Linux Analysis Report
sh4.elf

Overview

General Information

Sample name: sh4.elf
Analysis ID: 1646546
MD5: cf215cbbe7ae4255e7fa42b9983bb43c
SHA1: 64e1d45eb229e9443551ceecaaf9ba9beb95a3e6
SHA256: 68df6f19fbf637b4b9f384f78460e75070e047ebc46f45fd8d4efd9b64b873b5
Tags: elf, user-abuse_ch

Detection

Score: 52
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1646546
Start date and time: 2025-03-24 05:23:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: sh4.elf
Detection: MAL
Classification: mal52.troj.linELF@0/3@0/0
Command: /tmp/sh4.elf
PID: 6250
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • sh4.elf (PID: 6250, Parent: 6171, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.elf
    • sh4.elf New Fork (PID: 6253, Parent: 6250)
  • dash New Fork (PID: 6326, Parent: 4332)
  • rm (PID: 6326, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.EkMbrYKkZ7 /tmp/tmp.3pghXFkHAk /tmp/tmp.A1Mym6EFhW
  • dash New Fork (PID: 6327, Parent: 4332)
  • rm (PID: 6327, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.EkMbrYKkZ7 /tmp/tmp.3pghXFkHAk /tmp/tmp.A1Mym6EFhW
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: sh4.elf | ReversingLabs: Detection: 19%
Source: /tmp/sh4.elf (PID: 6253) | Socket: 127.0.0.1:22448
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: sh4.elf, 6250.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp, sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | String found in binary or memory: https://motd.ubuntu.com
Source: sh4.elf, 6250.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp, sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | String found in binary or memory: https://motd.ubuntu.comhe
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 39248 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 39248
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal52.troj.linELF@0/3@0/0

Persistence and Installation Behavior

Source: /tmp/sh4.elf (PID: 6250) | File: /proc/6250/mounts
Source: /tmp/sh4.elf (PID: 6250) | File opened: /proc/<pid>/cmdline for each of the following PIDs, in the order observed: 6230, 6231, 1582, 3088, 230, 110, 231, 111, 232, 1579, 112, 233, 1699, 113, 234, 1335, 1698, 114, 235, 1334, 1576, 2302, 115, 236, 116, 237, 117, 118, 910, 119, 912, 10, 2307, 11, 918, 12, 13, 14, 15, 16, 17, 18, 1594, 120, 121, 1349, 1, 122, 243, 123, 2, 124, 3, 4, 125, 126, 1344, 1465, 1586, 127, 6, 248, 128, 249, 1463, 800, 9, 801, 20, 21, 1900, 22, 23, 24, 25, 26, 27, 28, 29, 491, 250, 130, 251, 252, 132, 253, 254, 255, 256, 1599, 257, 1477, 379, 258, 1476, 259, 1475, 4500, 936, 4503, 30, 2208, 4506, 35
Source: /tmp/sh4.elf (PID: 6250) | File opened: /proc/1/maps (read between /proc/1349/cmdline and /proc/1/cmdline)
Source: /usr/bin/dash (PID: 6326) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.EkMbrYKkZ7 /tmp/tmp.3pghXFkHAk /tmp/tmp.A1Mym6EFhW
Source: /usr/bin/dash (PID: 6327) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.EkMbrYKkZ7 /tmp/tmp.3pghXFkHAk /tmp/tmp.A1Mym6EFhW
Source: /tmp/sh4.elf (PID: 6250) | Queries kernel information via 'uname'
Source: sh4.elf, 6253.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: exed the wor!/qemu-open.XXXXX
Source: sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | Binary or memory string: vmware
Source: sh4.elf, 6250.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: zzU/tmp/qemu-open.MpcMkO\
Source: sh4.elf, 6250.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp, sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | Binary or memory string: qemu-arm
Source: sh4.elf, 6250.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp, sh4.elf, 6253.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: /qemu-open.XXXXX
Source: sh4.elf, 6250.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp, sh4.elf, 6253.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.elf, 6250.1.0000557a7e1d8000.0000557a7e280000.rw-.sdmp, sh4.elf, 6253.1.0000557a7e1d8000.0000557a7e280000.rw-.sdmp | Binary or memory string: ~zU5!/etc/qemu-binfmt/sh4
Source: sh4.elf, 6250.1.0000557a7e1d8000.0000557a7e280000.rw-.sdmp, sh4.elf, 6253.1.0000557a7e1d8000.0000557a7e280000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.elf, 6250.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.MpcMkO
Source: sh4.elf, 6250.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp, sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | Binary or memory string: B!!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!1aFwAWFlpG2QBW0gJTwAA1!qemu-arm2QBW0gJTwAA!
Source: sh4.elf, 6250.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp, sh4.elf, 6253.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.elf
Source: sh4.elf, 6253.1.00007ffd7cb8b000.00007ffd7cbac000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique, as shown in the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Acquire Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: 1 File Deletion; Rootkit
Credential Access: 1 OS Credential Dumping; LSASS Memory
Discovery: 11 Security Software Discovery; 1 File and Directory Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
No configs have been found
Behavior Graph (ID: 1646546; sample: sh4.elf; start date: 24/03/2025; architecture: LINUX; score: 52)

  • Contacted: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains
  • Processes started: sh4.elf (which in turn started a child sh4.elf); dash -> rm; dash -> rm
  • Signatures: Multi AV Scanner detection for submitted file; Sample reads /proc/mounts (often used for finding a writable filesystem)

Source | Detection | Scanner | Label
sh4.elf | 19% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://motd.ubuntu.com | sh4.elf, 6250.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp, sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | false | | high
https://motd.ubuntu.comhe | sh4.elf, 6250.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp, sh4.elf, 6253.1.00007fcdb0428000.00007fcdb042e000.rw-.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
34.249.145.219 | unknown | United States | 16509 | AMAZON-02US | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL (Detection, Threat Name) | Context

34.249.145.219:
  • ppc.elf (malicious, Unknown)
  • gigab.x86.elf (malicious, Unknown)
  • arm7.elf (malicious, Unknown)
  • aarch64.elf (malicious, Mirai)
  • na.elf (malicious, Prometei)
  • na.elf (malicious, Prometei)
  • arc.elf (malicious, Mirai)
  • na.elf (malicious, Prometei)
  • na.elf (malicious, Prometei)
  • m68k.elf (malicious, Mirai)

109.202.202.202:
  • kpLwzBouH4.elf (malicious, Unknown); context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

91.189.91.43:
  • morte.arm5.elf (malicious, Okiru)
  • arm6.elf (malicious, Unknown)
  • morte.m68k.elf (malicious, Gafgyt, Okiru)
  • morte.arm.elf (malicious, Gafgyt, Okiru)
  • arm7.elf (malicious, Mirai)
  • gigab.x86.elf (malicious, Unknown)
  • morte.mips.elf (malicious, Gafgyt, Okiru)
  • arm7.elf (malicious, Unknown)
  • morte.arm6.elf (malicious, Gafgyt, Okiru)
  • aarch64.elf (malicious, Mirai)

91.189.91.42:
  • ppc.elf (malicious, Unknown)
  • morte.arm5.elf (malicious, Okiru)
  • arm6.elf (malicious, Unknown)
  • morte.m68k.elf (malicious, Gafgyt, Okiru)
  • morte.arm.elf (malicious, Gafgyt, Okiru)
  • arm7.elf (malicious, Mirai)
  • gigab.x86.elf (malicious, Unknown)
  • morte.mips.elf (malicious, Gafgyt, Okiru)
  • arm7.elf (malicious, Unknown)
  • morte.arm6.elf (malicious, Gafgyt, Okiru)

No context
Match | Associated Sample Name / URL (Detection, Threat Name; contacted IP)

CANONICAL-ASGB:
  • ppc.elf (malicious, Unknown; IP: 91.189.91.42)
  • na.elf (malicious, Prometei; IP: 185.125.190.26)
  • morte.arm5.elf (malicious, Okiru; IP: 91.189.91.42)
  • arm6.elf (malicious, Unknown; IP: 91.189.91.42)
  • morte.m68k.elf (malicious, Gafgyt, Okiru; IP: 91.189.91.42)
  • morte.arm.elf (malicious, Gafgyt, Okiru; IP: 91.189.91.42)
  • arm7.elf (malicious, Mirai; IP: 91.189.91.42)
  • gigab.x86.elf (malicious, Unknown; IP: 91.189.91.42)
  • morte.x86.elf (malicious, Okiru; IP: 185.125.190.26)
  • morte.mips.elf (malicious, Gafgyt, Okiru; IP: 91.189.91.42)

INIT7CH:
  • ppc.elf (malicious, Unknown; IP: 109.202.202.202)
  • morte.arm5.elf (malicious, Okiru; IP: 109.202.202.202)
  • arm6.elf (malicious, Unknown; IP: 109.202.202.202)
  • morte.m68k.elf (malicious, Gafgyt, Okiru; IP: 109.202.202.202)
  • morte.arm.elf (malicious, Gafgyt, Okiru; IP: 109.202.202.202)
  • arm7.elf (malicious, Mirai; IP: 109.202.202.202)
  • gigab.x86.elf (malicious, Unknown; IP: 109.202.202.202)
  • morte.mips.elf (malicious, Gafgyt, Okiru; IP: 109.202.202.202)
  • arm7.elf (malicious, Unknown; IP: 109.202.202.202)
  • morte.arm6.elf (malicious, Gafgyt, Okiru; IP: 109.202.202.202)

AMAZON-02US:
  • ppc.elf (malicious, Unknown; IP: 34.249.145.219)
  • https://waimao-north-star-mail.qiye.163.com/api/j/html?c=https%3A%2F%2F1drv.ms%2Fo%2Fs!AjlMaeoI5pi7f_GXm50IY_RD-sw%3Fe%3DEsmwj4%3Fcid%3Dsite_nqmm3LQS7c9jn-2FWvVcVpMl0NsyUA8yUApYElnaeUm2Ly_xlUzBpbEuL (malicious, Unknown; IP: 52.38.253.137)
  • na.elf (malicious, Prometei; IP: 52.43.119.120)
  • na.elf (malicious, Prometei; IP: 34.243.160.129)
  • arm5.elf (malicious, Unknown; IP: 54.171.230.55)
  • arc.elf (malicious, Mirai; IP: 34.254.182.186)
  • роблокс.exe (malicious, Njrat; IP: 18.197.239.5)
  • na.elf (malicious, Prometei; IP: 52.43.119.120)
  • gigab.x86.elf (malicious, Unknown; IP: 34.249.145.219)
  • morte.mips.elf (malicious, Gafgyt, Okiru; IP: 54.171.230.55)

No context
No context
Three dropped files were recorded, all with the following identical properties:

Process: /tmp/sh4.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.5465935642949384
Encrypted: false
SSDEEP: 3:TgKYn:TgKYn
MD5: AEF4020327A62D78F5A8202D453B0A74
SHA1: 84FC7A7CBE0B4EF5BDB927B95EA1BD01665BE8B1
SHA-256: 1878DDF74B755A998CBFD2140779771966ADF507D2B95CA86906476BFD80575B
SHA-512: 0E1BF58363F746F19B92730E15E2091F05A2C87B120B004F3819735F4D60268E66711EBEB06E3B771B2DE327FCBB3DDD368241E7A6E1A1B759384F6D70A2C528
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/sh4.elf.
                                                                  File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
                                                                  Entropy (8bit):6.863927027247861
                                                                  TrID:
                                                                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                                  File name:sh4.elf
                                                                  File size:95'064 bytes
                                                                  MD5:cf215cbbe7ae4255e7fa42b9983bb43c
                                                                  SHA1:64e1d45eb229e9443551ceecaaf9ba9beb95a3e6
                                                                  SHA256:68df6f19fbf637b4b9f384f78460e75070e047ebc46f45fd8d4efd9b64b873b5
                                                                  SHA512:5b3c102981c055016d665835326cfcd9aa74423fb3d96f1f34d9629a670f2e6d19d1d40db984e30eba3a9c13f690244aa667340947babb465a26e5822a121e28
                                                                  SSDEEP:1536:rhINQKog4uaIjw6UGTFaR3AbHCo8WZylzK1KnnTnjr:VgUOjw6Ua9b7KnTnn
                                                                  TLSH:C6939E22E8642D84CC2669F5F0B4DB794B016DA140931DB998EED17440A3FDCF98EFAC
                                                                  File Content Preview:.ELF..............*.......@.4....q......4. ...(...............@...@..j...j...............p...pB..pB.....TI..........Q.td..............................././"O.n......#.*@........#.*@.L..&O.n.l..................................././.../.a"O.!...n...a.b("...q.

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:<unknown>
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x4001a0
Flags:0xc
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:94664
Section Header Size:40
Number of Section Headers:10
Header String Table Index:9
Section headers

Name       Type      Address   Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
           NULL      0x0       0x0      0x0      0x0      0x0                       0     0     0
.init      PROGBITS  0x400094  0x94     0x2e     0x0      0x6    AX                 0     0     4
.text      PROGBITS  0x4000e0  0xe0     0x14ce0  0x0      0x6    AX                 0     0     32
.fini      PROGBITS  0x414dc0  0x14dc0  0x22     0x0      0x6    AX                 0     0     4
.rodata    PROGBITS  0x414de4  0x14de4  0x1c20   0x0      0x2    A                  0     0     4
.ctors     PROGBITS  0x4270dc  0x170dc  0x8      0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x4270e4  0x170e4  0x8      0x0      0x3    WA                 0     0     4
.data      PROGBITS  0x4270f0  0x170f0  0x98     0x0      0x3    WA                 0     0     4
.bss       NOBITS    0x427188  0x17188  0x48a8   0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0       0x17188  0x3e     0x0      0x0                       0     0     1
Program headers

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x16a04    0x16a04      6.9491   0x5    R E                0x10000                    .init .text .fini .rodata
LOAD       0x170dc  0x4270dc         0x4270dc          0xac       0x4954       4.0978   0x6    RW                 0x10000                    .ctors .dtors .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


• Total Packets: 11
• 443 (HTTPS)
• 80 (HTTP)

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 24, 2025 05:24:36.371484995 CET  43928        443        192.168.2.23    91.189.91.42
Mar 24, 2025 05:24:42.002549887 CET  42836        443        192.168.2.23    91.189.91.43
Mar 24, 2025 05:24:42.770452976 CET  42516        80         192.168.2.23    109.202.202.202
Mar 24, 2025 05:24:55.473830938 CET  39248        443        192.168.2.23    34.249.145.219
Mar 24, 2025 05:24:55.473879099 CET  443          39248      34.249.145.219  192.168.2.23
Mar 24, 2025 05:24:55.474029064 CET  39248        443        192.168.2.23    34.249.145.219
Mar 24, 2025 05:24:55.474267960 CET  39248        443        192.168.2.23    34.249.145.219
Mar 24, 2025 05:24:55.474284887 CET  443          39248      34.249.145.219  192.168.2.23
Mar 24, 2025 05:24:58.128567934 CET  43928        443        192.168.2.23    91.189.91.42
Mar 24, 2025 05:25:08.367189884 CET  42836        443        192.168.2.23    91.189.91.43
Mar 24, 2025 05:25:12.462613106 CET  42516        80         192.168.2.23    109.202.202.202
Mar 24, 2025 05:25:39.083029032 CET  43928        443        192.168.2.23    91.189.91.42
Mar 24, 2025 05:25:55.466717958 CET  39248        443        192.168.2.23    34.249.145.219
Mar 24, 2025 05:25:55.512331963 CET  443          39248      34.249.145.219  192.168.2.23
Mar 24, 2025 05:26:43.761889935 CET  443          39248      34.249.145.219  192.168.2.23

System Behavior

Start time (UTC):04:24:39
Start date (UTC):24/03/2025
Path:/tmp/sh4.elf
Arguments:-
File size:4139976 bytes
MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC):04:25:54
Start date (UTC):24/03/2025
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):04:25:54
Start date (UTC):24/03/2025
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.EkMbrYKkZ7 /tmp/tmp.3pghXFkHAk /tmp/tmp.A1Mym6EFhW
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):04:25:54
Start date (UTC):24/03/2025
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):04:25:54
Start date (UTC):24/03/2025
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.EkMbrYKkZ7 /tmp/tmp.3pghXFkHAk /tmp/tmp.A1Mym6EFhW
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b