Edit tour

Linux Analysis Report
x86_64.elf

Overview

General Information

Sample name:	x86_64.elf
Analysis ID:	1648820
MD5:	e0c5cc0f56bbf5e42ea4c897696231e0
SHA1:	d0f7d6a70d8cc1d4dc7aed4d229e073bb2c8cc75
SHA256:	74d859cb45c7c3b604f15f1151b4bc247a0acc2c6852feca5abfbd9c7a912a74
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sends malformed DNS queries

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1648820
Start date and time:	2025-03-26 08:39:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	x86_64.elf
Detection:	MAL
Classification:	mal56.troj.evad.linELF@0/1@29/0

Runtime Messages

Command:	/tmp/x86_64.elf
PID:	5437
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	skidmark botnet
Standard Error:

Process Tree

system is lnxubuntu20

x86_64.elf (PID: 5437, Parent: 5359, MD5: e0c5cc0f56bbf5e42ea4c897696231e0) Arguments: /tmp/x86_64.elf

x86_64.elf New Fork (PID: 5438, Parent: 5437)

x86_64.elf New Fork (PID: 5439, Parent: 5438)

x86_64.elf New Fork (PID: 5440, Parent: 5438)

x86_64.elf New Fork (PID: 5441, Parent: 5438)

dash New Fork (PID: 5444, Parent: 3582)

rm (PID: 5444, Parent: 3582, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.lacvsLv5BI /tmp/tmp.1XICa3hV7v /tmp/tmp.1RnJZEoQb5

dash New Fork (PID: 5445, Parent: 3582)

rm (PID: 5445, Parent: 3582, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.lacvsLv5BI /tmp/tmp.1XICa3hV7v /tmp/tmp.1RnJZEoQb5

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: x86_64.elf	Virustotal: Detection: 7%			Perma Link
Source: x86_64.elf	ReversingLabs: Detection: 19%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: solarwhale.dyn. [malformed]

Source: /tmp/x86_64.elf (PID: 5437)

Socket: 127.0.0.1:47845

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.13:54636 -> 34.254.182.186:443

Source: unknown	TCP traffic detected without corresponding DNS query: 34.254.182.186
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	TCP traffic detected without corresponding DNS query: 175.30.53.20
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 94.16.114.254
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown	UDP traffic detected without corresponding DNS query: 178.254.22.166

Source: global traffic	DNS traffic detected: DNS query: echohorizon.dyn
Source: global traffic	DNS traffic detected: DNS query: solarwhale.dyn. [malformed]

Source: x86_64.elf

String found in binary or memory: http://upx.sf.net

Source: unknown

Network traffic detected: HTTP traffic on port 54636 -> 443

Source: LOAD without section mappings

Program segment: 0x400000

Source: /tmp/x86_64.elf (PID: 5440)

SIGKILL sent: pid: 3686, result: successful

Jump to behavior

Source: classification engine

Classification label: mal56.troj.evad.linELF@0/1@29/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 5.00 Copyright (C) 1996-2025 the UPX Team. All Rights Reserved. $

Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/5383/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/5278/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/3646/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/x86_64.elf (PID: 5440)	File opened: /proc/3777/cmdline	Jump to behavior

Source: /usr/bin/dash (PID: 5444)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.lacvsLv5BI /tmp/tmp.1XICa3hV7v /tmp/tmp.1RnJZEoQb5			Jump to behavior
Source: /usr/bin/dash (PID: 5445)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.lacvsLv5BI /tmp/tmp.1XICa3hV7v /tmp/tmp.1RnJZEoQb5			Jump to behavior

Source: x86_64.elf	Submission file: segment LOAD with 7.8076 entropy (max. 8.0)
Source: x86_64.elf	Submission file: segment LOAD with 7.9783 entropy (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86_64.elf	8%	Virustotal		Browse
x86_64.elf	19%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
echohorizon.dyn	unknown	unknown	false		high
solarwhale.dyn. [malformed]	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	x86_64.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
175.30.53.20	unknown	China		4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
34.254.182.186	unknown	United States		16509	AMAZON-02US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
175.30.53.20	i686.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	x86.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	gjsoX84ZOy.elf	Get hash	malicious	Mirai	Browse
	skwXrj6q72.elf	Get hash	malicious	Unknown	Browse
	VqY324s7TO.elf	Get hash	malicious	Unknown	Browse
34.254.182.186	morte.arm5.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	ppc.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse
	tarm5.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	Inquiry Purchase Order 25.03.2025.js	Get hash	malicious	FormBook	Browse	13.248.169.48
	CEKA RFQ IND18042128.xls.vbs	Get hash	malicious	FormBook	Browse	52.217.163.218
	https://bafkreid3spujifazpolzpws2zk5tjxpdvw52r5kyca5fumyn5avau4pzsa.ipfs.dweb.link/#ixxx@dhl.com	Get hash	malicious	HTMLPhisher	Browse	176.32.108.185
	E1AcRCtgSA.exe	Get hash	malicious	Unknown	Browse	18.238.49.124
	https://tracking.vocus.io/link?id=9f3c0089-0991-4e0a-8d31-6f4ff071a629&url=https%3A%2F%2Fbusinessappealsupport-suite.com#user_email=llinos.coe@dentsu.com&fname=Llinos&lname=Coe	Get hash	malicious	Unknown	Browse	54.187.103.82
	i686.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	34.243.160.129
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
CHINANET-BACKBONENo31Jin-rongStreetCN	i686.elf	Get hash	malicious	Unknown	Browse	175.30.53.20
	arm7.elf	Get hash	malicious	Unknown	Browse	175.30.53.20
	x86.elf	Get hash	malicious	Unknown	Browse	175.30.53.20
	https://energy-innovation-4916.my.salesforce-sites.com/enr	Get hash	malicious	HTMLPhisher	Browse	63.140.39.248
	https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://tucansport.com/sample-page/&ved=2ahUKEwjQ8uXI8KWMAxXnRzABHZNPGggQFnoECBcQAQ&usg=AOvVaw0aeev5ilte-Y3jh1kJeCpR	Get hash	malicious	Unknown	Browse	63.140.38.112
	http://hak5.com	Get hash	malicious	Unknown	Browse	63.140.39.22
	arm.elf	Get hash	malicious	Gafgyt, Okiru	Browse	183.144.215.77
	ppc.elf	Get hash	malicious	Okiru	Browse	114.220.169.100
	mips.elf	Get hash	malicious	Gafgyt, Okiru	Browse	171.93.227.232
	m68k.elf	Get hash	malicious	Gafgyt, Okiru	Browse	222.209.183.103

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/memfd:upX (deleted)

Download File

Process:	/tmp/x86_64.elf
File Type:	Unknown
Category:	dropped
Size (bytes):	5673
Entropy (8bit):	6.428779669660604
Encrypted:	false
SSDEEP:	96:e5Lp6hF8/EcH6J3XOUyshRjClY55kyUx7P2EbfOlDhS+dY64At7S1TBIa+tej72S:eX6hvJ3XOUygRClq5kyUxaVXFaLF
MD5:	BD2B3E20445C1B065DCB4B93520D62AC
SHA1:	A68FBE63EEDB549D1ACCFF7D5BB10D60C67A9513
SHA-256:	580DCE9DB5ECC5A899681755E0DF79E4FE4A57FB062207338F067F2D6D7DDD91
SHA-512:	64A402E3E53D9F87C5C1799959013A328A9DD8D7248599FE32A6CAB0229A7520E9DA6C4C68DC38A08DF0B2F32ECA001F3ACA45CF30ABEADE5F738C6F8E3A8199
Malicious:	false
Reputation:	low
Preview:	............L.m0L.....E.H...E0.u.H......H..j.Y.H.H.>.H.u.I...E0.u.H.H.>.H.u.I..H..H.>.H.H.u.I..I..I)..E0.t....I...rWH.=....)..}.....^.....jYX....y.W^j.X..I.}....H.t...H..... =I.>H...L..H).H...I.w...1....H).I..H....H.H.g..K.L&._^H...AXD.....H..I).M..H......H...z...H........H.D$.I......L.......L........x.M).A..j.Yj.Z.....)..F........._^j.XA.&H.......QH9.L.G.H.J.s.......t...H...t.A...H..I....H....H.W.H).X.UH..SH..H..(H.>.......H.t$......H.......D$..T$...u...UPX!u.H.;...........u...........9.w..H;M.w.9.H.u.s3H.{.H.T$.H.L$.H.........u.D$.H9D$.u..D$.H.C.H)...H.....H........T$.H.E.H.U.H).H..H.E..J...H..([].H..APtP@...uJE1.1.H..A..L9.u...H.W...H...u.I...!H..u...u.M..t.M..I.P.........6...H....^.ATA..I...S..E1.H......H......H...D..L..A....2....H..L..H....H......[A\.AWAVI..AUATUSH.....L.w H...T$TH.\|$`H.t$XH.L$HL.D$@H.D$h....H.D$8......W.t3I.8H.G@H+xHf...u.H.x...H.\|$8H.p(H..>H.D$h.f....,...f...H.T$`.....A.....H.D$0....L..D.D.I...E1...j8D.T$.....D.T$.H....x@.;.u3H.S(H..t*H.C.L9.L.B

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.97602673075889
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	x86_64.elf
File size:	30'052 bytes
MD5:	e0c5cc0f56bbf5e42ea4c897696231e0
SHA1:	d0f7d6a70d8cc1d4dc7aed4d229e073bb2c8cc75
SHA256:	74d859cb45c7c3b604f15f1151b4bc247a0acc2c6852feca5abfbd9c7a912a74
SHA512:	4c834b08e6c93374f3a1558384cc43e81d770bda8a49fcb6793828f9fd4ef90f02c335ec39e1c06600c45bbdf0d36e414eb10193d47fe116b8f22b0b8e00d948
SSDEEP:	768:t2yyVbNJ7xXAV5SvLbOAdY/DO7SIMJ4T+G8L1MOrCW:rgbruVEHdYDHxJnv+W
TLSH:	5ED2E0D97FB50B1BC82B91725D8D8B14FB29058BEE14550D0E8BE28D301BA61B352FDE
File Content Preview:	.ELF..............>......c`.....@...................@.8...........................@.......@...............................................`.......`.....bt......bt..............Q.td........................................................UPX!...............

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x6063d0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	0
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x1000	0x110e08	7.8076	0x6	RW	0x100000
LOAD	0x0	0x600000	0x600000	0x7462	0x7462	7.9783	0x5	R E	0x100000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 54
• 443 (HTTPS)
• 53 (DNS)
• 23 (Telnet)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 08:39:51.392297029 CET	54636	443	192.168.2.13	34.254.182.186
Mar 26, 2025 08:39:53.190143108 CET	44456	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:39:54.208240986 CET	44456	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:39:56.224234104 CET	44456	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:00.352236986 CET	44456	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:03.570426941 CET	44458	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:04.576452971 CET	44458	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:06.596230984 CET	44458	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:10.848283052 CET	44458	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:14.448143005 CET	44460	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:15.456248045 CET	44460	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:17.472376108 CET	44460	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:21.600275993 CET	44460	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:49.480556965 CET	44462	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:50.496279001 CET	44462	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:52.512285948 CET	44462	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:40:56.672272921 CET	44462	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:00.401113033 CET	44464	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:01.408292055 CET	44464	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:03.424491882 CET	44464	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:07.680298090 CET	44464	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:35.432969093 CET	44466	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:36.448329926 CET	44466	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:38.464391947 CET	44466	23	192.168.2.13	175.30.53.20
Mar 26, 2025 08:41:42.496345043 CET	44466	23	192.168.2.13	175.30.53.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 08:39:52.649507999 CET	46603	53	192.168.2.13	134.195.4.2
Mar 26, 2025 08:39:52.758764982 CET	53	46603	134.195.4.2	192.168.2.13
Mar 26, 2025 08:39:52.770158052 CET	42344	53	192.168.2.13	134.195.4.2
Mar 26, 2025 08:39:52.880680084 CET	53	42344	134.195.4.2	192.168.2.13
Mar 26, 2025 08:39:52.883649111 CET	33772	53	192.168.2.13	134.195.4.2
Mar 26, 2025 08:39:52.984123945 CET	53	33772	134.195.4.2	192.168.2.13
Mar 26, 2025 08:39:52.986552000 CET	55103	53	192.168.2.13	134.195.4.2
Mar 26, 2025 08:39:53.086424112 CET	53	55103	134.195.4.2	192.168.2.13
Mar 26, 2025 08:39:53.088944912 CET	57222	53	192.168.2.13	134.195.4.2
Mar 26, 2025 08:39:53.188935041 CET	53	57222	134.195.4.2	192.168.2.13
Mar 26, 2025 08:40:03.392976046 CET	34809	53	192.168.2.13	51.158.108.203
Mar 26, 2025 08:40:03.569886923 CET	53	34809	51.158.108.203	192.168.2.13
Mar 26, 2025 08:40:13.581722975 CET	37417	53	192.168.2.13	195.10.195.195
Mar 26, 2025 08:40:13.751852989 CET	53	37417	195.10.195.195	192.168.2.13
Mar 26, 2025 08:40:13.752598047 CET	46662	53	192.168.2.13	195.10.195.195
Mar 26, 2025 08:40:13.923856020 CET	53	46662	195.10.195.195	192.168.2.13
Mar 26, 2025 08:40:13.929987907 CET	59157	53	192.168.2.13	195.10.195.195
Mar 26, 2025 08:40:14.101495028 CET	53	59157	195.10.195.195	192.168.2.13
Mar 26, 2025 08:40:14.102416039 CET	55769	53	192.168.2.13	195.10.195.195
Mar 26, 2025 08:40:14.277589083 CET	53	55769	195.10.195.195	192.168.2.13
Mar 26, 2025 08:40:14.278347969 CET	34348	53	192.168.2.13	195.10.195.195
Mar 26, 2025 08:40:14.447653055 CET	53	34348	195.10.195.195	192.168.2.13
Mar 26, 2025 08:40:24.460546017 CET	39514	53	192.168.2.13	94.16.114.254
Mar 26, 2025 08:40:29.463186026 CET	34835	53	192.168.2.13	94.16.114.254
Mar 26, 2025 08:40:34.469377995 CET	60530	53	192.168.2.13	94.16.114.254
Mar 26, 2025 08:40:39.472834110 CET	54223	53	192.168.2.13	94.16.114.254
Mar 26, 2025 08:40:44.477444887 CET	42883	53	192.168.2.13	94.16.114.254
Mar 26, 2025 08:40:59.492213964 CET	34597	53	192.168.2.13	81.169.136.222
Mar 26, 2025 08:40:59.675957918 CET	53	34597	81.169.136.222	192.168.2.13
Mar 26, 2025 08:40:59.676903963 CET	49385	53	192.168.2.13	81.169.136.222
Mar 26, 2025 08:40:59.852637053 CET	53	49385	81.169.136.222	192.168.2.13
Mar 26, 2025 08:40:59.853662014 CET	57073	53	192.168.2.13	81.169.136.222
Mar 26, 2025 08:41:00.041307926 CET	53	57073	81.169.136.222	192.168.2.13
Mar 26, 2025 08:41:00.042505026 CET	43517	53	192.168.2.13	81.169.136.222
Mar 26, 2025 08:41:00.217753887 CET	53	43517	81.169.136.222	192.168.2.13
Mar 26, 2025 08:41:00.219156027 CET	58995	53	192.168.2.13	81.169.136.222
Mar 26, 2025 08:41:00.400163889 CET	53	58995	81.169.136.222	192.168.2.13
Mar 26, 2025 08:41:10.412321091 CET	39003	53	192.168.2.13	51.254.162.59
Mar 26, 2025 08:41:15.418194056 CET	44155	53	192.168.2.13	51.254.162.59
Mar 26, 2025 08:41:20.421107054 CET	35726	53	192.168.2.13	51.254.162.59
Mar 26, 2025 08:41:25.425604105 CET	44759	53	192.168.2.13	51.254.162.59
Mar 26, 2025 08:41:30.429544926 CET	44193	53	192.168.2.13	51.254.162.59
Mar 26, 2025 08:41:45.441391945 CET	55327	53	192.168.2.13	178.254.22.166
Mar 26, 2025 08:41:50.445851088 CET	45231	53	192.168.2.13	178.254.22.166
Mar 26, 2025 08:41:55.449186087 CET	43554	53	192.168.2.13	178.254.22.166

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 26, 2025 08:39:52.649507999 CET	192.168.2.13	134.195.4.2	0xf5a2	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:52.770158052 CET	192.168.2.13	134.195.4.2	0xf5a2	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:52.883649111 CET	192.168.2.13	134.195.4.2	0xf5a2	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:52.986552000 CET	192.168.2.13	134.195.4.2	0xf5a2	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:53.088944912 CET	192.168.2.13	134.195.4.2	0xf5a2	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:03.392976046 CET	192.168.2.13	51.158.108.203	0xbba4	Standard query (0)	solarwhale.dyn. [malformed]	256	339	false
Mar 26, 2025 08:40:13.581722975 CET	192.168.2.13	195.10.195.195	0xc24c	Standard query (0)	solarwhale.dyn. [malformed]	256	349	false
Mar 26, 2025 08:40:13.752598047 CET	192.168.2.13	195.10.195.195	0xc24c	Standard query (0)	solarwhale.dyn. [malformed]	256	349	false
Mar 26, 2025 08:40:13.929987907 CET	192.168.2.13	195.10.195.195	0xc24c	Standard query (0)	solarwhale.dyn. [malformed]	256	350	false
Mar 26, 2025 08:40:14.102416039 CET	192.168.2.13	195.10.195.195	0xc24c	Standard query (0)	solarwhale.dyn. [malformed]	256	350	false
Mar 26, 2025 08:40:14.278347969 CET	192.168.2.13	195.10.195.195	0xc24c	Standard query (0)	solarwhale.dyn. [malformed]	256	350	false
Mar 26, 2025 08:40:24.460546017 CET	192.168.2.13	94.16.114.254	0xa323	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:29.463186026 CET	192.168.2.13	94.16.114.254	0xa323	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:34.469377995 CET	192.168.2.13	94.16.114.254	0xa323	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:39.472834110 CET	192.168.2.13	94.16.114.254	0xa323	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:44.477444887 CET	192.168.2.13	94.16.114.254	0xa323	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:59.492213964 CET	192.168.2.13	81.169.136.222	0xcc37	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:59.676903963 CET	192.168.2.13	81.169.136.222	0xcc37	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:59.853662014 CET	192.168.2.13	81.169.136.222	0xcc37	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:00.042505026 CET	192.168.2.13	81.169.136.222	0xcc37	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:00.219156027 CET	192.168.2.13	81.169.136.222	0xcc37	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:10.412321091 CET	192.168.2.13	51.254.162.59	0x1204	Standard query (0)	solarwhale.dyn. [malformed]	256	411	false
Mar 26, 2025 08:41:15.418194056 CET	192.168.2.13	51.254.162.59	0x1204	Standard query (0)	solarwhale.dyn. [malformed]	256	416	false
Mar 26, 2025 08:41:20.421107054 CET	192.168.2.13	51.254.162.59	0x1204	Standard query (0)	solarwhale.dyn. [malformed]	256	421	false
Mar 26, 2025 08:41:25.425604105 CET	192.168.2.13	51.254.162.59	0x1204	Standard query (0)	solarwhale.dyn. [malformed]	256	426	false
Mar 26, 2025 08:41:30.429544926 CET	192.168.2.13	51.254.162.59	0x1204	Standard query (0)	solarwhale.dyn. [malformed]	256	431	false
Mar 26, 2025 08:41:45.441391945 CET	192.168.2.13	178.254.22.166	0xc25a	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:50.445851088 CET	192.168.2.13	178.254.22.166	0xc25a	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:55.449186087 CET	192.168.2.13	178.254.22.166	0xc25a	Standard query (0)	echohorizon.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 26, 2025 08:39:52.758764982 CET	134.195.4.2	192.168.2.13	0xf5a2	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:52.880680084 CET	134.195.4.2	192.168.2.13	0xf5a2	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:52.984123945 CET	134.195.4.2	192.168.2.13	0xf5a2	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:53.086424112 CET	134.195.4.2	192.168.2.13	0xf5a2	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:39:53.188935041 CET	134.195.4.2	192.168.2.13	0xf5a2	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:03.569886923 CET	51.158.108.203	192.168.2.13	0xbba4	Format error (1)	solarwhale.dyn. [malformed]	none	none	256	339	false
Mar 26, 2025 08:40:59.675957918 CET	81.169.136.222	192.168.2.13	0xcc37	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:40:59.852637053 CET	81.169.136.222	192.168.2.13	0xcc37	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:00.041307926 CET	81.169.136.222	192.168.2.13	0xcc37	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:00.217753887 CET	81.169.136.222	192.168.2.13	0xcc37	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false
Mar 26, 2025 08:41:00.400163889 CET	81.169.136.222	192.168.2.13	0xcc37	Format error (1)	echohorizon.dyn	none	none	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: x86_64.elf PID: 5437, Parent PID: 5359

General

Start time (UTC):	07:39:51
Start date (UTC):	26/03/2025
Path:	/tmp/x86_64.elf
Arguments:	/tmp/x86_64.elf
File size:	30052 bytes
MD5 hash:	e0c5cc0f56bbf5e42ea4c897696231e0

File Activities

File Opened

File Truncated

File Written

Process Activities

Process Forked

Prctl Requested

Network Activities

Socket Listening

Chronological Activities

Analysis Process: x86_64.elf PID: 5438, Parent PID: 5437

General

Start time (UTC):	07:39:51
Start date (UTC):	26/03/2025
Path:	/tmp/x86_64.elf
Arguments:	-
File size:	30052 bytes
MD5 hash:	e0c5cc0f56bbf5e42ea4c897696231e0

Process Activities

Process Forked

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: x86_64.elf PID: 5439, Parent PID: 5438

General

Start time (UTC):	07:39:51
Start date (UTC):	26/03/2025
Path:	/tmp/x86_64.elf
Arguments:	-
File size:	30052 bytes
MD5 hash:	e0c5cc0f56bbf5e42ea4c897696231e0

File Activities

File Opened

File Read

Directory Enumerated

Process Activities

Thread Sleep

Chronological Activities

Analysis Process: x86_64.elf PID: 5440, Parent PID: 5438

General

Start time (UTC):	07:39:51
Start date (UTC):	26/03/2025
Path:	/tmp/x86_64.elf
Arguments:	-
File size:	30052 bytes
MD5 hash:	e0c5cc0f56bbf5e42ea4c897696231e0

File Activities

File Opened

File Read

Directory Enumerated

Process Activities

Signal Sent

Thread Sleep

Chronological Activities

Analysis Process: x86_64.elf PID: 5441, Parent PID: 5438

General

Start time (UTC):	07:39:51
Start date (UTC):	26/03/2025
Path:	/tmp/x86_64.elf
Arguments:	-
File size:	30052 bytes
MD5 hash:	e0c5cc0f56bbf5e42ea4c897696231e0

File Activities

File Opened

Directory Enumerated

Process Activities

Thread Sleep

Chronological Activities

Analysis Process: dash PID: 5444, Parent PID: 3582

General

Start time (UTC):	07:39:54
Start date (UTC):	26/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5444, Parent PID: 3582

General

Start time (UTC):	07:39:54
Start date (UTC):	26/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.lacvsLv5BI /tmp/tmp.1XICa3hV7v /tmp/tmp.1RnJZEoQb5
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 5445, Parent PID: 3582

General

Start time (UTC):	07:39:54
Start date (UTC):	26/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5445, Parent PID: 3582

General

Start time (UTC):	07:39:54
Start date (UTC):	26/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.lacvsLv5BI /tmp/tmp.1XICa3hV7v /tmp/tmp.1RnJZEoQb5
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86_64.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/memfd:upX (deleted)

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: x86_64.elf PID: 5437, Parent PID: 5359

General

File Activities

File Opened

File Truncated

File Written

Process Activities

Process Forked

Prctl Requested

Network Activities

Socket Listening

Chronological Activities

Analysis Process: x86_64.elf PID: 5438, Parent PID: 5437

General

Process Activities

Process Forked

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: x86_64.elf PID: 5439, Parent PID: 5438

General

File Activities

Linux Analysis Report
x86_64.elf