Edit tour

Linux Analysis Report
ppc.elf

Overview

General Information

Sample name:	ppc.elf
Analysis ID:	1649605
MD5:	c824fa5ad8c06656ff213f840a5a2706
SHA1:	727a9060993ca8d82b6a9a6d5d13e66164cf4265
SHA256:	8903fe9cf6c0a39b21500c9379b7f6c2c16a1ae62215a38d73be579674fe8b63
Tags:	elfuser-abuse_ch
Infos:

Errors No or unstable Internet during analysis

Detection

Score:	52
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Connects to many ports of the same IP (likely port scanning)

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1649605
Start date and time:	2025-03-26 23:41:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	ppc.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/2@0/0

Errors

No or unstable Internet during analysis

Warnings

Excluded IPs from analysis (whitelisted): 8.8.8.8

Runtime Messages

Command:	/tmp/ppc.elf
PID:	5569
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	For God so loved the world
Standard Error:

Process Tree

system is lnxubuntu20

ppc.elf (PID: 5569, Parent: 5486, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/ppc.elf

ppc.elf New Fork (PID: 5571, Parent: 5569)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ppc.elf

ReversingLabs: Detection: 13%

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 104.245.241.64 ports 2,26141,5,6,9,52962
Source: global traffic	TCP traffic: 216.73.156.19 ports 29486,2,4,6,8,9
Source: global traffic	TCP traffic: 154.205.155.243 ports 35086,0,54780,4,5,7,8
Source: global traffic	TCP traffic: 156.244.14.93 ports 50749,2,5,6,9,52962,6958
Source: global traffic	TCP traffic: 104.245.241.61 ports 44859,40217,0,1,2,4,7
Source: global traffic	TCP traffic: 154.205.155.97 ports 56190,45229,2,4,5,9

Source: global traffic	TCP traffic: 192.168.2.14:55882 -> 154.205.155.97:45229
Source: global traffic	TCP traffic: 192.168.2.14:38264 -> 104.245.241.61:40217
Source: global traffic	TCP traffic: 192.168.2.14:48962 -> 154.205.155.243:54780
Source: global traffic	TCP traffic: 192.168.2.14:53446 -> 104.245.241.64:52962
Source: global traffic	TCP traffic: 192.168.2.14:47470 -> 156.244.14.93:52962
Source: global traffic	TCP traffic: 192.168.2.14:43034 -> 216.73.156.19:29486

Source: /tmp/ppc.elf (PID: 5571)

Socket: 127.0.0.1:22448

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.97
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.155.243
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.64
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.64
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.64
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.64
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.64
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.64
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 104.245.241.61
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93
Source: unknown	TCP traffic detected without corresponding DNS query: 156.244.14.93

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/2@0/0

Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3760/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3761/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3759/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3873/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3758/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1593/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3094/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3406/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1/maps	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1589/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3402/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/806/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/807/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/928/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/135/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/3412/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/1371/cmdline	Jump to behavior
Source: /tmp/ppc.elf (PID: 5569)	File opened: /proc/260/cmdline	Jump to behavior

Source: /tmp/ppc.elf (PID: 5569)

Queries kernel information via 'uname':

Jump to behavior

Source: ppc.elf, 5569.1.00007ffc6bfb8000.00007ffc6bfd9000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.xuSLyg
Source: ppc.elf, 5569.1.00007f576c024000.00007f576c02a000.rw-.sdmp	Binary or memory string: vmwarep
Source: ppc.elf, 5569.1.000056388ca66000.000056388cb16000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: ppc.elf, 5569.1.00007f576c024000.00007f576c02a000.rw-.sdmp	Binary or memory string: vmware
Source: ppc.elf, 5569.1.00007ffc6bfb8000.00007ffc6bfd9000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ppc.elf
Source: ppc.elf, 5569.1.000056388ca66000.000056388cb16000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: ppc.elf, 5569.1.00007ffc6bfb8000.00007ffc6bfd9000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc
Source: ppc.elf, 5569.1.00007ffc6bfb8000.00007ffc6bfd9000.rw-.sdmp	Binary or memory string: %s/qemu-op
Source: ppc.elf, 5569.1.00007ffc6bfb8000.00007ffc6bfd9000.rw-.sdmp	Binary or memory string: 8V/tmp/qemu-open.xuSLyg\$?cX
Source: ppc.elf, 5569.1.00007ffc6bfb8000.00007ffc6bfd9000.rw-.sdmp	Binary or memory string: MPDIR%s/qemu-op
Source: ppc.elf, 5569.1.00007f576c024000.00007f576c02a000.rw-.sdmp	Binary or memory string: !qemu-arm
Source: ppc.elf, 5569.1.00007f576c024000.00007f576c02a000.rw-.sdmp	Binary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ppc.elf	14%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.245.241.64	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
154.205.155.243	unknown	Seychelles	26484	IKGUL-26484US	true
216.73.156.19	unknown	United States	7029	WINDSTREAMUS	true
156.244.14.93	unknown	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	true
104.245.241.61	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
154.205.155.97	unknown	Seychelles	26484	IKGUL-26484US	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.245.241.64	mpsl.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
154.205.155.243	mips.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CXE.14004.27270.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
216.73.156.19	arm.elf	Get hash	malicious	Unknown	Browse
	kmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
156.244.14.93	arm.elf	Get hash	malicious	Unknown	Browse
	kmips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
104.245.241.61	kmips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
154.205.155.97	sh4.elf	Get hash	malicious	Unknown	Browse
	kmips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm7.elf	Get hash	malicious	Unknown	Browse
	arm6.elf	Get hash	malicious	Unknown	Browse
	nimips.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IKGUL-26484US	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	156.238.135.139
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	156.251.85.203
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	156.251.85.209
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	156.251.85.206
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	156.249.132.40
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	156.238.135.154
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	156.238.135.196
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	156.238.135.163
	sh4.elf	Get hash	malicious	Unknown	Browse	154.205.155.97
	mips.elf	Get hash	malicious	Gafgyt, Okiru	Browse	156.233.94.73
POWERLINE-AS-APPOWERLINEDATACENTERHK	arm.elf	Get hash	malicious	Unknown	Browse	156.244.14.93
	UuhANT$345432.exe	Get hash	malicious	FormBook	Browse	202.165.121.125
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	156.251.7.178
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	156.242.206.58
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	156.251.3.5
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	156.242.206.57
	aarch64.elf	Get hash	malicious	Unknown	Browse	156.244.45.113
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	156.251.7.175
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	156.242.206.23
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	156.244.234.131
WINDSTREAMUS	arm.elf	Get hash	malicious	Unknown	Browse	216.73.156.19
	g4za.x86	Get hash	malicious	Unknown	Browse	155.212.88.182
	frosty.sh4.elf	Get hash	malicious	Unknown	Browse	65.23.29.97
	arm7.elf	Get hash	malicious	Okiru	Browse	173.185.229.87
	SecuriteInfo.com.Win64.MalwareX-gen.18746.5044.dll	Get hash	malicious	Unknown	Browse	64.52.80.252
	kmips.elf	Get hash	malicious	Unknown	Browse	216.73.156.19
	g4za.mips.elf	Get hash	malicious	Mirai	Browse	66.19.208.111
	g4za.arm.elf	Get hash	malicious	Mirai	Browse	207.94.133.229
	g4za.spc.elf	Get hash	malicious	Mirai	Browse	206.252.166.188
	g4za.x86.elf	Get hash	malicious	Unknown	Browse	68.143.234.232
ASN-QUADRANET-GLOBALUS	mpsl.elf	Get hash	malicious	Unknown	Browse	104.245.241.64
	arm.elf	Get hash	malicious	Unknown	Browse	104.245.241.64
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.20
	#Ud83d#Udd0aAudio_Msg Junklessfoods.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76
	#Ud83d#Udd0aAudio_Msg Junklessfoods.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76
	kmips.elf	Get hash	malicious	Unknown	Browse	104.245.241.61
	arm5.elf	Get hash	malicious	Unknown	Browse	104.245.241.64
	#Ud83d#Udd0aAudio_Msg Overlakehospital.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76
	#Ud83d#Udd0aAudio_Msg Umanitoba.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76
	Play_VM-Now(apply)VWAV.xhtml	Get hash	malicious	HTMLPhisher	Browse	185.174.100.76

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/tmp/qemu-open.wsugFj (deleted)

Download File

Process:	/tmp/ppc.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.1808329872054406
Encrypted:	false
SSDEEP:	3:Tg/cA3:TgkG
MD5:	B4B673815F84B3C325AF4B636EF3F7E8
SHA1:	0D795B3294AE13B67B5977896D2C28B777A2216A
SHA-256:	BA14832061879D30329B0378D53F56199440D741567578D0482343247629A00C
SHA-512:	DC4969EF1C3132480F4001EB78586B888D6E75CE84121CDF2B9679DA13062DC56604B4E7F1B1BBD205F9CC707B4BF311AAA9C19F0C67224026F270C18FDCD7EF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/ppc.elf.

/tmp/qemu-open.xuSLyg (deleted)

Download File

Process:	/tmp/ppc.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	3.1808329872054406
Encrypted:	false
SSDEEP:	3:Tg/cA3:TgkG
MD5:	B4B673815F84B3C325AF4B636EF3F7E8
SHA1:	0D795B3294AE13B67B5977896D2C28B777A2216A
SHA-256:	BA14832061879D30329B0378D53F56199440D741567578D0482343247629A00C
SHA-512:	DC4969EF1C3132480F4001EB78586B888D6E75CE84121CDF2B9679DA13062DC56604B4E7F1B1BBD205F9CC707B4BF311AAA9C19F0C67224026F270C18FDCD7EF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/ppc.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.303859193269811
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	ppc.elf
File size:	74'612 bytes
MD5:	c824fa5ad8c06656ff213f840a5a2706
SHA1:	727a9060993ca8d82b6a9a6d5d13e66164cf4265
SHA256:	8903fe9cf6c0a39b21500c9379b7f6c2c16a1ae62215a38d73be579674fe8b63
SHA512:	b7f4759f573e8be3ac7c6290909c65dd350941d76764afba8caff6a80cf7d7f6d8cabe7f3f256df5acf4fa3379c46ddfebb9afd9aba5ed0675452f3a828cc285
SSDEEP:	1536:oYdQdFswX3rxK0QMNK67aL48QfwjfOXjYNUHrrC:py3PljsaC
TLSH:	D9734B41B71D0587D2B36DF03B3F2BE1D3EA8D8221A46644784FBB8596B1E321846EDD
File Content Preview:	.ELF...........................4..!......4. ...(...................... 8.. 8.............. ... ... .......F.........dt.Q.............................!..\|......$H...H......$8!. \|...N.. .!..\|.......?.........!x..../...@..`= ..;. ......+../...A..$8...}).....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f8
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	74132
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0x10b64	0x0	0x6	AX	4
.fini	PROGBITS	0x10010c1c	0x10c1c	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x10010c40	0x10c40	0x13f8	0x0	0x2	A	8
.ctors	PROGBITS	0x100220a8	0x120a8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x100220b0	0x120b0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x100220bc	0x120bc	0x84	0x0	0x3	WA	4
.sdata	PROGBITS	0x10022140	0x12140	0x9	0x0	0x3	WA	4
.sbss	NOBITS	0x1002214c	0x12149	0x28	0x0	0x3	WA	4
.bss	NOBITS	0x10022178	0x12149	0x4628	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0x12149	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0x12038	0x12038	6.3271	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x120a8	0x100220a8	0x100220a8	0xa1	0x46f8	4.1891	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 23:42:21.886835098 CET	55882	45229	192.168.2.14	154.205.155.97
Mar 26, 2025 23:42:22.048295975 CET	45229	55882	154.205.155.97	192.168.2.14
Mar 26, 2025 23:42:22.048507929 CET	55882	45229	192.168.2.14	154.205.155.97
Mar 26, 2025 23:42:22.206661940 CET	45229	55882	154.205.155.97	192.168.2.14
Mar 26, 2025 23:42:22.206857920 CET	55882	45229	192.168.2.14	154.205.155.97
Mar 26, 2025 23:42:22.366022110 CET	45229	55882	154.205.155.97	192.168.2.14
Mar 26, 2025 23:42:22.366162062 CET	55882	45229	192.168.2.14	154.205.155.97
Mar 26, 2025 23:42:29.066129923 CET	55882	45229	192.168.2.14	154.205.155.97
Mar 26, 2025 23:42:29.223786116 CET	45229	55882	154.205.155.97	192.168.2.14
Mar 26, 2025 23:42:29.223843098 CET	45229	55882	154.205.155.97	192.168.2.14
Mar 26, 2025 23:42:29.224242926 CET	55882	45229	192.168.2.14	154.205.155.97
Mar 26, 2025 23:42:29.381285906 CET	45229	55882	154.205.155.97	192.168.2.14
Mar 26, 2025 23:42:30.225677013 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:31.247576952 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:33.263554096 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:33.654254913 CET	40217	38264	104.245.241.61	192.168.2.14
Mar 26, 2025 23:42:33.654699087 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:34.045017958 CET	40217	38264	104.245.241.61	192.168.2.14
Mar 26, 2025 23:42:34.045326948 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:34.435336113 CET	40217	38264	104.245.241.61	192.168.2.14
Mar 26, 2025 23:42:34.435686111 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:40.485655069 CET	40217	38264	104.245.241.61	192.168.2.14
Mar 26, 2025 23:42:40.485877991 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:40.663127899 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:41.054192066 CET	40217	38264	104.245.241.61	192.168.2.14
Mar 26, 2025 23:42:41.054544926 CET	38264	40217	192.168.2.14	104.245.241.61
Mar 26, 2025 23:42:55.679423094 CET	48962	54780	192.168.2.14	154.205.155.243
Mar 26, 2025 23:42:55.838419914 CET	54780	48962	154.205.155.243	192.168.2.14
Mar 26, 2025 23:42:55.838809013 CET	48962	54780	192.168.2.14	154.205.155.243
Mar 26, 2025 23:42:56.000634909 CET	54780	48962	154.205.155.243	192.168.2.14
Mar 26, 2025 23:42:56.000735044 CET	48962	54780	192.168.2.14	154.205.155.243
Mar 26, 2025 23:42:56.159796000 CET	54780	48962	154.205.155.243	192.168.2.14
Mar 26, 2025 23:42:56.160049915 CET	48962	54780	192.168.2.14	154.205.155.243
Mar 26, 2025 23:43:02.848433971 CET	48962	54780	192.168.2.14	154.205.155.243
Mar 26, 2025 23:43:03.007891893 CET	54780	48962	154.205.155.243	192.168.2.14
Mar 26, 2025 23:43:03.007925034 CET	54780	48962	154.205.155.243	192.168.2.14
Mar 26, 2025 23:43:03.008498907 CET	48962	54780	192.168.2.14	154.205.155.243
Mar 26, 2025 23:43:03.168668032 CET	54780	48962	154.205.155.243	192.168.2.14
Mar 26, 2025 23:43:04.011760950 CET	53446	52962	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:04.416667938 CET	52962	53446	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:04.417079926 CET	53446	52962	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:04.807713985 CET	52962	53446	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:04.808132887 CET	53446	52962	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:05.198743105 CET	52962	53446	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:05.199302912 CET	53446	52962	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:11.427453041 CET	53446	52962	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:11.821192026 CET	52962	53446	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:11.821261883 CET	52962	53446	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:11.821746111 CET	53446	52962	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:12.215579987 CET	52962	53446	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:12.824855089 CET	47470	52962	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:12.984116077 CET	52962	47470	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:12.984430075 CET	47470	52962	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:13.143050909 CET	52962	47470	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:13.143388987 CET	47470	52962	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:13.306993961 CET	52962	47470	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:13.307372093 CET	47470	52962	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:19.996365070 CET	47470	52962	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:20.155011892 CET	52962	47470	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:20.155258894 CET	52962	47470	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:20.155670881 CET	47470	52962	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:20.314404964 CET	52962	47470	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:21.160604954 CET	43034	29486	192.168.2.14	216.73.156.19
Mar 26, 2025 23:43:21.316817045 CET	29486	43034	216.73.156.19	192.168.2.14
Mar 26, 2025 23:43:21.317106009 CET	43034	29486	192.168.2.14	216.73.156.19
Mar 26, 2025 23:43:21.473540068 CET	29486	43034	216.73.156.19	192.168.2.14
Mar 26, 2025 23:43:21.473707914 CET	43034	29486	192.168.2.14	216.73.156.19
Mar 26, 2025 23:43:21.629941940 CET	29486	43034	216.73.156.19	192.168.2.14
Mar 26, 2025 23:43:21.630405903 CET	43034	29486	192.168.2.14	216.73.156.19
Mar 26, 2025 23:43:28.326246977 CET	43034	29486	192.168.2.14	216.73.156.19
Mar 26, 2025 23:43:28.483354092 CET	29486	43034	216.73.156.19	192.168.2.14
Mar 26, 2025 23:43:28.483378887 CET	29486	43034	216.73.156.19	192.168.2.14
Mar 26, 2025 23:43:28.484023094 CET	43034	29486	192.168.2.14	216.73.156.19
Mar 26, 2025 23:43:28.640269041 CET	29486	43034	216.73.156.19	192.168.2.14
Mar 26, 2025 23:43:29.489707947 CET	36208	44859	192.168.2.14	104.245.241.61
Mar 26, 2025 23:43:29.886056900 CET	44859	36208	104.245.241.61	192.168.2.14
Mar 26, 2025 23:43:29.886523962 CET	36208	44859	192.168.2.14	104.245.241.61
Mar 26, 2025 23:43:30.282684088 CET	44859	36208	104.245.241.61	192.168.2.14
Mar 26, 2025 23:43:30.283170938 CET	36208	44859	192.168.2.14	104.245.241.61
Mar 26, 2025 23:43:30.678764105 CET	44859	36208	104.245.241.61	192.168.2.14
Mar 26, 2025 23:43:30.679223061 CET	36208	44859	192.168.2.14	104.245.241.61
Mar 26, 2025 23:43:36.898816109 CET	36208	44859	192.168.2.14	104.245.241.61
Mar 26, 2025 23:43:37.296077967 CET	44859	36208	104.245.241.61	192.168.2.14
Mar 26, 2025 23:43:37.296112061 CET	44859	36208	104.245.241.61	192.168.2.14
Mar 26, 2025 23:43:37.296688080 CET	36208	44859	192.168.2.14	104.245.241.61
Mar 26, 2025 23:43:37.692148924 CET	44859	36208	104.245.241.61	192.168.2.14
Mar 26, 2025 23:43:38.300699949 CET	55550	6958	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:38.460064888 CET	6958	55550	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:38.460671902 CET	55550	6958	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:38.621933937 CET	6958	55550	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:38.622396946 CET	55550	6958	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:38.781733990 CET	6958	55550	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:38.782202959 CET	55550	6958	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:45.472531080 CET	55550	6958	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:45.631537914 CET	6958	55550	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:45.631561041 CET	6958	55550	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:45.632133007 CET	55550	6958	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:45.791124105 CET	6958	55550	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:46.636142969 CET	53522	50749	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:46.795394897 CET	50749	53522	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:46.795939922 CET	53522	50749	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:46.957643986 CET	50749	53522	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:46.957943916 CET	53522	50749	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:47.117415905 CET	50749	53522	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:47.117723942 CET	53522	50749	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:53.807652950 CET	53522	50749	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:53.968327045 CET	50749	53522	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:53.968372107 CET	50749	53522	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:53.969063997 CET	53522	50749	192.168.2.14	156.244.14.93
Mar 26, 2025 23:43:54.127947092 CET	50749	53522	156.244.14.93	192.168.2.14
Mar 26, 2025 23:43:54.975379944 CET	57842	26141	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:55.372520924 CET	26141	57842	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:55.373049974 CET	57842	26141	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:55.771826982 CET	26141	57842	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:55.772157907 CET	57842	26141	192.168.2.14	104.245.241.64
Mar 26, 2025 23:43:56.169224977 CET	26141	57842	104.245.241.64	192.168.2.14
Mar 26, 2025 23:43:56.169842958 CET	57842	26141	192.168.2.14	104.245.241.64
Mar 26, 2025 23:44:02.386601925 CET	57842	26141	192.168.2.14	104.245.241.64
Mar 26, 2025 23:44:02.788259029 CET	26141	57842	104.245.241.64	192.168.2.14
Mar 26, 2025 23:44:02.788276911 CET	26141	57842	104.245.241.64	192.168.2.14
Mar 26, 2025 23:44:02.788858891 CET	57842	26141	192.168.2.14	104.245.241.64
Mar 26, 2025 23:44:03.187666893 CET	26141	57842	104.245.241.64	192.168.2.14
Mar 26, 2025 23:44:03.793646097 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:03.952231884 CET	56190	48798	154.205.155.97	192.168.2.14
Mar 26, 2025 23:44:03.952687979 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:04.111198902 CET	56190	48798	154.205.155.97	192.168.2.14
Mar 26, 2025 23:44:04.111483097 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:04.269841909 CET	56190	48798	154.205.155.97	192.168.2.14
Mar 26, 2025 23:44:04.270057917 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:08.864209890 CET	56190	48798	154.205.155.97	192.168.2.14
Mar 26, 2025 23:44:08.864521980 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:10.963191032 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:11.122323036 CET	56190	48798	154.205.155.97	192.168.2.14
Mar 26, 2025 23:44:11.122605085 CET	48798	56190	192.168.2.14	154.205.155.97
Mar 26, 2025 23:44:26.969264030 CET	54474	35086	192.168.2.14	154.205.155.243
Mar 26, 2025 23:44:27.128240108 CET	35086	54474	154.205.155.243	192.168.2.14
Mar 26, 2025 23:44:27.128468037 CET	54474	35086	192.168.2.14	154.205.155.243
Mar 26, 2025 23:44:27.287528992 CET	35086	54474	154.205.155.243	192.168.2.14
Mar 26, 2025 23:44:27.288072109 CET	54474	35086	192.168.2.14	154.205.155.243
Mar 26, 2025 23:44:27.447129011 CET	35086	54474	154.205.155.243	192.168.2.14
Mar 26, 2025 23:44:27.447402954 CET	54474	35086	192.168.2.14	154.205.155.243

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 26, 2025 23:42:25.060100079 CET	44685	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:42:27.062297106 CET	44034	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:42:34.656645060 CET	60473	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:42:38.660968065 CET	55875	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:42:56.841505051 CET	45641	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:42:58.843766928 CET	59188	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:43:00.845956087 CET	56318	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:05.420351982 CET	59578	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:43:07.422583103 CET	56710	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:43:09.424678087 CET	44245	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:43:13.989442110 CET	45201	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:43:15.991601944 CET	51135	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:17.993963957 CET	48640	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:43:22.319402933 CET	57630	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:24.321866035 CET	47879	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:30.891402960 CET	52022	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:43:32.894018888 CET	44287	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:34.896245003 CET	59091	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:43:41.467616081 CET	59589	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:43:49.803165913 CET	34906	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:51.805362940 CET	34891	53	192.168.2.14	208.67.220.220
Mar 26, 2025 23:43:56.379687071 CET	46119	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:43:58.382054090 CET	60369	53	192.168.2.14	208.67.222.222
Mar 26, 2025 23:44:00.384079933 CET	40788	53	192.168.2.14	8.8.4.4
Mar 26, 2025 23:44:04.956809998 CET	41696	53	192.168.2.14	208.67.222.222

System Behavior

Analysis Process: ppc.elf PID: 5569, Parent PID: 5486

General

Start time (UTC):	22:42:18
Start date (UTC):	26/03/2025
Path:	/tmp/ppc.elf
Arguments:	/tmp/ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

File Activities

File Opened

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: ppc.elf PID: 5571, Parent PID: 5569

General

Start time (UTC):	22:42:21
Start date (UTC):	26/03/2025
Path:	/tmp/ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Errors

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/qemu-open.wsugFj (deleted)

/tmp/qemu-open.xuSLyg (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

System Behavior

Analysis Process: ppc.elf PID: 5569, Parent PID: 5486

General

File Activities

File Opened

File Deleted

File Read

File Written

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: ppc.elf PID: 5571, Parent PID: 5569

General

Linux Analysis Report
ppc.elf