Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1649597
MD5:1366046eea2f7c5e8c97ee5478ad3747
SHA1:b0eeb664debd2e4e6049835a31494df16feda31a
SHA256:78cf5e1ece9e37590bc15aac032cc0b86c0f27bf714b558e2dd0b07ada3e4c10
Tags:elfuser-abuse_ch
Infos:

Detection

Score:52
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1649597
Start date and time:2025-03-26 23:33:14 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal52.troj.linELF@0/4@2/0

Runtime Messages

Command:/tmp/arm6.elf
PID:5453
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5431, Parent: 3590)
  • rm (PID: 5431, Parent: 3590, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.dBoW6v3ENU /tmp/tmp.UDv5kuaFmQ /tmp/tmp.t7RK1uWwSK
  • dash New Fork (PID: 5432, Parent: 3590)
  • cat (PID: 5432, Parent: 3590, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.dBoW6v3ENU
  • dash New Fork (PID: 5433, Parent: 3590)
  • head (PID: 5433, Parent: 3590, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5434, Parent: 3590)
  • tr (PID: 5434, Parent: 3590, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5435, Parent: 3590)
  • cut (PID: 5435, Parent: 3590, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5437, Parent: 3590)
  • cat (PID: 5437, Parent: 3590, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.dBoW6v3ENU
  • dash New Fork (PID: 5438, Parent: 3590)
  • head (PID: 5438, Parent: 3590, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5439, Parent: 3590)
  • tr (PID: 5439, Parent: 3590, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5440, Parent: 3590)
  • cut (PID: 5440, Parent: 3590, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5441, Parent: 3590)
  • rm (PID: 5441, Parent: 3590, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.dBoW6v3ENU /tmp/tmp.UDv5kuaFmQ /tmp/tmp.t7RK1uWwSK
  • arm6.elf (PID: 5453, Parent: 5348, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
    • arm6.elf New Fork (PID: 5456, Parent: 5453)
  • cleanup

Yara Signatures

No yara matches

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • AV Detection
  • Networking
  • System Summary
  • Persistence and Installation Behavior
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: arm6.elfVirustotal: Detection: 22%Perma Link
Source: arm6.elfReversingLabs: Detection: 19%
Source: /tmp/arm6.elf (PID: 5456)Socket: 127.0.0.1:22448Jump to behavior
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal52.troj.linELF@0/4@2/0

Persistence and Installation Behavior

barindex
Source: /tmp/arm6.elf (PID: 5453)File: /proc/5453/mountsJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/5265/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/5265/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/5265/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/230/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/110/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/231/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/111/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/232/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3639/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3639/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3639/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/112/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/233/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/113/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/234/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/114/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/235/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/115/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/236/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/116/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/237/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/117/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/238/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/118/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/239/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/119/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/914/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/914/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/914/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/10/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/917/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/917/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/917/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/11/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/12/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/13/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/14/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/15/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/16/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/17/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/18/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3651/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/19/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/240/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3095/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3095/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3095/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/120/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/241/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/121/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/242/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1/mapsJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/122/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/243/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/2/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/123/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/244/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/124/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/245/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1588/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1588/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1588/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/125/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/4/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/246/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/126/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/5/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/247/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/127/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/6/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/248/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/128/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/7/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/249/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/129/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/8/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/800/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/800/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/800/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/9/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1906/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1906/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/1906/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/802/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/802/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/802/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/803/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/803/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/803/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/20/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/21/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/22/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/23/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/24/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/25/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/26/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/27/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/28/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/29/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3420/cmdlineJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3420/fdJump to behavior
Source: /tmp/arm6.elf (PID: 5453)File opened: /proc/3420/cmdlineJump to behavior
Source: /usr/bin/dash (PID: 5431)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dBoW6v3ENU /tmp/tmp.UDv5kuaFmQ /tmp/tmp.t7RK1uWwSKJump to behavior
Source: /usr/bin/dash (PID: 5441)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dBoW6v3ENU /tmp/tmp.UDv5kuaFmQ /tmp/tmp.t7RK1uWwSKJump to behavior
Source: /tmp/arm6.elf (PID: 5453)Queries kernel information via 'uname': Jump to behavior
Source: arm6.elf, 5456.1.00007ffa9803c000.00007ffa98043000.rw-.sdmpBinary or memory string: vmware
Source: arm6.elf, 5453.1.000055d06ca91000.000055d06cbff000.rw-.sdmp, arm6.elf, 5456.1.000055d06ca91000.000055d06cbdf000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: arm6.elf, 5453.1.00007ffa9803c000.00007ffa98043000.rw-.sdmp, arm6.elf, 5456.1.00007ffa9803c000.00007ffa98043000.rw-.sdmpBinary or memory string: qemu-arm
Source: arm6.elf, 5456.1.00007fffb223b000.00007fffb225c000.rw-.sdmpBinary or memory string: Uqemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 5453.1.00007fffb223b000.00007fffb225c000.rw-.sdmpBinary or memory string: U/tmp/qemu-open.h9Bllx:U
Source: arm6.elf, 5453.1.000055d06ca91000.000055d06cbff000.rw-.sdmp, arm6.elf, 5456.1.000055d06ca91000.000055d06cbdf000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: arm6.elf, 5453.1.00007fffb223b000.00007fffb225c000.rw-.sdmp, arm6.elf, 5456.1.00007fffb223b000.00007fffb225c000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: arm6.elf, 5453.1.00007fffb223b000.00007fffb225c000.rw-.sdmp, arm6.elf, 5456.1.00007fffb223b000.00007fffb225c000.rw-.sdmpBinary or memory string: Hx86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
Source: arm6.elf, 5453.1.00007fffb223b000.00007fffb225c000.rw-.sdmpBinary or memory string: /tmp/qemu-open.h9Bllx
Source: arm6.elf, 5456.1.00007fffb223b000.00007fffb225c000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 5453.1.00007ffa9803c000.00007ffa98043000.rw-.sdmp, arm6.elf, 5456.1.00007ffa9803c000.00007ffa98043000.rw-.sdmpBinary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion		1
OS Credential Dumping		11
Security Software Discovery		Remote ServicesData from Local System1
Non-Application Layer Protocol		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable Media1
Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649597 Sample: arm6.elf Startdate: 26/03/2025 Architecture: LINUX Score: 52 18 daisy.ubuntu.com 2->18 20 Multi AV Scanner detection for submitted file 2->20 7 dash rm arm6.elf 2->7         started        10 dash rm 2->10         started        12 dash cat 2->12         started        14 7 other processes 2->14 signatures3 process4 signatures5 22 Sample reads /proc/mounts (often used for finding a writable filesystem) 7->22 16 arm6.elf 7->16         started        process6

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
arm6.elf23%VirustotalBrowse
arm6.elf19%ReversingLabsLinux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.24
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    daisy.ubuntu.comsh4.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    eehah4.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    arm.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    W3vOaER1Rg.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    efea6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    vejfa5.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    efefa7.elfGet hashmaliciousMiraiBrowse
    • 162.213.35.25
    jfeeps.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.25
    arm6.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24
    rjfe686.elfGet hashmaliciousUnknownBrowse
    • 162.213.35.24

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    Process:/tmp/arm6.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:Tgj03:Tgw3
    MD5:3F57B2990E079DDED19A289B2C2D9845
    SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
    SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
    SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm6.elf.
    Process:/tmp/arm6.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:Tgj03:Tgw3
    MD5:3F57B2990E079DDED19A289B2C2D9845
    SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
    SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
    SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm6.elf.
    Process:/tmp/arm6.elf
    File Type:ASCII text
    Category:dropped
    Size (bytes):355
    Entropy (8bit):3.8269759440615907
    Encrypted:false
    SSDEEP:6:G2XCY/VUC/FY2XLKWiY/V/3VVyAb/rVmsVot/VOArB/VH:AC/FLKW1VIAbyl
    MD5:1ABF4BF90B9AAA549CEB284CFAE00B95
    SHA1:C2A6A6B3E96EA72BD506BEB2B5C7987DD520645F
    SHA-256:093D59112581AC7D36EEFC6C165AFC1B530AAE548A2E0D76291363E2F078DE72
    SHA-512:EBAF05273A446487D1B50DC080E35762777DF6B585D1E31A67AD73D8DDC9DF2C5B768E9BDAE5BC58193FB27A11972BDDAACEA867665AF978A3C7556F74670030
    Malicious:false
    Reputation:low
    Preview:8000-24000 r-xp 00000000 fd:00 531601 /tmp/arm6.elf.2c000-2d000 rw-p 0001c000 fd:00 531601 /tmp/arm6.elf.2d000-34000 rw-p 00000000 00:00 0 .ff7ee000-ff7ef000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so.ff7ef000-ff7f0000 ---p 00000000 00:00 0 .ff7f0000-ffff0000 rw-p 00000000 00:00 0 [stack].
    Process:/tmp/arm6.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:Tgj03:Tgw3
    MD5:3F57B2990E079DDED19A289B2C2D9845
    SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
    SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
    SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm6.elf.

    Static File Info

    General

    File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, stripped
    Entropy (8bit):6.053423330058362
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:arm6.elf
    File size:115'520 bytes
    MD5:1366046eea2f7c5e8c97ee5478ad3747
    SHA1:b0eeb664debd2e4e6049835a31494df16feda31a
    SHA256:78cf5e1ece9e37590bc15aac032cc0b86c0f27bf714b558e2dd0b07ada3e4c10
    SHA512:cec32b1e14aac94ecf994fdb7312be1e2326ee99f7c0e44ce4e67dd29ce62929236e450995809652efdd1d7c9bb101f3fa1dda15ffb22cd1d78b8610e845dc91
    SSDEEP:3072:B0hpxkITrf7nEUt4aSeFRKL2RuBRb6GNsOt1zSnd:B0hpiIDnEUt4azYcIRbhNT1c
    TLSH:6FB3E899B8409F66C6D116BFFE5E928D33231BB8E3DA3106DD156F2037CA95A0E3B441
    File Content Preview:.ELF..............(.....l...4...8.......4. ...(..............7...7......................................................................|I...........................................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:ARM
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x816c
    Flags:0x4000002
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:4
    Section Header Offset:115000
    Section Header Size:40
    Number of Section Headers:13
    Header String Table Index:12

    Sections

    NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
    NULL0x00x00x00x00x0000
    .initPROGBITS0x80b40xb40x140x00x6AX001
    .textPROGBITS0x80c80xc80x19bac0x00x6AX004
    .finiPROGBITS0x21c740x19c740x140x00x6AX001
    .rodataPROGBITS0x21c880x19c880x1a800x00x2A004
    .ARM.exidxARM_EXIDX0x237080x1b7080xc80x00x82AL204
    .eh_framePROGBITS0x2c0000x1c0000x40x00x3WA004
    .init_arrayINIT_ARRAY0x2c0040x1c0040x40x00x3WA004
    .fini_arrayFINI_ARRAY0x2c0080x1c0080x40x00x3WA004
    .gotPROGBITS0x2c0100x1c0100x280x40x3WA004
    .dataPROGBITS0x2c0380x1c0380x9c0x00x3WA004
    .bssNOBITS0x2c0d80x1c0d40x48a40x00x3WA008
    .shstrtabSTRTAB0x00x1c0d40x620x00x0001

    Program Segments

    TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
    DYNAMIC0x1b7080x237080x237080xc80xc84.26560x4R 0x4.ARM.exidx
    LOAD0x00x80000x80000x1b7d00x1b7d06.12680x5R E0x8000.init .text .fini .rodata .ARM.exidx
    LOAD0x1c0000x2c0000x2c0000xd40x497c3.59510x6RW 0x8000.eh_frame .init_array .fini_array .got .data .bss
    DYNAMIC0x00x00x00x00x00.00000x7RWE0x4

    Network Behavior

    Download Network PCAP: filteredfull

    TimestampSource PortDest PortSource IPDest IP
    Mar 26, 2025 23:34:09.192338943 CET5783253192.168.2.138.8.8.8
    Mar 26, 2025 23:34:09.192418098 CET4666853192.168.2.138.8.8.8
    Mar 26, 2025 23:34:09.277407885 CET53466688.8.8.8192.168.2.13
    Mar 26, 2025 23:34:09.277436972 CET53578328.8.8.8192.168.2.13

    DNS Queries

    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
    Mar 26, 2025 23:34:09.192338943 CET192.168.2.138.8.8.80x53d5Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
    Mar 26, 2025 23:34:09.192418098 CET192.168.2.138.8.8.80x1254Standard query (0)daisy.ubuntu.com28IN (0x0001)false

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Mar 26, 2025 23:34:09.277436972 CET8.8.8.8192.168.2.130x53d5No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false
    Mar 26, 2025 23:34:09.277436972 CET8.8.8.8192.168.2.130x53d5No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false

    System Behavior

    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/rm
    Arguments:rm -f /tmp/tmp.dBoW6v3ENU /tmp/tmp.UDv5kuaFmQ /tmp/tmp.t7RK1uWwSK
    File size:72056 bytes
    MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/cat
    Arguments:cat /tmp/tmp.dBoW6v3ENU
    File size:43416 bytes
    MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/head
    Arguments:head -n 10
    File size:47480 bytes
    MD5 hash:fd96a67145172477dd57131396fc9608

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/tr
    Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
    File size:51544 bytes
    MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/cut
    Arguments:cut -c -80
    File size:47480 bytes
    MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/cat
    Arguments:cat /tmp/tmp.dBoW6v3ENU
    File size:43416 bytes
    MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/head
    Arguments:head -n 10
    File size:47480 bytes
    MD5 hash:fd96a67145172477dd57131396fc9608

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/tr
    Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
    File size:51544 bytes
    MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

    File Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:58
    Start date (UTC):26/03/2025
    Path:/usr/bin/cut
    Arguments:cut -c -80
    File size:47480 bytes
    MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

    File Activities


    General

    Start time (UTC):22:33:59
    Start date (UTC):26/03/2025
    Path:/usr/bin/dash
    Arguments:-
    File size:129816 bytes
    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

    Process Activities


    General

    Start time (UTC):22:33:59
    Start date (UTC):26/03/2025
    Path:/usr/bin/rm
    Arguments:rm -f /tmp/tmp.dBoW6v3ENU /tmp/tmp.UDv5kuaFmQ /tmp/tmp.t7RK1uWwSK
    File size:72056 bytes
    MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

    File Activities


    General

    Start time (UTC):22:34:04
    Start date (UTC):26/03/2025
    Path:/tmp/arm6.elf
    Arguments:/tmp/arm6.elf
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

    File Activities

    Process Activities

    System Activities

    Network Activities


    General

    Start time (UTC):22:34:06
    Start date (UTC):26/03/2025
    Path:/tmp/arm6.elf
    Arguments:-
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

    File Activities

    Process Activities

    Network Activities