Linux Analysis Report
efefa7.elf

Overview

General Information

Sample name:	efefa7.elf
Analysis ID:	1649551
MD5:	7680ab1d5888a665c5d5a1c4be985cd0
SHA1:	6db351e9f2eabb37f8c6b5efbe8dd913340e01ea
SHA256:	a5e3e7a27988bb59e06e7fddd223c803a939a4af9403a0e7f94f1fd35072a3d8
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Manipulation of devices in /dev

Sample deletes itself

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes the "rm" command used to delete files or directories

Found strings indicative of a multi-platform dropper

Sample and/or dropped files contains symbols with suspicious names

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: efefa7.elf

ReversingLabs: Detection: 30%

Source: unknown	HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.168.2.23:33608 -> 54.171.230.55:443 version: TLS 1.2

Found strings indicative of a multi-platform dropper

Source: efefa7.elf

String: /lib/systemd//usr/lib/systemd/system/system/bin//gm/bin//home/process//home/helper/home/davinci/z/bin//mnt/mtd//tmp/sqfs//usr/libexec//usr/sbin//z/zbin//usr/bin/bin//tmp/var/mnt/root/boot/home/dev/media/opt/../(deleted)x86armmipsmpslsh4wgetcurllynxftpftpgettftpscpaflaaarsyncpfclamscanreadelfizsnapstracelsofgdbpmapltraceptracewiresharktsharktcpdumpnetstatssnmaphping3tracerouteiptablesnftfirewalldauditctlselinuxapparmoraptdnfyumzypperpacmanemergebrewportnanovimvinvimgeditkateemacspkillkillallkillsystemctlservicenohuppythonpython3perlrubyluanodebashshkshzshfishvolatilitychkrootkitrkhunterradare2binwalkdockerpodmanlxcqemuvirshvboxmanagemountumountdfdulsblkblkidmkfsfdiskpartedobjdumpstringsxxdhexdumpncnetcatsocatjournalctldmesglogcattaillessgrepawksedtmux%s/%s/data/local/tmp/sbin/dev/null/dev/console/var/lib/dockerkworker/u8:0raw.awaken-network.net/proc/self/cmdline/proc/%d/statusName:-

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: raw.awaken-network.net. [malformed]

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.23:50618 -> 141.98.10.142:7733

Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: global traffic	DNS traffic detected: DNS query: raw.awaken-network.net
Source: global traffic	DNS traffic detected: DNS query: raw.awaken-network.net. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.168.2.23:33608 -> 54.171.230.55:443 version: TLS 1.2

Sample and/or dropped files contains symbols with suspicious names

Source: efefa7.elf

ELF static info symbol of initial sample: __gnu_unwind_execute

Sample tries to kill a process (SIGKILL)

Source: /tmp/efefa7.elf (PID: 6216)

SIGKILL sent: pid: 777, result: successful

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.linELF@0/4@6/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/efefa7.elf (PID: 6220)

Deleted: /dev/null

Jump to behavior

Enumerates processes within the "proc" file system

Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/66/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/66/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/66/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/44/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/44444/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111114/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/111/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/333/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/33333/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/fd	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/777/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/1111/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/2222/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/3333/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/5555/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/4444/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/999/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/999/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/999/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/6666/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/7777/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/8888/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/9999/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/33/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/33/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/33/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/99/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/99/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/99/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/99/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/66666/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/22222/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222226/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/222/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/888/maps	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/888/cmdline	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/888/stat	Jump to behavior
Source: /tmp/efefa7.elf (PID: 6216)	File opened: /proc/11111/maps	Jump to behavior

Executes the "rm" command used to delete files or directories

Source: /usr/bin/dash (PID: 6222)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FO5ZfineMZ /tmp/tmp.v0FO74aAEU /tmp/tmp.XjvKqPdygn			Jump to behavior
Source: /usr/bin/dash (PID: 6231)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FO5ZfineMZ /tmp/tmp.v0FO74aAEU /tmp/tmp.XjvKqPdygn			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/efefa7.elf (PID: 6214)

File: /tmp/efefa7.elf

Jump to behavior

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/efefa7.elf (PID: 6212)

Queries kernel information via 'uname':

Jump to behavior

Source: efefa7.elf	Binary or memory string: /lib/systemd//usr/lib/systemd/system/system/bin//gm/bin//home/process//home/helper/home/davinci/z/bin//mnt/mtd//tmp/sqfs//usr/libexec//usr/sbin//z/zbin//usr/bin/bin//tmp/var/mnt/root/boot/home/dev/media/opt/../(deleted)x86armmipsmpslsh4wgetcurllynxftpftpgettftpscpaflaaarsyncpfclamscanreadelfizsnapstracelsofgdbpmapltraceptracewiresharktsharktcpdumpnetstatssnmaphping3tracerouteiptablesnftfirewalldauditctlselinuxapparmoraptdnfyumzypperpacmanemergebrewportnanovimvinvimgeditkateemacspkillkillallkillsystemctlservicenohuppythonpython3perlrubyluanodebashshkshzshfishvolatilitychkrootkitrkhunterradare2binwalkdockerpodmanlxcqemuvirshvboxmanagemountumountdfdulsblkblkidmkfsfdiskpartedobjdumpstringsxxdhexdumpncnetcatsocatjournalctldmesglogcattaillessgrepawksedtmux%s/%s/data/local/tmp/sbin/dev/null/dev/console/var/lib/dockerkworker/u8:0raw.awaken-network.net/proc/self/cmdline/proc/%d/statusName:-
Source: efefa7.elf, 6212.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.KGNrcW
Source: efefa7.elf, 6212.1.000056330cfea000.000056330d13c000.rw-.sdmp, efefa7.elf, 6214.1.000056330cfea000.000056330d118000.rw-.sdmp, efefa7.elf, 6216.1.000056330cfea000.000056330d118000.rw-.sdmp	Binary or memory string: 3V!/etc/qemu-binfmt/arm
Source: efefa7.elf, 6212.1.000056330cfea000.000056330d13c000.rw-.sdmp, efefa7.elf, 6214.1.000056330cfea000.000056330d118000.rw-.sdmp, efefa7.elf, 6216.1.000056330cfea000.000056330d118000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: efefa7.elf, 6212.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp, efefa7.elf, 6214.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp, efefa7.elf, 6216.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: efefa7.elf, 6212.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp	Binary or memory string: 3V/tmp/qemu-open.KGNrcW:
Source: efefa7.elf, 6214.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: efefa7.elf, 6212.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp, efefa7.elf, 6214.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp, efefa7.elf, 6216.1.00007fff06e6b000.00007fff06e8c000.rw-.sdmp	Binary or memory string: Qx86_64/usr/bin/qemu-arm/tmp/efefa7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/efefa7.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: efefa7.elf, type: SAMPLE

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: efefa7.elf, type: SAMPLE

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
141.98.10.142	raw.awaken-network.net	Lithuania	209605	HOSTBALTICLT	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Contacted Domains

Name	IP	Active
raw.awaken-network.net	141.98.10.142	true
raw.awaken-network.net. [malformed]	unknown	unknown

ID:	1649551
Product:	CloudBasic
Start time:	22:13:18
Start date:	26.03.2025
Sample:	efefa7.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	7680ab1d5888a665c5d5a1c4be985cd0
SHA1:	6db351e9f2eabb37f8c6b5efbe8dd913340e01ea
SHA256:	a5e3e7a27988bb59e06e7fddd223c803a939a4af9403a0e7f94f1fd35072a3d8
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Name	Type	MD5	SHA1	SHA256
/proc/6212/task/6212/comm	very short file (no magic)	336D5EBC5436534E61D16E63DDFCA327	3BC15C8AAE3E4124DD409035F32EA2FD6835EFC9	3973E022E93220F9212C18D0D0C543AE7C309E46640DA93A4A0314DE999F5112
/tmp/qemu-open.Cip1DW (deleted)	ASCII text	FA3D1A0BE47444BB359231FDAC84DF6A	F3FE065CD5EA9465B50FAF8ACC1AF7F1961178AE	2B305CC5A0FB59B5AE58FBD52617A0BAD685C79A86B0BDB5E96EB5A100E93DF7
/tmp/qemu-open.KGNrcW (deleted)	data	EC608269EB51935C1BD57E560756D790	25CE2E55C68C344EF44C1327EBC20DD7FC9D73C2	9E28DB3920A17F3CE14B9B2772D0634993104041DF6FE97588F57034B398B447
/tmp/qemu-open.TPu1FT (deleted)	ASCII text, with no line terminators	589797A87BF61303AAA9E3616F70E255	9D1369A64705687FAE31A21BFB1112B0F95E12D9	77A0343B744561B1386F5FC9FF8AF8E6E2108D866221BAE0E92459DEEDB0D164

Linux Analysis Report
efefa7.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report efefa7.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
efefa7.elf

Malware Threat Intel
Provided by