET	12016	33434	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:18.622982025 CET	52798	26141	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:18.736041069 CET	26141	52798	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:20.628535986 CET	53238	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:20.743305922 CET	29486	53238	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:22.633876085 CET	36120	5102	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:22.746184111 CET	5102	36120	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:24.639858961 CET	43660	49722	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:24.751821995 CET	49722	43660	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:26.645906925 CET	41636	50464	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:26.758333921 CET	50464	41636	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:28.651671886 CET	46858	47563	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:28.763418913 CET	47563	46858	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:30.659543991 CET	44754	52962	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:30.771327019 CET	52962	44754	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:32.664901972 CET	53250	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:32.780029058 CET	29486	53250	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:34.669693947 CET	33452	12016	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:34.783025026 CET	12016	33452	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:36.675069094 CET	52816	26141	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:36.790180922 CET	26141	52816	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:38.679896116 CET	39956	35086	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:38.791893959 CET	35086	39956	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:40.685882092 CET	33458	12016	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:40.801697016 CET	12016	33458	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:42.693399906 CET	36840	8080	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:42.802845001 CET	8080	36840	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:44.698256969 CET	44768	52962	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:44.814630985 CET	52962	44768	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:46.704960108 CET	49726	40217	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:46.816246033 CET	40217	49726	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:48.711216927 CET	36146	5102	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:48.820673943 CET	5102	36146	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:50.717463017 CET	53268	29486	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:50.830132008 CET	29486	53268	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:52.723957062 CET	43474	40237	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:52.835045099 CET	40237	43474	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:54.731256008 CET	54448	41763	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:54.843422890 CET	41763	54448	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:56.736648083 CET	33474	12016	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:56.847273111 CET	12016	33474	209.200.246.178	192.168.2.14
Mar 20, 2025 21:19:58.742814064 CET	53414	50182	192.168.2.14	209.200.246.178
Mar 20, 2025 21:19:58.857625961 CET	50182	53414	209.200.246.178	192.168.2.14

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 20, 2025 21:18:03.701675892 CET	54.217.10.153	443	192.168.2.14	34592	CN=motd.ubuntu.com CN=R11, O=Let's Encrypt, C=US	CN=R11, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	Sun Jan 05 09:21:36 CET 2025 Wed Mar 13 01:00:00 CET 2024	Sat Apr 05 10:21:35 CEST 2025 Sat Mar 13 00:59:59 CET 2027	771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-69-68-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2	fb4726d465c5f28b84cd6d14cedd13a7
Mar 20, 2025 21:18:03.701675892 CET	54.217.10.153	443	192.168.2.14	34592	CN=R11, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Wed Mar 13 01:00:00 CET 2024	Sat Mar 13 00:59:59 CET 2027		fb4726d465c5f28b84cd6d14cedd13a7

System Behavior

Analysis Process: 46.19.143.26-mips-2025-03-01T06_09_25.elf PID: 5501, Parent PID: 5422

General

Start time (UTC):	20:17:55
Start date (UTC):	20/03/2025
Path:	/tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf
Arguments:	/tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: 46.19.143.26-mips-2025-03-01T06_09_25.elf PID: 5503, Parent PID: 5501

General

Start time (UTC):	20:17:55
Start date (UTC):	20/03/2025
Path:	/tmp/46.19.143.26-mips-2025-03-01T06_09_25.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Process Activities

Thread Sleep

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: dash PID: 5507, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5507, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.mEkGBMS8sb /tmp/tmp.qcBubsum5M /tmp/tmp.7pqsYHy482
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 5508, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cat PID: 5508, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.mEkGBMS8sb
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5509, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: head PID: 5509, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5510, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: tr PID: 5510, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5511, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cut PID: 5511, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5512, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cat PID: 5512, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.mEkGBMS8sb
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5513, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: head PID: 5513, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5514, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: tr PID: 5514, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5515, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cut PID: 5515, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5518, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5518, Parent PID: 3632

General

Start time (UTC):	20:18:03
Start date (UTC):	20/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.mEkGBMS8sb /tmp/tmp.qcBubsum5M /tmp/tmp.7pqsYHy482
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report 46.19.143.26-mips-2025-03-01T06_09_25.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTPS Connections

System Behavior

Analysis Process: 46.19.143.26-mips-2025-03-01T06_09_25.elf PID: 5501, Parent PID: 5422

General

File Activities

File Opened

File Read

File Moved

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: 46.19.143.26-mips-2025-03-01T06_09_25.elf PID: 5503, Parent PID: 5501

General

Process Activities

Thread Sleep

Network Activities

Socket Listening

Socket Connecting

Linux Analysis Report
46.19.143.26-mips-2025-03-01T06_09_25.elf