
Linux Analysis Report
arm.elf

Overview

General Information

Sample name: arm.elf
Analysis ID: 1644794
MD5: 08e536f7f30cb7ddb5346e0015346222
SHA1: 6ccba637c8ee7820be537c4d14f35cf015d54453
SHA256: 5681f7a57356b2898d90618b5c3791e4ced8fc86fded06805c346615fd1dfac6
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 60
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644794
Start date and time: 2025-03-21 00:34:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: arm.elf
Detection: MAL
Classification: mal60.troj.linELF@0/3@0/0
  • VT rate limit hit for: https://motd.ubuntu.comhe
Command: /tmp/arm.elf
PID: 6230
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • arm.elf (PID: 6230, Parent: 6155, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm.elf
    • arm.elf New Fork (PID: 6233, Parent: 6230)
  • dash New Fork (PID: 6306, Parent: 4331)
  • rm (PID: 6306, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.O2BilyoeyQ /tmp/tmp.eYbtl9VSJr /tmp/tmp.z2cxVGnfhP
  • dash New Fork (PID: 6307, Parent: 4331)
  • rm (PID: 6307, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.O2BilyoeyQ /tmp/tmp.eYbtl9VSJr /tmp/tmp.z2cxVGnfhP
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author
arm.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
6233.1.00007fb834017000.00007fb83409b000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
6230.1.00007fb834017000.00007fb83409b000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security

No Suricata rule has matched

AV Detection

Source: arm.elf | Virustotal: Detection: 19%
Source: arm.elf | ReversingLabs: Detection: 13%
Source: /tmp/arm.elf (PID: 6233) | Socket: 127.0.0.1:22448
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | String found in binary or memory: http://17365637265742070617373776F7264206D656D6F721/t/wget.sh
Source: arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | String found in binary or memory: https://motd.ubuntu.com
Source: arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | String found in binary or memory: https://motd.ubuntu.comhe
Source: unknown | Network traffic detected: HTTP traffic on port 39270 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 39270
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample | .symtab present: no
Source: /tmp/arm.elf (PID: 6230) | SIGKILL sent: pid: 1 (init), result: successful
Source: /tmp/arm.elf (PID: 6230) | SIGKILL sent: pid: 1335, result: successful
Source: /tmp/arm.elf (PID: 6230) | SIGKILL sent: pid: 1872, result: successful
Source: classification engine | Classification label: mal60.troj.linELF@0/3@0/0

Persistence and Installation Behavior

Source: /tmp/arm.elf (PID: 6230) | File: /proc/6230/mounts
Source: /usr/bin/dash (PID: 6306) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O2BilyoeyQ /tmp/tmp.eYbtl9VSJr /tmp/tmp.z2cxVGnfhP
Source: /usr/bin/dash (PID: 6307) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.O2BilyoeyQ /tmp/tmp.eYbtl9VSJr /tmp/tmp.z2cxVGnfhP
Source: /tmp/arm.elf (PID: 6230) | Queries kernel information via 'uname'
Source: arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | Binary or memory string: vmwarem
Source: arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | Binary or memory string: vmware
Source: arm.elf, 6230.1.000055eac756a000.000055eac76da000.rw-.sdmp, arm.elf, 6233.1.000055eac756a000.000055eac76da000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | Binary or memory string: qemu-arm
Source: arm.elf, 6230.1.00007ffc97731000.00007ffc97752000.rw-.sdmp, arm.elf, 6233.1.00007ffc97731000.00007ffc97752000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf
Source: arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | Binary or memory string: qemu-arm)Zm6vnZ5U4mf8vApyWcDwXR44ZAkzslsN)
Source: arm.elf, 6230.1.000055eac756a000.000055eac76da000.rw-.sdmp, arm.elf, 6233.1.000055eac756a000.000055eac76da000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: arm.elf, 6230.1.00007ffc97731000.00007ffc97752000.rw-.sdmp, arm.elf, 6233.1.00007ffc97731000.00007ffc97752000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: arm.elf, 6230.1.00007ffc97731000.00007ffc97752000.rw-.sdmp | Binary or memory string: U/tmp/qemu-open.GaK5Mh:
Source: arm.elf, 6230.1.00007ffc97731000.00007ffc97752000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.GaK5Mh
Source: arm.elf, 6233.1.00007ffc97731000.00007ffc97752000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information

Source: Yara match | File source: arm.elf, type: SAMPLE
Source: Yara match | File source: 6233.1.00007fb834017000.00007fb83409b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6230.1.00007fb834017000.00007fb83409b000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: arm.elf, type: SAMPLE
Source: Yara match | File source: 6233.1.00007fb834017000.00007fb83409b000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6230.1.00007fb834017000.00007fb83409b000.r-x.sdmp, type: MEMORY
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques matched, with the number of matching signatures:
  • Defense Evasion: File Deletion (1)
  • Credential Access: OS Credential Dumping (1)
  • Discovery: Security Software Discovery (11), File and Directory Discovery (1)
  • Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
The remaining matrix cells carry no count.
No configs have been found

Behavior Graph (ID: 1644794, Sample: arm.elf, Start date: 21/03/2025, Architecture: LINUX, Score: 60)
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet
Graph nodes recoverable from the extracted text:
  • 109.202.202.202, port 80, INIT7CH, Switzerland
  • 91.189.91.42, port 443, CANONICAL-ASGB, United Kingdom
  • 2 other IPs or domains
  • Signature: Multi AV Scanner detection for submitted file
  • Signature: Yara detected Mirai
  • Process: arm.elf started, which in turn started a child arm.elf; signature on the parent: Sample reads /proc/mounts (often used for finding a writable filesystem)
  • Process: dash rm started (two instances)
Source | Detection | Scanner | Label
arm.elf | 19% | Virustotal |
arm.elf | 14% | ReversingLabs | Linux.Trojan.Mirai
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://motd.ubuntu.comhe | 0% | Avira URL Cloud | safe


No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://motd.ubuntu.com | arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | false | | high
https://motd.ubuntu.comhe | arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | false | Avira URL Cloud: safe | unknown
http://17365637265742070617373776F7264206D656D6F721/t/wget.sh | arm.elf, 6230.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp, arm.elf, 6233.1.00007fb8340a7000.00007fb8340b2000.rw-.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.249.145.219 | unknown | United States | 16509 | AMAZON-02US | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | linux_mipsel.elf | malicious | Chaos |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | linux_mips64.elf | malicious | Chaos |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | boatnet.mips.elf | malicious | Mirai |
34.249.145.219 | boatnet.arm7.elf | malicious | Mirai |
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | mips.elf | malicious | Unknown |
91.189.91.43 | linux_386.elf | malicious | Chaos |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | linux_mipsel.elf | malicious | Chaos |
91.189.91.43 | linux_arm7.elf | malicious | Chaos |
91.189.91.43 | linux_mips.elf | malicious | Chaos |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.43 | eehah4.elf | malicious | Unknown |
91.189.91.43 | na.elf | malicious | Prometei |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | mips.elf | malicious | Unknown |
91.189.91.42 | linux_386.elf | malicious | Chaos |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | linux_mipsel.elf | malicious | Chaos |
91.189.91.42 | linux_arm7.elf | malicious | Chaos |
91.189.91.42 | linux_mips.elf | malicious | Chaos |
91.189.91.42 | na.elf | malicious | Prometei |
91.189.91.42 | eehah4.elf | malicious | Unknown |
91.189.91.42 | na.elf | malicious | Prometei |

No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB (listed twice in the report) | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | mips.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | linux_386.elf | malicious | Chaos | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | linux_mipsel.elf | malicious | Chaos | 91.189.91.42
CANONICAL-ASGB | linux_arm7.elf | malicious | Chaos | 91.189.91.42
CANONICAL-ASGB | linux_mips.elf | malicious | Chaos | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | eehah4.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | mips.elf | malicious | Unknown | 109.202.202.202
INIT7CH | linux_386.elf | malicious | Chaos | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | linux_mipsel.elf | malicious | Chaos | 109.202.202.202
INIT7CH | linux_arm7.elf | malicious | Chaos | 109.202.202.202
INIT7CH | linux_mips.elf | malicious | Chaos | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | eehah4.elf | malicious | Unknown | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
AMAZON-02US | na.elf | malicious | Prometei | 54.255.164.76
AMAZON-02US | Garmin GameOn - Installer.exe | malicious | Unknown | 13.226.34.91
AMAZON-02US | Garmin GameOn - Installer.exe | malicious | Unknown | 13.226.34.64
AMAZON-02US | linux_mipsel.elf | malicious | Chaos | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 54.255.164.76
AMAZON-02US | eehah4.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 54.171.230.55
AMAZON-02US | linux_mips64.elf | malicious | Chaos | 34.249.145.219
AMAZON-02US | linux_arm5.elf | malicious | Chaos | 54.171.230.55

No context
No context
Dropped Files

Process: /tmp/arm.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.3927474104487847
Encrypted: false
SSDEEP: 3:Tg7G:Tgy
MD5: 060C950602AE5DFAF583473721C0D328
SHA1: 91D13B439729088DC17F1E0519970D82C56F2B07
SHA-256: F8D4586FDF6230A2D5F431EF44BABDF37F6D7CEDBB3560702B0DC8493DD44EE3
SHA-512: 000D50E0A5736B0AB3B1BF61F55911914808FA197365B10F61F24096E2959ADAC2C3FF0D9ED226AD99934093F9FDD1C7035A22EEB5091DF75402A0A26E7A84AC
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/arm.elf.

Process: /tmp/arm.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.3927474104487847
Encrypted: false
SSDEEP: 3:Tg7G:Tgy
MD5: 060C950602AE5DFAF583473721C0D328
SHA1: 91D13B439729088DC17F1E0519970D82C56F2B07
SHA-256: F8D4586FDF6230A2D5F431EF44BABDF37F6D7CEDBB3560702B0DC8493DD44EE3
SHA-512: 000D50E0A5736B0AB3B1BF61F55911914808FA197365B10F61F24096E2959ADAC2C3FF0D9ED226AD99934093F9FDD1C7035A22EEB5091DF75402A0A26E7A84AC
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/arm.elf.

Process: /tmp/arm.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.3927474104487847
Encrypted: false
SSDEEP: 3:Tg7G:Tgy
MD5: 060C950602AE5DFAF583473721C0D328
SHA1: 91D13B439729088DC17F1E0519970D82C56F2B07
SHA-256: F8D4586FDF6230A2D5F431EF44BABDF37F6D7CEDBB3560702B0DC8493DD44EE3
SHA-512: 000D50E0A5736B0AB3B1BF61F55911914808FA197365B10F61F24096E2959ADAC2C3FF0D9ED226AD99934093F9FDD1C7035A22EEB5091DF75402A0A26E7A84AC
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/arm.elf.
Static File Info

File type: ELF 32-bit LSB executable, ARM, version 1 (ARM), dynamically linked, stripped
Entropy (8bit): 6.335133111119
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: arm.elf
File size: 556'108 bytes
MD5: 08e536f7f30cb7ddb5346e0015346222
SHA1: 6ccba637c8ee7820be537c4d14f35cf015d54453
SHA256: 5681f7a57356b2898d90618b5c3791e4ced8fc86fded06805c346615fd1dfac6
SHA512: c75eae2407643fa11da2a35a53fb0ea3936d4bac443db2d9d0c7c3eab36780f5c8027d0a2a41792526512eae30fd199cb82429728ed0343c7d8c8afff2a7dc7d
SSDEEP: 12288:/LemydU+z4d61nZQcES3jNc/zuEBrUeruJbgD69PQjlMjVvxBhVF+:/LC1ZESHXxg4
TLSH: 96C44A55B8419B92C2C06BBBFF5D834873271778D2EEB0069C199B642AEFC1B0F76542
File Content Preview: .ELF...a..........(.........4...lz......4. ...(......................?...?...............@...@...@...:....................................................-...L."...?...........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: ARM - ABI
ABI Version: 0
Entry Point Address: 0x8190
Flags: 0x202
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 555628
Section Header Size: 40
Number of Section Headers: 12
Header String Table Index: 11
Section headers

Name          Type      Address  Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
              NULL      0x0      0x0      0x0      0x0      0x0                       0     0     0
.init         PROGBITS  0x8094   0x94     0x18     0x0      0x6    AX                 0     0     4
.text         PROGBITS  0x80b0   0xb0     0x74934  0x0      0x6    AX                 0     0     16
.fini         PROGBITS  0x7c9e4  0x749e4  0x14     0x0      0x6    AX                 0     0     4
.rodata       PROGBITS  0x7c9f8  0x749f8  0xf524   0x0      0x2    A                  0     0     4
.ctors        PROGBITS  0x94004  0x84004  0x8      0x0      0x3    WA                 0     0     4
.dtors        PROGBITS  0x9400c  0x8400c  0x8      0x0      0x3    WA                 0     0     4
.data.rel.ro  PROGBITS  0x94018  0x84018  0x35e8   0x0      0x3    WA                 0     0     4
.got          PROGBITS  0x97600  0x87600  0x80     0x4      0x3    WA                 0     0     4
.data         PROGBITS  0x97680  0x87680  0x39c    0x0      0x3    WA                 0     0     4
.bss          NOBITS    0x97a1c  0x87a1c  0x6ef4   0x0      0x3    WA                 0     0     4
.shstrtab     STRTAB    0x0      0x87a1c  0x50     0x0      0x0                       0     0     1
Program headers

Type     Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD     0x0      0x8000           0x8000            0x83f1c    0x83f1c      6.3628   0x5    R E                0x8000                    .init .text .fini .rodata
LOAD     0x84004  0x94004          0x94004           0x3a18     0xa90c       4.1618   0x6    RW                 0x8000                    .ctors .dtors .data.rel.ro .got .data .bss
DYNAMIC  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


Network Behavior

• Total Packets: 11
• 443 (HTTPS)
• 80 (HTTP)
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Mar 21, 2025 00:35:06.060213089 CET  43928        443        192.168.2.23     91.189.91.42
Mar 21, 2025 00:35:11.691323996 CET  42836        443        192.168.2.23     91.189.91.43
Mar 21, 2025 00:35:12.459201097 CET  42516        80         192.168.2.23     109.202.202.202
Mar 21, 2025 00:35:24.556324959 CET  39270        443        192.168.2.23     34.249.145.219
Mar 21, 2025 00:35:24.556421995 CET  443          39270      34.249.145.219   192.168.2.23
Mar 21, 2025 00:35:24.556708097 CET  39270        443        192.168.2.23     34.249.145.219
Mar 21, 2025 00:35:24.557578087 CET  39270        443        192.168.2.23     34.249.145.219
Mar 21, 2025 00:35:24.557617903 CET  443          39270      34.249.145.219   192.168.2.23
Mar 21, 2025 00:35:27.561508894 CET  43928        443        192.168.2.23     91.189.91.42
Mar 21, 2025 00:35:37.800031900 CET  42836        443        192.168.2.23     91.189.91.43
Mar 21, 2025 00:35:41.895418882 CET  42516        80         192.168.2.23     109.202.202.202
Mar 21, 2025 00:36:08.516223907 CET  43928        443        192.168.2.23     91.189.91.42
Mar 21, 2025 00:36:24.549712896 CET  39270        443        192.168.2.23     34.249.145.219
Mar 21, 2025 00:36:24.592406988 CET  443          39270      34.249.145.219   192.168.2.23
Mar 21, 2025 00:37:14.050019979 CET  443          39270      34.249.145.219   192.168.2.23

System Behavior

Start time (UTC): 23:35:10
Start date (UTC): 20/03/2025
Path: /tmp/arm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:36:24
Start date (UTC): 20/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 23:36:24
Start date (UTC): 20/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.O2BilyoeyQ /tmp/tmp.eYbtl9VSJr /tmp/tmp.z2cxVGnfhP
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 23:36:24
Start date (UTC): 20/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 23:36:24
Start date (UTC): 20/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.O2BilyoeyQ /tmp/tmp.eYbtl9VSJr /tmp/tmp.z2cxVGnfhP
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b