Linux Analysis Report
ub8ehJSePAfc9FYqZIT6.arm.elf

Overview

General Information

Sample name:ub8ehJSePAfc9FYqZIT6.arm.elf
Analysis ID:1649636
MD5:955c812632a128ff4bc532bc06b8aecb
SHA1:3063eab451c8f1c02f6130d631b64c950123b054
SHA256:a6b5a509a92c7f273e1e2801b4a32283b5f16b227554ffca33a9b1f4c2c44d47
Tags:elf, user-abuse_ch

Detection

Mirai
Score:76
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1649636
Start date and time:2025-03-27 00:31:21 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ub8ehJSePAfc9FYqZIT6.arm.elf
Detection:MAL
Classification:mal76.troj.evad.linELF@0/0@0/0
Command:/tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
PID:6274
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 6332, Parent: 4331)
  • rm (PID: 6332, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.D3qEOOGVLK /tmp/tmp.Ixi9ydgmeQ /tmp/tmp.jW97BLfXxd
  • dash New Fork (PID: 6333, Parent: 4331)
  • rm (PID: 6333, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.D3qEOOGVLK /tmp/tmp.Ixi9ydgmeQ /tmp/tmp.jW97BLfXxd
  • cleanup
Name:Mirai
Description:Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution:No Attribution
Link:https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
6278.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
6278.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
6288.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
6288.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
6276.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
        No Suricata rule has matched

        AV Detection

        Source: ub8ehJSePAfc9FYqZIT6.arm.elf | Avira: detected
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf | Virustotal: Detection: 28%
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf | ReversingLabs: Detection: 52%
        Source: global traffic | TCP traffic: 192.168.2.23:45360 -> 61.7.209.116:3778
        Source: global traffic | TCP traffic: 192.168.2.23:39256 -> 34.249.145.219:443
        Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
        Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
        Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219
        Source: unknown | TCP traffic detected without corresponding DNS query: 61.7.209.116
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf | String found in binary or memory: http://upx.sf.net
        Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 39256 -> 443

        System Summary

        Source: 6278.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 6288.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 6276.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 6274.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6274, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6276, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6278, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6288, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: LOAD without section mappings | Program segment: 0x8000
        Source: 6278.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 6288.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 6276.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 6274.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6274, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6276, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6278, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6288, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: classification engine | Classification label: mal76.troj.evad.linELF@0/0@0/0

        Data Obfuscation

        Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf (PID: 6274) | File opened: /proc/6231/status (first of 105 /proc/<pid>/status files opened by this process)
        Source: /usr/bin/dash (PID: 6332) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.D3qEOOGVLK /tmp/tmp.Ixi9ydgmeQ /tmp/tmp.jW97BLfXxd
        Source: /usr/bin/dash (PID: 6333) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.D3qEOOGVLK /tmp/tmp.Ixi9ydgmeQ /tmp/tmp.jW97BLfXxd
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf | Submission file: segment LOAD with 7.9707 entropy (max. 8.0)
        Source: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf (PID: 6274) | Queries kernel information via 'uname'
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf, 6274.1.00007ffecb034000.00007ffecb055000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6276.1.00007ffecb034000.00007ffecb055000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6278.1.00007ffecb034000.00007ffecb055000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6288.1.00007ffecb034000.00007ffecb055000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/ub8ehJSePAfc9FYqZIT6.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf, 6274.1.0000562e67873000.0000562e67a23000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6276.1.0000562e67873000.0000562e67a01000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6278.1.0000562e67873000.0000562e67a01000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6288.1.0000562e67873000.0000562e67a23000.rw-.sdmp | Binary or memory string: g.V!/etc/qemu-binfmt/arm
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf, 6274.1.0000562e67873000.0000562e67a23000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6276.1.0000562e67873000.0000562e67a01000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6278.1.0000562e67873000.0000562e67a01000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6288.1.0000562e67873000.0000562e67a23000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
        Source: ub8ehJSePAfc9FYqZIT6.arm.elf, 6274.1.00007ffecb034000.00007ffecb055000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6276.1.00007ffecb034000.00007ffecb055000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6278.1.00007ffecb034000.00007ffecb055000.rw-.sdmp, ub8ehJSePAfc9FYqZIT6.arm.elf, 6288.1.00007ffecb034000.00007ffecb055000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm

        Stealing of Sensitive Information

Source: Yara match; File source: 6278.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6288.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6276.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6274.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6274, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6276, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6278, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6288, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match; File source: 6278.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6288.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6276.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 6274.1.00007f3bc8017000.00007f3bc802c000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6274, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6276, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6278, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.arm.elf PID: 6288, type: MEMORYSTR

Tactic: techniques (count of matches in parentheses where the report gives one)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Obfuscated Files or Information (11); File Deletion (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
        No configs have been found
Behavior Graph (ID: 1649636; Sample: ub8ehJSePAfc9FYqZIT6.arm.elf; Startdate: 27/03/2025; Architecture: LINUX; Score: 76)

Network nodes: 109.202.202.202 port 80 (INIT7CH, Switzerland); 61.7.209.116 ports 3778, 45360, 45362 (CAT-APTheCommunicationAuthoityofThailandCATTH, Thailand); 2 other IPs or domains
Signature nodes: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
Process nodes: ub8ehJSePAfc9FYqZIT6.arm.elf started and spawned three further ub8ehJSePAfc9FYqZIT6.arm.elf processes, the first of which spawned two more; dash rm started twice
Source | Detection | Scanner | Label
ub8ehJSePAfc9FYqZIT6.arm.elf | 29% | Virustotal |
ub8ehJSePAfc9FYqZIT6.arm.elf | 53% | ReversingLabs | Linux.Backdoor.Mirai
ub8ehJSePAfc9FYqZIT6.arm.elf | 100% | Avira | ANDROID/AVE.Svirtu.snnqz
No Antivirus matches


No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | ub8ehJSePAfc9FYqZIT6.arm.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.249.145.219 | unknown | United States | 16509 | AMAZON-02US | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
61.7.209.116 | unknown | Thailand | 9931 | CAT-APTheCommunicationAuthoityofThailandCATTH | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.249.145.219 | efea6.elf | malicious | Mirai |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | xWgJI0PtLZ.elf | malicious | Unknown |
34.249.145.219 | arm.elf | malicious | Unknown |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | efefa7.elf | malicious | Mirai |
34.249.145.219 | na.elf | malicious | Prometei |
34.249.145.219 | na.elf | malicious | Prometei |
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.x86_64.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.ppc.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.sh4.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.m68k.elf | malicious | Mirai |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.arm6.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.i686.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.mpsl.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.mips.elf | malicious | Unknown |
61.7.209.116 | ub8ehJSePAfc9FYqZIT6.x86.elf | malicious | Unknown |
61.7.209.116 | cbot.exe | malicious | Unknown |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | ub8ehJSePAfc9FYqZIT6.ppc.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | ub8ehJSePAfc9FYqZIT6.i686.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | efea6.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | arm5.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | na.elf | malicious | Prometei | 91.189.91.42
CANONICAL-ASGB | arm5.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | rjfe686.elf | malicious | Unknown | 91.189.91.42
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.x86_64.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.ppc.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.sh4.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.m68k.elf | malicious | Mirai | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.arm6.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.i686.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.mpsl.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.mips.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | ub8ehJSePAfc9FYqZIT6.x86.elf | malicious | Unknown | 61.7.209.116
CAT-APTheCommunicationAuthoityofThailandCATTH | cbot.exe | malicious | Unknown | 61.7.209.116
INIT7CH | ub8ehJSePAfc9FYqZIT6.ppc.elf | malicious | Unknown | 109.202.202.202
INIT7CH | ub8ehJSePAfc9FYqZIT6.i686.elf | malicious | Unknown | 109.202.202.202
INIT7CH | efea6.elf | malicious | Mirai | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | arm5.elf | malicious | Unknown | 109.202.202.202
INIT7CH | na.elf | malicious | Prometei | 109.202.202.202
INIT7CH | arm5.elf | malicious | Unknown | 109.202.202.202
INIT7CH | rjfe686.elf | malicious | Unknown | 109.202.202.202
AMAZON-02US | rjfe686.elf | malicious | Mirai | 18.140.146.81
AMAZON-02US | drea4.elf | malicious | Gafgyt, Mirai | 63.35.124.117
AMAZON-02US | jfeeps.elf | malicious | Gafgyt, Mirai | 54.201.156.173
AMAZON-02US | efea6.elf | malicious | Mirai | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | https://www.bing.com/ck/a?!&&p=4bc123521bd053746ce6213fb7efb9db6bd547d194d9f27180003c09ab9dfa29JmltdHM9MTc0Mjc3NDQwMA&ptn=3&ver=2&hsh=4&fclid=19c568d0-da5e-6cab-0452-7d78db436d5e&u=a1aHR0cHM6Ly9iaW9tZWRzdGF0LmNvbS5ici9jYXRlZ29yeS9jYWxjdWxvLWFtb3N0cmFsLw&ntb=1 | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 3.168.73.40
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | xWgJI0PtLZ.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | arm.elf | malicious | Unknown | 34.249.145.219
No context
No context
                                                  No created / dropped files found
                                                  File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
                                                  Entropy (8bit):7.968843738591809
                                                  TrID:
                                                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                  File name:ub8ehJSePAfc9FYqZIT6.arm.elf
                                                  File size:39'296 bytes
                                                  MD5:955c812632a128ff4bc532bc06b8aecb
                                                  SHA1:3063eab451c8f1c02f6130d631b64c950123b054
                                                  SHA256:a6b5a509a92c7f273e1e2801b4a32283b5f16b227554ffca33a9b1f4c2c44d47
                                                  SHA512:891e4b5148a0681190ef6a9d73da1912240053b5fe0026843a864e08242bc5e6b23ef4a5ad1452607f4679a795dcc866d0b04b430b0fcffc084fcbc38cd22218
                                                  SSDEEP:768:tu7RATMUu4f7RDdP6NM8I52VNbvdFsDJ4Nt6Tpxys3UozOW:aRAC4fNDdP6N5pd+DMtUpxvzOW
                                                  TLSH:2103F2967C9BD9219C604930EF6F15167B3B7BBCC2DB7034A1150A38BDD0B07752CAA6
                                                  File Content Preview:.ELF...a..........(.........4...........4. ...(....................._..._................{...{...{..................Q.td............................s.y.UPX!.........T...T......S..........?.E.h;.}...^..........fK..z..,vU...].XLU..0.)..0(7n..V5.'...,;.q9...

                                                  ELF header

                                                  Class:ELF32
                                                  Data:2's complement, little endian
                                                  Version:1 (current)
                                                  Machine:ARM
                                                  Version Number:0x1
                                                  Type:EXEC (Executable file)
                                                  OS/ABI:ARM - ABI
                                                  ABI Version:0
                                                  Entry Point Address:0x106b0
                                                  Flags:0x202
                                                  ELF Header Size:52
                                                  Program Header Offset:52
                                                  Program Header Size:32
                                                  Number of Program Headers:3
                                                  Section Header Offset:0
                                                  Section Header Size:40
                                                  Number of Section Headers:0
                                                  Header String Table Index:0
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x985f | 0x985f | 7.9707 | 0x5 | R E | 0x8000 | |
LOAD | 0x7bc8 | 0x27bc8 | 0x27bc8 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                                                  • Total Packets: 52
                                                  • 3778 undefined
                                                  • 443 (HTTPS)
                                                  • 80 (HTTP)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 27, 2025 00:32:38.392687082 CET | 39256 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 00:32:40.102195978 CET | 45360 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:40.455523014 CET | 3778 | 45360 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:40.952048063 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 27, 2025 00:32:42.458147049 CET | 45362 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:42.810261965 CET | 3778 | 45362 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:46.345392942 CET | 45364 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:46.583376884 CET | 39256 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 00:32:46.709181070 CET | 3778 | 45364 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:46.813517094 CET | 45366 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:47.167073011 CET | 3778 | 45366 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:48.713346958 CET | 45368 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:49.069010019 CET | 3778 | 45368 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:51.168976068 CET | 45370 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:51.531785011 CET | 3778 | 45370 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:53.074270964 CET | 45372 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:53.435959101 CET | 3778 | 45372 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:55.286168098 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Mar 27, 2025 00:32:57.437808990 CET | 45374 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:57.534538984 CET | 45376 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:32:57.795670033 CET | 3778 | 45374 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:32:57.898140907 CET | 3778 | 45376 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:01.429233074 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 27, 2025 00:33:02.709202051 CET | 39256 | 443 | 192.168.2.23 | 34.249.145.219
Mar 27, 2025 00:33:03.797517061 CET | 45378 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:04.162885904 CET | 3778 | 45378 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:06.899183035 CET | 45380 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:07.258846045 CET | 3778 | 45380 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:11.260581970 CET | 45382 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:11.619019032 CET | 3778 | 45382 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:13.164216995 CET | 45384 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:13.518094063 CET | 3778 | 45384 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:17.520118952 CET | 45386 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:17.873342037 CET | 3778 | 45386 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:18.620748997 CET | 45388 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:18.977279902 CET | 3778 | 45388 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:24.875063896 CET | 45390 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:25.223421097 CET | 3778 | 45390 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:26.978586912 CET | 45392 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:27.338205099 CET | 3778 | 45392 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:33.224821091 CET | 45394 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:33.580051899 CET | 3778 | 45394 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:34.339680910 CET | 45396 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:34.704058886 CET | 3778 | 45396 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:37.706231117 CET | 45398 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:38.067491055 CET | 3778 | 45398 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:40.581482887 CET | 45400 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:40.933717012 CET | 3778 | 45400 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:42.383682966 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Mar 27, 2025 00:33:43.069833994 CET | 45402 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:43.429761887 CET | 3778 | 45402 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:43.936882973 CET | 45404 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:44.301898003 CET | 3778 | 45404 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:44.431350946 CET | 45406 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:44.794760942 CET | 3778 | 45406 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:49.304193020 CET | 45408 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:49.665579081 CET | 3778 | 45408 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:50.668283939 CET | 45410 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:50.796273947 CET | 45412 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:51.024311066 CET | 3778 | 45410 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:51.158752918 CET | 3778 | 45412 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:53.160695076 CET | 45414 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:53.517779112 CET | 3778 | 45414 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:57.026685953 CET | 45416 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:57.391752005 CET | 3778 | 45416 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:33:59.394723892 CET | 45418 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:33:59.746602058 CET | 3778 | 45418 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:01.523267031 CET | 45420 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:01.883536100 CET | 3778 | 45420 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:07.749277115 CET | 45422 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:08.109106064 CET | 3778 | 45422 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:10.885149956 CET | 45424 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:11.244002104 CET | 3778 | 45424 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:17.109848022 CET | 45426 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:17.460602999 CET | 3778 | 45426 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:18.245328903 CET | 45428 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:18.602684021 CET | 3778 | 45428 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:24.461735010 CET | 45430 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:24.818078995 CET | 3778 | 45430 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:26.604162931 CET | 45432 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:26.967036963 CET | 3778 | 45432 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:28.968566895 CET | 45434 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:29.322217941 CET | 3778 | 45434 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:32.820420980 CET | 45436 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:33.184803963 CET | 3778 | 45436 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:33.324229002 CET | 45438 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:33.690515041 CET | 3778 | 45438 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:35.187237978 CET | 45440 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:35.544308901 CET | 3778 | 45440 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:39.545866013 CET | 45442 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:39.904552937 CET | 3778 | 45442 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:42.691462994 CET | 45444 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:43.046441078 CET | 3778 | 45444 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:48.905495882 CET | 45446 | 3778 | 192.168.2.23 | 61.7.209.116
Mar 27, 2025 00:34:49.265482903 CET | 3778 | 45446 | 61.7.209.116 | 192.168.2.23
Mar 27, 2025 00:34:51.047516108 CET | 45448 | 3778 | 192.168.2.23 | 61.7.209.116

System Behavior

Start time (UTC): 23:32:39
Start date (UTC): 26/03/2025
Path: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
Arguments: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:32:39
Start date (UTC): 26/03/2025
Path: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:32:39
Start date (UTC): 26/03/2025
Path: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:32:39
Start date (UTC): 26/03/2025
Path: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:32:45
Start date (UTC): 26/03/2025
Path: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:32:45
Start date (UTC): 26/03/2025
Path: /tmp/ub8ehJSePAfc9FYqZIT6.arm.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 23:33:30
Start date (UTC): 26/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 23:33:30
Start date (UTC): 26/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.D3qEOOGVLK /tmp/tmp.Ixi9ydgmeQ /tmp/tmp.jW97BLfXxd
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 23:33:30
Start date (UTC): 26/03/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 23:33:30
Start date (UTC): 26/03/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.D3qEOOGVLK /tmp/tmp.Ixi9ydgmeQ /tmp/tmp.jW97BLfXxd
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b