Edit tour

Linux Analysis Report
FBI.ppc.elf

Overview

General Information

Sample name:	FBI.ppc.elf
Analysis ID:	1654265
MD5:	e22244cc38378ba3a46adcba90fce5e3
SHA1:	361ab9694799de2bf69dd5960f4a8f466de9ce35
SHA256:	95b3ab821453f7944f5c98de0da2d9bc48331e3611cc4d20deeacbbbf326564d
Tags:	elfuser-abuse_ch
Infos:

Detection

Gafgyt, Mirai

Score:	80
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Gafgyt

Yara detected Mirai

Detected TCP or UDP traffic on non-standard ports

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are user agent strings indicative of HTTP manipulation

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654265
Start date and time:	2025-04-02 08:26:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	FBI.ppc.elf
Detection:	MAL
Classification:	mal80.troj.linELF@0/0@2/0

Runtime Messages

Command:	/tmp/FBI.ppc.elf
PID:	5490
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

FBI.ppc.elf (PID: 5490, Parent: 5414, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/FBI.ppc.elf

FBI.ppc.elf New Fork (PID: 5492, Parent: 5490)

FBI.ppc.elf New Fork (PID: 5494, Parent: 5490)

FBI.ppc.elf New Fork (PID: 5496, Parent: 5494)

FBI.ppc.elf New Fork (PID: 5498, Parent: 5496)

FBI.ppc.elf New Fork (PID: 5500, Parent: 5498)

FBI.ppc.elf New Fork (PID: 5502, Parent: 5494)

FBI.ppc.elf New Fork (PID: 5504, Parent: 5502)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
FBI.ppc.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
FBI.ppc.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
FBI.ppc.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x155a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1561c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1566c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1570c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
FBI.ppc.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x15554:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64

Memory Dumps

Source	Rule	Description	Author	Strings
5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x155a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1561c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1566c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x156f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1570c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x15554:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.ppc.elf PID: 5490	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: FBI.ppc.elf PID: 5490	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3914:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3928:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x393c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3950:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3964:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3978:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x398c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x39f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3a90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3aa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: FBI.ppc.elf PID: 5490	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x38c7:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 0x3f09:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 2 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Malware Analysis System Evasion
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FBI.ppc.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: FBI.ppc.elf	Virustotal: Detection: 64%			Perma Link
Source: FBI.ppc.elf	ReversingLabs: Detection: 63%

Source: global traffic

TCP traffic: 192.168.2.14:52950 -> 176.65.144.18:1337

Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: FBI.ppc.elf	String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.ppc.elf	String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.ppc.elf	String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.ppc.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.ppc.elf	String found in binary or memory: http://www.billybobbot.com/crawler/)

System Summary

Malicious sample detected (through community Yara rule)

Source: FBI.ppc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: FBI.ppc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.ppc.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.ppc.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: BusyBox
Source: Initial sample	String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217

Source: ELF static info symbol of initial sample

.symtab present: no

Source: FBI.ppc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: FBI.ppc.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.ppc.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.ppc.elf PID: 5490, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@2/0

Source: /tmp/FBI.ppc.elf (PID: 5490)

Queries kernel information via 'uname':

Jump to behavior

Source: FBI.ppc.elf, 5490.1.000055a9503d8000.000055a950488000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: FBI.ppc.elf, 5490.1.00007ffc2d6be000.00007ffc2d6df000.rw-.sdmp	Binary or memory string: -x86_64/usr/bin/qemu-ppc/tmp/FBI.ppc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.ppc.elf
Source: FBI.ppc.elf, 5490.1.000055a9503d8000.000055a950488000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: FBI.ppc.elf, 5490.1.00007ffc2d6be000.00007ffc2d6df000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: FBI.ppc.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: FBI.ppc.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FBI.ppc.elf PID: 5490, type: MEMORYSTR

Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample	User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample	User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample	User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match	File source: FBI.ppc.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: FBI.ppc.elf, type: SAMPLE
Source: Yara match	File source: 5490.1.00007f1c34001000.00007f1c3401a000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FBI.ppc.elf PID: 5490, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FBI.ppc.elf	64%	Virustotal		Browse
FBI.ppc.elf	64%	ReversingLabs	Linux.Backdoor.Gafgyt
FBI.ppc.elf	100%	Avira	EXP/ELF.Mirai.Z

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.baidu.com/search/spider.html)	FBI.ppc.elf	false	high
http://www.billybobbot.com/crawler/)	FBI.ppc.elf	false	high
http://fast.no/support/crawler.asp)	FBI.ppc.elf	false	high
http://feedback.redkolibri.com/	FBI.ppc.elf	false	high
http://www.baidu.com/search/spider.htm)	FBI.ppc.elf	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.65.144.18	unknown	Germany		12975	PALTEL-ASPALTELAutonomousSystemPS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.65.144.18	FBI.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	FBI.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	mpsl.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	arm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	rjfe686.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	arm.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	efefa7.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	arm7.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	weje64.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	na.elf	Get hash	malicious	Prometei	Browse	162.213.35.24
	drea4.elf	Get hash	malicious	Unknown	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PALTEL-ASPALTELAutonomousSystemPS	FBI.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	clip64.dll	Get hash	malicious	Amadey	Browse	176.65.137.193
	clip64.dll	Get hash	malicious	Amadey	Browse	176.65.137.193
	cred64.dll.dll	Get hash	malicious	Amadey	Browse	176.65.137.193
	gLLOqKC.exe	Get hash	malicious	Amadey	Browse	176.65.137.193
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	176.65.137.13
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	176.65.137.13
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	176.65.137.13
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	176.65.137.13
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	176.65.137.13

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.235021490471917
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	FBI.ppc.elf
File size:	107'848 bytes
MD5:	e22244cc38378ba3a46adcba90fce5e3
SHA1:	361ab9694799de2bf69dd5960f4a8f466de9ce35
SHA256:	95b3ab821453f7944f5c98de0da2d9bc48331e3611cc4d20deeacbbbf326564d
SHA512:	18e757e672c3398e73c09c5e3976b9e20fd72b226834c84cbe922a4dcc68c00a16ef437e138a268301a1b660cb0a9b6fc59fd783e77e6e21f4987c044fa2bcef
SSDEEP:	3072:BuwEO0ZtH4UiWorsf3IhUukStG+wRt5hKpu4:BuwEpYrsPSgwG++5h/4
TLSH:	7AB319037B0E0F83D1533DF02A7F2BF1979ABEE215A4A184651EBDC062719B32595ED8
File Content Preview:	.ELF...........................4.........4. ...(..........................................................j.........dt.Q.............................!..\|......$H...H.6....$8!. \|...N.. .!..\|.......?..........h..../...@..\?........+../...A..$8...})......N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	107248
Section Header Size:	40
Number of Section Headers:	15
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0x13738	0x0	0x6	AX	4
.fini	PROGBITS	0x100137f0	0x137f0	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x10013810	0x13810	0x4f94	0x0	0x2	A	8
.eh_frame	PROGBITS	0x100187a4	0x187a4	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x10029000	0x19000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x10029008	0x19008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x10029010	0x19010	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x10029018	0x19018	0x458	0x0	0x3	WA	8
.sdata	PROGBITS	0x10029470	0x19470	0x40	0x0	0x3	WA	4
.sbss	NOBITS	0x100294b0	0x194b0	0xb8	0x0	0x3	WA	8
.bss	NOBITS	0x10029568	0x194b0	0x653c	0x0	0x3	WA	4
.comment	PROGBITS	0x0	0x194b0	0xdda	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x1a28a	0x63	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0x187a8	0x187a8	6.3222	0x5	R E	0x10000	.init .text .fini .rodata .eh_frame
LOAD	0x19000	0x10029000	0x10029000	0x4b0	0x6aa4	3.5129	0x6	RW	0x10000	.ctors .dtors .jcr .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 85
• 1337 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 08:27:05.641155005 CEST	52950	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:05.841433048 CEST	1337	52950	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:07.580126047 CEST	52952	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:07.783435106 CEST	1337	52952	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:10.844573021 CEST	52954	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:11.045351982 CEST	1337	52954	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:12.785670042 CEST	52956	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:12.988159895 CEST	1337	52956	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:16.047334909 CEST	52958	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:16.253302097 CEST	1337	52958	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:17.989962101 CEST	52960	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:18.193393946 CEST	1337	52960	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:21.255445004 CEST	52962	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:21.459537029 CEST	1337	52962	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:23.196026087 CEST	52964	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:23.397445917 CEST	1337	52964	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:26.461872101 CEST	52966	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:26.662625074 CEST	1337	52966	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:28.399600983 CEST	52968	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:28.601454020 CEST	1337	52968	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:31.665560961 CEST	52970	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:31.866852999 CEST	1337	52970	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:33.603811026 CEST	52972	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:33.807022095 CEST	1337	52972	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:36.869380951 CEST	52974	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:37.074172020 CEST	1337	52974	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:38.809959888 CEST	52976	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:39.011315107 CEST	1337	52976	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:42.076376915 CEST	52978	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:42.281856060 CEST	1337	52978	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:44.013602972 CEST	52980	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:44.215799093 CEST	1337	52980	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:47.284218073 CEST	52982	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:47.489614964 CEST	1337	52982	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:49.218453884 CEST	52984	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:49.422041893 CEST	1337	52984	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:52.491889954 CEST	52986	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:52.695096970 CEST	1337	52986	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:54.424210072 CEST	52988	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:54.626620054 CEST	1337	52988	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:57.697504997 CEST	52990	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:57.901278019 CEST	1337	52990	176.65.144.18	192.168.2.14
Apr 2, 2025 08:27:59.628635883 CEST	52992	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:27:59.838507891 CEST	1337	52992	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:02.903328896 CEST	52994	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:03.108382940 CEST	1337	52994	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:04.841263056 CEST	52996	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:05.044673920 CEST	1337	52996	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:08.110785961 CEST	52998	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:08.313810110 CEST	1337	52998	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:10.047209978 CEST	53000	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:10.250277996 CEST	1337	53000	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:13.315869093 CEST	53002	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:13.518080950 CEST	1337	53002	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:15.252003908 CEST	53004	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:15.451936007 CEST	1337	53004	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:18.520018101 CEST	53006	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:18.721086979 CEST	1337	53006	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:20.453651905 CEST	53008	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:20.656006098 CEST	1337	53008	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:23.722888947 CEST	53010	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:23.924834967 CEST	1337	53010	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:25.658113003 CEST	53012	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:25.858782053 CEST	1337	53012	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:28.927021980 CEST	53014	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:29.128288984 CEST	1337	53014	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:30.861242056 CEST	53016	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:31.063944101 CEST	1337	53016	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:34.130471945 CEST	53018	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:34.352961063 CEST	1337	53018	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:36.065789938 CEST	53020	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:36.270772934 CEST	1337	53020	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:39.354572058 CEST	53022	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:39.574234009 CEST	1337	53022	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:41.272521973 CEST	53024	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:41.474018097 CEST	1337	53024	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:44.575908899 CEST	53026	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:44.777955055 CEST	1337	53026	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:46.475649118 CEST	53028	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:46.678075075 CEST	1337	53028	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:49.780107975 CEST	53030	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:49.980787039 CEST	1337	53030	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:51.679538012 CEST	53032	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:51.881253004 CEST	1337	53032	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:54.983081102 CEST	53034	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:55.186336040 CEST	1337	53034	176.65.144.18	192.168.2.14
Apr 2, 2025 08:28:56.883285999 CEST	53036	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:28:57.086287022 CEST	1337	53036	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:00.188184023 CEST	53038	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:00.393172979 CEST	1337	53038	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:02.088448048 CEST	53040	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:02.295721054 CEST	1337	53040	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:05.394892931 CEST	53042	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:05.595557928 CEST	1337	53042	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:07.297744036 CEST	53044	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:07.507652044 CEST	1337	53044	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:10.596807957 CEST	53046	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:10.803155899 CEST	1337	53046	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:12.509576082 CEST	53048	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:12.717483997 CEST	1337	53048	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:15.804495096 CEST	53050	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:16.010986090 CEST	1337	53050	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:17.719335079 CEST	53052	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:17.922853947 CEST	1337	53052	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:21.012527943 CEST	53054	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:22.024215937 CEST	53054	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:22.225367069 CEST	1337	53054	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:22.924942017 CEST	53056	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:23.132227898 CEST	1337	53056	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:27.227505922 CEST	53058	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:27.429224968 CEST	1337	53058	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:28.134377956 CEST	53060	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:28.336328983 CEST	1337	53060	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:32.431395054 CEST	53062	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:32.632860899 CEST	1337	53062	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:33.338630915 CEST	53064	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:33.543373108 CEST	1337	53064	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:37.634820938 CEST	53066	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:37.834777117 CEST	1337	53066	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:38.545434952 CEST	53068	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:38.747863054 CEST	1337	53068	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:42.836935043 CEST	53070	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:43.039422989 CEST	1337	53070	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:43.750006914 CEST	53072	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:43.953921080 CEST	1337	53072	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:48.041687012 CEST	53074	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:48.248966932 CEST	1337	53074	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:48.955594063 CEST	53076	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:49.157460928 CEST	1337	53076	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:53.387166023 CEST	53078	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:53.589797020 CEST	1337	53078	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:54.159214973 CEST	53080	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:54.364088058 CEST	1337	53080	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:58.700491905 CEST	53082	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:58.903712034 CEST	1337	53082	176.65.144.18	192.168.2.14
Apr 2, 2025 08:29:59.366061926 CEST	53084	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:29:59.566909075 CEST	1337	53084	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:03.905771971 CEST	53086	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:04.107789993 CEST	1337	53086	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:04.568520069 CEST	53088	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:04.771744013 CEST	1337	53088	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:09.109946966 CEST	53090	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:09.316880941 CEST	1337	53090	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:09.773724079 CEST	53092	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:09.979935884 CEST	1337	53092	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:14.318425894 CEST	53094	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:14.522289038 CEST	1337	53094	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:14.981600046 CEST	53096	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:15.188591957 CEST	1337	53096	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:19.524014950 CEST	53098	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:19.742048979 CEST	1337	53098	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:20.190207958 CEST	53100	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:20.396405935 CEST	1337	53100	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:24.743410110 CEST	53102	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:24.946477890 CEST	1337	53102	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:25.398087025 CEST	53104	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:25.602794886 CEST	1337	53104	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:29.947915077 CEST	53106	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:30.154206038 CEST	1337	53106	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:30.604531050 CEST	53108	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:30.810424089 CEST	1337	53108	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:35.155627012 CEST	53110	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:35.360522032 CEST	1337	53110	176.65.144.18	192.168.2.14
Apr 2, 2025 08:30:35.812351942 CEST	53112	1337	192.168.2.14	176.65.144.18
Apr 2, 2025 08:30:36.014853954 CEST	1337	53112	176.65.144.18	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 08:29:50.352468967 CEST	36756	53	192.168.2.14	1.1.1.1
Apr 2, 2025 08:29:50.352468967 CEST	36305	53	192.168.2.14	1.1.1.1
Apr 2, 2025 08:29:50.455918074 CEST	53	36305	1.1.1.1	192.168.2.14
Apr 2, 2025 08:29:50.456137896 CEST	53	36756	1.1.1.1	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 08:29:50.352468967 CEST	192.168.2.14	1.1.1.1	0xa2e9	Standard query (0)	daisy.ubuntu.com	A (IP address)	IN (0x0001)	false
Apr 2, 2025 08:29:50.352468967 CEST	192.168.2.14	1.1.1.1	0xd73c	Standard query (0)	daisy.ubuntu.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 08:29:50.456137896 CEST	1.1.1.1	192.168.2.14	0xa2e9	No error (0)	daisy.ubuntu.com		162.213.35.24	A (IP address)	IN (0x0001)	false
Apr 2, 2025 08:29:50.456137896 CEST	1.1.1.1	192.168.2.14	0xa2e9	No error (0)	daisy.ubuntu.com		162.213.35.25	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: FBI.ppc.elf PID: 5490, Parent PID: 5414

General

Start time (UTC):	06:27:04
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	/tmp/FBI.ppc.elf
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

File Activities

File Opened

File Read

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5492, Parent PID: 5490

General

Start time (UTC):	06:27:04
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Process Activities

Thread Sleep

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5494, Parent PID: 5490

General

Start time (UTC):	06:27:04
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

File Activities

File Opened

Process Activities

Process Forked

Prctl Requested

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5496, Parent PID: 5494

General

Start time (UTC):	06:27:04
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

File Activities

File Opened

Process Activities

Process Forked

Prctl Requested

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5498, Parent PID: 5496

General

Start time (UTC):	06:27:04
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Process Activities

Process Forked

Thread Sleep

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5500, Parent PID: 5498

General

Start time (UTC):	06:27:04
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Process Activities

Thread Sleep

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5502, Parent PID: 5494

General

Start time (UTC):	06:27:06
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Process Activities

Process Forked

Thread Sleep

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5504, Parent PID: 5502

General

Start time (UTC):	06:27:06
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.ppc.elf
Arguments:	-
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report FBI.ppc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: FBI.ppc.elf PID: 5490, Parent PID: 5414

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.ppc.elf PID: 5492, Parent PID: 5490

General

Process Activities

Linux Analysis Report
FBI.ppc.elf