Linux Analysis Report
FBI.arm6.elf

Overview

General Information

Sample name: FBI.arm6.elf
Analysis ID: 1654264
MD5: 6aab6a5d56cc30c16360a0d3703dbc1b
SHA1: e9d91c5d018151c38b1d6507561dfaffe864cf40
SHA256: 44421e849e4e403f3c639b3179f44368b2fe82ea1527939bf65852a6f9ef9a28
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai
Score: 80
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart (labels: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654264
Start date and time: 2025-04-02 08:26:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: FBI.arm6.elf
Detection: MAL
Classification: mal80.troj.linELF@0/0@2/0
Command: /tmp/FBI.arm6.elf
PID: 5430
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
  • system is lnxubuntu20
  • cleanup
Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
FBI.arm6.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
FBI.arm6.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
FBI.arm6.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
• 0x176dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x176f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1772c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1777c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1781c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1786c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
FBI.arm6.elf | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
• 0x1768c:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64

Source | Rule | Description | Author | Strings
5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
• 0x176dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x176f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17704:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17718:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1772c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17740:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17754:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17768:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1777c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17790:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x177f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17808:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1781c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17830:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17844:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x17858:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1786c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
• 0x1768c:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
No Suricata rule has matched

AV Detection

Source: FBI.arm6.elf | Avira: detected
Source: FBI.arm6.elf | ReversingLabs: Detection: 63%
Source: FBI.arm6.elf | Virustotal: Detection: 65%

Networking

Source: global traffic | TCP traffic: 192.168.2.13:33836 -> 176.65.144.18:1337
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.18 (reported 50 times)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: FBI.arm6.elf | String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.arm6.elf | String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.arm6.elf | String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.arm6.elf | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.arm6.elf | String found in binary or memory: http://www.billybobbot.com/crawler/)

System Summary

Source: FBI.arm6.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: FBI.arm6.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5430, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5430, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5432, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5432, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5439, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5439, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5445, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5445, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5472, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5472, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5474, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.arm6.elf PID: 5474, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: BusyBox
Source: Initial sample | String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217
Source: ELF static info symbol of initial sample | .symtab present: no
Metadata of the matched rules (identical for every source listed below):
Linux_Trojan_Gafgyt_28a2fe0c: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Linux_Trojan_Gafgyt_ea92cca8: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Sources matching both rules:
• FBI.arm6.elf, type: SAMPLE
• 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
• 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
• 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
• 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
• 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
• 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
• Process Memory Space: FBI.arm6.elf PID: 5430, type: MEMORYSTR
• Process Memory Space: FBI.arm6.elf PID: 5432, type: MEMORYSTR
• Process Memory Space: FBI.arm6.elf PID: 5439, type: MEMORYSTR
• Process Memory Space: FBI.arm6.elf PID: 5445, type: MEMORYSTR
• Process Memory Space: FBI.arm6.elf PID: 5472, type: MEMORYSTR
• Process Memory Space: FBI.arm6.elf PID: 5474, type: MEMORYSTR
Source: classification engine | Classification label: mal80.troj.linELF@0/0@2/0
Source: submitted sample | Stderr: qemu: uncaught target signal 11 (Segmentation fault) - core dumped; qemu: uncaught target signal 8 (Floating point exception) - core dumped; qemu: uncaught target signal 8 (Floating point exception) - core dumped: exit code = 0
Source: /tmp/FBI.arm6.elf (PID: 5430) | Queries kernel information via 'uname'
Source: FBI.arm6.elf, 5430.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5432.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5439.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5445.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5472.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5474.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/FBI.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.arm6.elf
Source: FBI.arm6.elf, 5430.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5432.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5439.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5445.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5472.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5474.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: FBI.arm6.elf, 5430.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5432.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5439.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5445.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5472.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp, FBI.arm6.elf, 5474.1.000055cfff5ad000.000055cfff6db000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: FBI.arm6.elf, 5430.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5432.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5439.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5445.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5472.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5474.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: FBI.arm6.elf, 5445.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp, FBI.arm6.elf, 5474.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 8 (Floating point exception) - core dumped
Source: FBI.arm6.elf, 5432.1.00007fffd33ab000.00007fffd33cc000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

            Stealing of Sensitive Information

            Source: Yara match  File source: FBI.arm6.elf, type: SAMPLE
            Source: Yara match  File source: 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: FBI.arm6.elf, type: SAMPLE
            Source: Yara match  File source: 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5430, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5432, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5439, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5445, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5472, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5474, type: MEMORYSTR
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
            Source: Initial sample  User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
            Source: Initial sample  User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
            Source: Initial sample  User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
            Source: Initial sample  User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
            Source: Initial sample  User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
            Source: Initial sample  User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
            Source: Initial sample  User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
            Source: Initial sample  User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
            Source: Initial sample  User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
            Source: Initial sample  User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
            Source: Initial sample  User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
            Source: Initial sample  User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
            Source: Initial sample  User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
            Source: Initial sample  User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
            Source: Initial sample  User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
            Source: Initial sample  User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

            Remote Access Functionality

            Source: Yara match  File source: FBI.arm6.elf, type: SAMPLE
            Source: Yara match  File source: 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: FBI.arm6.elf, type: SAMPLE
            Source: Yara match  File source: 5472.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5432.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5430.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5445.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5439.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: 5474.1.00007f52b8017000.00007f52b8032000.r-x.sdmp, type: MEMORY
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5430, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5432, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5439, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5445, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5472, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: FBI.arm6.elf PID: 5474, type: MEMORYSTR
            MITRE ATT&CK Matrix (one line per tactic; the four techniques shown in that tactic's column follow. A leading number is the count badge displayed next to a technique matched by this analysis):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
            Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
            Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information; Binary Padding
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
            Discovery: 11 Security Software Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
            Command and Control: 1 Data Obfuscation; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
            No configs have been found
            Behavior Graph (ID: 1654264; Sample: FBI.arm6.elf; Startdate: 02/04/2025; Architecture: LINUX; Score: 80). The rendered graph is not reproduced here; its recoverable content is:

            • Network: 176.65.144.18 (ports 1337, 33836, 33838), PALTEL-ASPALTELAutonomousSystemPS, Germany; daisy.ubuntu.com
            • Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
            • Process tree: FBI.arm6.elf (node 10) started; it starts two further FBI.arm6.elf processes (nodes 12 and 14); node 12 starts nodes 16 and 18; node 16 starts node 20; node 18 starts node 22; node 20 starts node 24
            Source        Detection  Scanner        Label
            FBI.arm6.elf  64%        ReversingLabs  Linux.Trojan.Gafgyt
            FBI.arm6.elf  66%        Virustotal     (link only, no label)
            FBI.arm6.elf  100%       Avira          EXP/ELF.Mirai.Z
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches

            Name              IP             Active  Malicious  Antivirus Detection  Reputation
            daisy.ubuntu.com  162.213.35.24  true    false      -                    high

            Name                                      Source        Malicious  Antivirus Detection  Reputation
            http://www.baidu.com/search/spider.html)  FBI.arm6.elf  false      -                    high
            http://www.billybobbot.com/crawler/)      FBI.arm6.elf  false      -                    high
            http://fast.no/support/crawler.asp)       FBI.arm6.elf  false      -                    high
            http://feedback.redkolibri.com/           FBI.arm6.elf  false      -                    high
            http://www.baidu.com/search/spider.htm)   FBI.arm6.elf  false      -                    high
            IP             Domain   Country  ASN    ASN Name                           Malicious
            176.65.144.18  unknown  Germany  12975  PALTEL-ASPALTELAutonomousSystemPS  false
                        No context
            Match: daisy.ubuntu.com

            Associated Sample Name / URL  Detection  Threat Name  Context
            mpsl.elf                      malicious  Unknown      162.213.35.25
            arm6.elf                      malicious  Unknown      162.213.35.25
            rjfe686.elf                   malicious  Unknown      162.213.35.25
            arm.elf                       malicious  Mirai        162.213.35.25
            efefa7.elf                    malicious  Mirai        162.213.35.24
            arm7.elf                      malicious  Mirai        162.213.35.24
            weje64.elf                    malicious  Unknown      162.213.35.25
            na.elf                        malicious  Prometei     162.213.35.24
            drea4.elf                     malicious  Unknown      162.213.35.24
            bejv86.elf                    malicious  Unknown      162.213.35.25

            Match: PALTEL-ASPALTELAutonomousSystemPS

            Associated Sample Name / URL  Detection  Threat Name  Context
            clip64.dll                    malicious  Amadey       176.65.137.193
            clip64.dll                    malicious  Amadey       176.65.137.193
            cred64.dll.dll                malicious  Amadey       176.65.137.193
            gLLOqKC.exe                   malicious  Amadey       176.65.137.193
            boatnet.ppc.elf               malicious  Mirai        176.65.137.13
            boatnet.sh4.elf               malicious  Mirai        176.65.137.13
            boatnet.m68k.elf              malicious  Mirai        176.65.137.13
            boatnet.spc.elf               malicious  Mirai        176.65.137.13
            boatnet.arm7.elf              malicious  Mirai        176.65.137.13
            boatnet.x86.elf               malicious  Mirai        176.65.137.13
                        No context
                        No context
                        No created / dropped files found
                        File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                        Entropy (8bit):6.1973559153730715
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:FBI.arm6.elf
                        File size:116'124 bytes
                        MD5:6aab6a5d56cc30c16360a0d3703dbc1b
                        SHA1:e9d91c5d018151c38b1d6507561dfaffe864cf40
                        SHA256:44421e849e4e403f3c639b3179f44368b2fe82ea1527939bf65852a6f9ef9a28
                        SHA512:8cf594bb9cd81533c8b5899722320afe9d948870ecb6945432451c65151ca8f175b9c697c10ef6900c5bb656619358a361b200f35dbbbae71d1867f4e8b3b84d
                        SSDEEP:1536:yLnB+54uILdyu8HUULQh+O3a/1T/TIpPtMbiXfM6RJZf6jRS5yYL5hFp1Bvr:IhZ43GatTmfM6RJZf6jwQa5hFp1lr
                        TLSH:D3B32A17B9528B12C1C215B6FB4E564976136BFCE3EF3212C9249F603B874EB0E2AD51
                        File Content Preview:.ELF..............(.........4...........4. ...(........p.....&...&..................................................................4...8m..........Q.td..................................-...L..................G.F.G.F.G.F.G.F G.F(G.F0G.F8G.F@G.FHG.FPG.FXG.

                        ELF header

                        Class:ELF32
                        Data:2's complement, little endian
                        Version:1 (current)
                        Machine:ARM
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:UNIX - System V
                        ABI Version:0
                        Entry Point Address:0x81b0
                        Flags:0x4000002
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:4
                        Section Header Offset:115404
                        Section Header Size:40
                        Number of Section Headers:18
                        Header String Table Index:17
            Section headers

            Name             Type            Address  Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
            (null)           NULL            0x0      0x0      0x0      0x0      0x0    -                  0     0     0
            .init            PROGBITS        0x80b4   0xb4     0x10     0x0      0x6    AX                 0     0     4
            .text            PROGBITS        0x80d0   0xd0     0x1586c  0x0      0x6    AX                 0     0     16
            .fini            PROGBITS        0x1d93c  0x1593c  0x10     0x0      0x6    AX                 0     0     4
            .rodata          PROGBITS        0x1d950  0x15950  0x4d18   0x0      0x2    A                  0     0     8
            .ARM.extab       PROGBITS        0x22668  0x1a668  0x18     0x0      0x2    A                  0     0     4
            .ARM.exidx       ARM_EXIDX       0x22680  0x1a680  0x10     0x0      0x82   AL                 2     0     4
            .eh_frame        PROGBITS        0x2b000  0x1b000  0x4      0x0      0x3    WA                 0     0     4
            .init_array      INIT_ARRAY      0x2b004  0x1b004  0x4      0x0      0x3    WA                 0     0     4
            .fini_array      FINI_ARRAY      0x2b008  0x1b008  0x4      0x0      0x3    WA                 0     0     4
            .jcr             PROGBITS        0x2b00c  0x1b00c  0x4      0x0      0x3    WA                 0     0     4
            .data.rel.ro     PROGBITS        0x2b010  0x1b010  0x18     0x0      0x3    WA                 0     0     4
            .got             PROGBITS        0x2b028  0x1b028  0x80     0x4      0x3    WA                 0     0     4
            .data            PROGBITS        0x2b0a8  0x1b0a8  0x38c    0x0      0x3    WA                 0     0     4
            .bss             NOBITS          0x2b438  0x1b434  0x6900   0x0      0x3    WA                 0     0     8
            .comment         PROGBITS        0x0      0x1b434  0xdf0    0x0      0x0    -                  0     0     1
            .ARM.attributes  ARM_ATTRIBUTES  0x0      0x1c224  0x10     0x0      0x0    -                  0     0     1
            .shstrtab        STRTAB          0x0      0x1c234  0x98     0x0      0x0    -                  0     0     1

            Program headers

            Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
            EXIDX      0x1a680  0x22680          0x22680           0x10       0x10         2.4056   0x4    R                  0x4     -                 .ARM.exidx
            LOAD       0x0      0x8000           0x8000            0x1a690    0x1a690      6.2659   0x5    R E                0x8000  -                 .init .text .fini .rodata .ARM.extab .ARM.exidx
            LOAD       0x1b000  0x2b000          0x2b000           0x434      0x6d38       4.0238   0x6    RW                 0x8000  -                 .eh_frame .init_array .fini_array .jcr .data.rel.ro .got .data .bss
            GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4     -                 -

                        • Total Packets: 53
                        • Port 1337: undefined
                        • Port 53: DNS
                        TCP packets

                        Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                        Apr 2, 2025 08:27:01.915591002 CEST  33836        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:02.117675066 CEST  1337         33836      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:04.070600986 CEST  33838        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:04.273082972 CEST  1337         33838      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:07.132508039 CEST  33840        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:07.333404064 CEST  1337         33840      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:09.338877916 CEST  33842        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:09.542292118 CEST  1337         33842      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:12.335522890 CEST  33844        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:12.537329912 CEST  1337         33844      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:14.544120073 CEST  33846        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:14.747215986 CEST  1337         33846      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:17.539145947 CEST  33848        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:17.745318890 CEST  1337         33848      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:19.749903917 CEST  33850        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:19.962622881 CEST  1337         33850      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:22.747890949 CEST  33852        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:22.950524092 CEST  1337         33852      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:24.965831041 CEST  33854        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:25.171232939 CEST  1337         33854      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:27.953064919 CEST  33856        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:28.158329964 CEST  1337         33856      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:30.174988031 CEST  33858        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:30.376921892 CEST  1337         33858      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:33.161757946 CEST  33860        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:33.366324902 CEST  1337         33860      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:35.380213976 CEST  33862        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:35.581389904 CEST  1337         33862      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:38.370223045 CEST  33864        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:38.576625109 CEST  1337         33864      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:40.584434032 CEST  33866        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:40.785521984 CEST  1337         33866      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:43.580013990 CEST  33868        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:43.785821915 CEST  1337         33868      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:45.788494110 CEST  33870        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:45.990350008 CEST  1337         33870      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:48.789252043 CEST  33872        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:48.992088079 CEST  1337         33872      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:50.993453026 CEST  33874        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:51.194776058 CEST  1337         33874      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:53.995662928 CEST  33876        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:54.200987101 CEST  1337         33876      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:56.198240995 CEST  33878        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:56.414298058 CEST  1337         33878      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:27:59.205148935 CEST  33880        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:27:59.411828995 CEST  1337         33880      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:01.417825937 CEST  33882        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:01.619904041 CEST  1337         33882      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:04.414776087 CEST  33884        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:04.618192911 CEST  1337         33884      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:06.623632908 CEST  33886        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:06.826059103 CEST  1337         33886      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:09.621788025 CEST  33888        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:10.653088093 CEST  33888        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:10.854491949 CEST  1337         33888      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:11.829682112 CEST  33890        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:12.031114101 CEST  1337         33890      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:15.858062029 CEST  33892        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:16.060369015 CEST  1337         33892      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:17.035085917 CEST  33894        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:17.237016916 CEST  1337         33894      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:21.064555883 CEST  33896        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:21.269349098 CEST  1337         33896      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:22.241117954 CEST  33898        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:22.447052002 CEST  1337         33898      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:26.273561001 CEST  33900        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:26.477370024 CEST  1337         33900      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:27.450782061 CEST  33902        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:27.651439905 CEST  1337         33902      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:31.480436087 CEST  33904        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:31.683672905 CEST  1337         33904      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:32.655900955 CEST  33906        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:32.865037918 CEST  1337         33906      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:36.687941074 CEST  33908        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:36.896547079 CEST  1337         33908      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:37.868525982 CEST  33910        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:38.075128078 CEST  1337         33910      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:41.902853966 CEST  33912        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:42.102843046 CEST  1337         33912      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:43.079317093 CEST  33914        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:43.283523083 CEST  1337         33914      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:47.106945992 CEST  33916        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:47.312558889 CEST  1337         33916      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:48.292279005 CEST  33918        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:48.494654894 CEST  1337         33918      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:52.316975117 CEST  33920        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:52.522252083 CEST  1337         33920      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:53.498697042 CEST  33922        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:53.705889940 CEST  1337         33922      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:57.529998064 CEST  33924        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:57.739500046 CEST  1337         33924      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:28:58.711306095 CEST  33926        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:28:58.917530060 CEST  1337         33926      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:29:02.745445967 CEST  33928        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:29:02.951855898 CEST  1337         33928      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:29:03.922372103 CEST  33930        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:29:04.130738020 CEST  1337         33930      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:29:07.956204891 CEST  33932        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:29:08.159601927 CEST  1337         33932      176.65.144.18  192.168.2.13
                        Apr 2, 2025 08:29:09.134026051 CEST  33934        1337       192.168.2.13   176.65.144.18
                        Apr 2, 2025 08:29:09.335675955 CEST  1337         33934      176.65.144.18  192.168.2.13

                        UDP packets

                        Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                        Apr 2, 2025 08:27:02.986670017 CEST  46246        53         192.168.2.13  1.1.1.1
                        Apr 2, 2025 08:27:02.986670017 CEST  47104        53         192.168.2.13  1.1.1.1
                        Apr 2, 2025 08:27:03.084243059 CEST  53           46246      1.1.1.1       192.168.2.13
                        Apr 2, 2025 08:27:03.084304094 CEST  53           47104      1.1.1.1       192.168.2.13

                        DNS queries

                        Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
                        Apr 2, 2025 08:27:02.986670017 CEST  192.168.2.13  1.1.1.1  0x70d0    Standard query (0)  daisy.ubuntu.com  A (IP address)  IN (0x0001)  false
                        Apr 2, 2025 08:27:02.986670017 CEST  192.168.2.13  1.1.1.1  0x6192    Standard query (0)  daisy.ubuntu.com  28              IN (0x0001)  false

                        DNS answers

                        Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address        Type            Class        DNS over HTTPS
                        Apr 2, 2025 08:27:03.084243059 CEST  1.1.1.1    192.168.2.13  0x70d0    No error (0)  daisy.ubuntu.com  -      162.213.35.24  A (IP address)  IN (0x0001)  false
                        Apr 2, 2025 08:27:03.084243059 CEST  1.1.1.1    192.168.2.13  0x70d0    No error (0)  daisy.ubuntu.com  -      162.213.35.25  A (IP address)  IN (0x0001)  false

                        System Behavior

                        Start time (UTC):06:27:01
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:/tmp/FBI.arm6.elf
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:01
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:01
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:01
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:01
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:01
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:03
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):06:27:03
                        Start date (UTC):02/04/2025
                        Path:/tmp/FBI.arm6.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1