
Linux Analysis Report
FBI.mips.elf

Overview

General Information

Sample name: FBI.mips.elf
Analysis ID: 1654266
MD5: d24d393bd7562006078a32fd0cc86bb2
SHA1: c6717a98cc339c03603214c667a22664af8f1c8b
SHA256: a210d3c4077e68bf1f8d8ecabd34098352aabc14e993cff345ef58cb473420bd
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai
Score: 80
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654266
Start date and time: 2025-04-02 08:27:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: FBI.mips.elf
Detection: MAL
Classification: mal80.troj.linELF@0/0@2/0
Command: /tmp/FBI.mips.elf
PID: 5521
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
  • system is lnxubuntu20
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Bashlite, Gafgyt | Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
Mirai | Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
FBI.mips.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
FBI.mips.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
FBI.mips.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
      • 0x1c984:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1c998:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1c9ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1c9c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1c9d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1c9e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1c9fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1ca9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1cab0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1cac4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1cad8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1caec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1cb00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1cb14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
FBI.mips.elf | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
      • 0x1c934:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Source | Rule | Description | Author | Strings
5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
          • 0x1c984:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1c998:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1c9ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1c9c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1c9d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1c9e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1c9fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1ca9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1cab0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1cac4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1cad8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1caec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1cb00:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1cb14:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
          • 0x1c934:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
            No Suricata rule has matched



            AV Detection

Source: FBI.mips.elf | Avira: detected
Source: FBI.mips.elf | Virustotal: Detection: 65%
Source: FBI.mips.elf | ReversingLabs: Detection: 63%
Source: global traffic | TCP traffic: 192.168.2.15:34418 -> 176.65.144.18:1337
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.18 (this entry is repeated 50 times in the original report)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: FBI.mips.elf | String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.mips.elf | String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.mips.elf | String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.mips.elf | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.mips.elf | String found in binary or memory: http://www.billybobbot.com/crawler/)

            System Summary

Source: FBI.mips.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: FBI.mips.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5521, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5521, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5529, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5529, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5531, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5531, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5576, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mips.elf PID: 5576, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: BusyBox
Source: Initial sample | String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217
Source: ELF static info symbol of initial sample | .symtab present: no
Source: FBI.mips.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: FBI.mips.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5521, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5521, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5529, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5529, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5531, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5531, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5576, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mips.elf PID: 5576, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine | Classification label: mal80.troj.linELF@0/0@2/0
Source: submitted sample | Stderr: qemu: uncaught target signal 8 (Floating point exception) - core dumpedqemu: uncaught target signal 8 (Floating point exception) - core dumpedqemu: uncaught target signal 8 (Floating point exception) - core dumpedqemu: uncaught target signal 8 (Floating point exception) - core dumped: exit code = 0
Source: /tmp/FBI.mips.elf (PID: 5521) | Queries kernel information via 'uname'
Source: FBI.mips.elf, 5521.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5529.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5531.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5574.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5576.1.000056049416e000.00005604941f5000.rw-.sdmp | Binary or memory string: V!/etc/qemu-binfmt/mips
Source: FBI.mips.elf, 5521.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5529.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5531.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5574.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5576.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp | Binary or memory string: @rx86_64/usr/bin/qemu-mips/tmp/FBI.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.mips.elf
Source: FBI.mips.elf, 5521.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5529.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5531.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5574.1.000056049416e000.00005604941f5000.rw-.sdmp, FBI.mips.elf, 5576.1.000056049416e000.00005604941f5000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mips
Source: FBI.mips.elf, 5521.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5529.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5531.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5574.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5576.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mips
Source: FBI.mips.elf, 5529.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5531.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5574.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp, FBI.mips.elf, 5576.1.00007ffcd9810000.00007ffcd9831000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 8 (Floating point exception) - core dumped

            Stealing of Sensitive Information

            Source: Yara matchFile source: FBI.mips.elf, type: SAMPLE
            Source: Yara matchFile source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: FBI.mips.elf, type: SAMPLE
            Source: Yara matchFile source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: FBI.mips.elf PID: 5521, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: FBI.mips.elf PID: 5529, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: FBI.mips.elf PID: 5531, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: FBI.mips.elf PID: 5574, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: FBI.mips.elf PID: 5576, type: MEMORYSTR
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample; User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample; User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample; User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample; User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample; User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample; User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample; User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample; User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample; User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

            Remote Access Functionality

Source: Yara match; File source: FBI.mips.elf, type: SAMPLE
Source: Yara match; File source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: FBI.mips.elf, type: SAMPLE
Source: Yara match; File source: 5576.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5531.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5574.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5521.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5529.1.00007f5c0c400000.00007f5c0c420000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FBI.mips.elf PID: 5521, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.mips.elf PID: 5529, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.mips.elf PID: 5531, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.mips.elf PID: 5574, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.mips.elf PID: 5576, type: MEMORYSTR
ATT&CK matrix (techniques listed per tactic; a leading number is the match count as shown in the report):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Defense Evasion: Direct Volume Access, Rootkit, Obfuscated Files or Information, Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: 11 Security Software Discovery, Application Window Discovery, Query Registry, System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: 1 Data Obfuscation, 1 Non-Standard Port, 1 Non-Application Layer Protocol, 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
            No configs have been found
Behavior Graph (ID 1654266; sample FBI.mips.elf; start date 02/04/2025; architecture LINUX; score 80): the sample contacts 176.65.144.18 (ports 1337, 34418, 34420; PALTEL-ASPALTELAutonomousSystemPS, Germany) and daisy.ubuntu.com; signatures shown on the graph: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, 2 other signatures; FBI.mips.elf starts a chain of child FBI.mips.elf processes.

Source        Detection  Scanner        Label
FBI.mips.elf  66%        Virustotal
FBI.mips.elf  64%        ReversingLabs  Linux.Backdoor.Gafgyt
FBI.mips.elf  100%       Avira          EXP/ELF.Mirai.Z
No Antivirus matches


Name              IP             Active  Malicious  Reputation
daisy.ubuntu.com  162.213.35.25  true    false      high

Name                                      Source        Malicious  Reputation
http://www.baidu.com/search/spider.html)  FBI.mips.elf  false      high
http://www.billybobbot.com/crawler/)      FBI.mips.elf  false      high
http://fast.no/support/crawler.asp)       FBI.mips.elf  false      high
http://feedback.redkolibri.com/           FBI.mips.elf  false      high
http://www.baidu.com/search/spider.htm)   FBI.mips.elf  false      high
IP             Domain   Country  ASN    ASN Name                           Malicious
176.65.144.18  unknown  Germany  12975  PALTEL-ASPALTELAutonomousSystemPS  false
Context for 176.65.144.18 (associated sample name: detection, threat name):
• FBI.arm5.elf: malicious, Gafgyt, Mirai
• FBI.ppc.elf: malicious, Gafgyt, Mirai
• FBI.arm6.elf: malicious, Gafgyt, Mirai

Context for daisy.ubuntu.com (associated sample name: detection, threat name; resolved IP in that analysis):
• FBI.ppc.elf: malicious, Gafgyt, Mirai; 162.213.35.24
• FBI.arm6.elf: malicious, Gafgyt, Mirai; 162.213.35.24
• mpsl.elf: malicious, Unknown; 162.213.35.25
• arm6.elf: malicious, Unknown; 162.213.35.25
• rjfe686.elf: malicious, Unknown; 162.213.35.25
• arm.elf: malicious, Mirai; 162.213.35.25
• efefa7.elf: malicious, Mirai; 162.213.35.24
• arm7.elf: malicious, Mirai; 162.213.35.24
• weje64.elf: malicious, Unknown; 162.213.35.25
• na.elf: malicious, Prometei; 162.213.35.24

Context for PALTEL-ASPALTELAutonomousSystemPS (associated sample name: detection, threat name; IP in that analysis):
• FBI.arm5.elf: malicious, Gafgyt, Mirai; 176.65.144.18
• FBI.ppc.elf: malicious, Gafgyt, Mirai; 176.65.144.18
• FBI.arm6.elf: malicious, Gafgyt, Mirai; 176.65.144.18
• clip64.dll: malicious, Amadey; 176.65.137.193
• clip64.dll: malicious, Amadey; 176.65.137.193
• cred64.dll.dll: malicious, Amadey; 176.65.137.193
• gLLOqKC.exe: malicious, Amadey; 176.65.137.193
• boatnet.ppc.elf: malicious, Mirai; 176.65.137.13
• boatnet.sh4.elf: malicious, Mirai; 176.65.137.13
• boatnet.m68k.elf: malicious, Mirai; 176.65.137.13

No context
                              No created / dropped files found
                              File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                              Entropy (8bit):5.5657792571427676
                              TrID:
                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                              File name:FBI.mips.elf
                              File size:148'064 bytes
                              MD5:d24d393bd7562006078a32fd0cc86bb2
                              SHA1:c6717a98cc339c03603214c667a22664af8f1c8b
                              SHA256:a210d3c4077e68bf1f8d8ecabd34098352aabc14e993cff345ef58cb473420bd
                              SHA512:891862f89b8232b1921e5fc7afc8ccd1f0d1e389c45da8e37160d010bbebb5bc35ac8447da7bac5c39aba8f9d59f3e81895e12d6159ef7dae096d5d89266d26a
                              SSDEEP:3072:F7iL2tEmEh02tKMMHqVtevuAawqIcq88Ek32oQKqqc5hspZC:F7iJmEh02tKMMHqVtevo+Z3Bbzq95hWC
                              TLSH:5EE3971A7E21DF7FF559823047B38E30969836E636E18585F26CE6481E7138E241FBE4
                              File Content Preview:.ELF.....................@.....4..?h.....4. ...(....p........@...@...........................@...@...........................E...E........vx........dt.Q.................................................F.P<...'......!'.......................<...'..`...!...

                              ELF header

                              Class:ELF32
                              Data:2's complement, big endian
                              Version:1 (current)
                              Machine:MIPS R3000
                              Version Number:0x1
                              Type:EXEC (Executable file)
                              OS/ABI:UNIX - System V
                              ABI Version:0
                              Entry Point Address:0x4002a0
                              Flags:0x1007
                              ELF Header Size:52
                              Program Header Offset:52
                              Program Header Size:32
                              Number of Program Headers:4
                              Section Header Offset:147304
                              Section Header Size:40
                              Number of Section Headers:19
                              Header String Table Index:18
Name           Type          Address   Offset   Size     EntSize  Flags       Flags Description  Link  Info  Align
               NULL          0x0       0x0      0x0      0x0      0x0                            0     0     0
.reginfo       MIPS_REGINFO  0x4000b4  0xb4     0x18     0x18     0x2         A                  0     0     4
.init          PROGBITS      0x4000cc  0xcc     0x8c     0x0      0x6         AX                 0     0     4
.text          PROGBITS      0x400160  0x160    0x1aa30  0x0      0x6         AX                 0     0     16
.fini          PROGBITS      0x41ab90  0x1ab90  0x5c     0x0      0x6         AX                 0     0     4
.rodata        PROGBITS      0x41abf0  0x1abf0  0x4c08   0x0      0x2         A                  0     0     16
.eh_frame      PROGBITS      0x41f7f8  0x1f7f8  0x4      0x0      0x2         A                  0     0     4
.ctors         PROGBITS      0x45f7fc  0x1f7fc  0x8      0x0      0x3         WA                 0     0     4
.dtors         PROGBITS      0x45f804  0x1f804  0x8      0x0      0x3         WA                 0     0     4
.jcr           PROGBITS      0x45f80c  0x1f80c  0x4      0x0      0x3         WA                 0     0     4
.data.rel.ro   PROGBITS      0x45f810  0x1f810  0x4f4    0x0      0x3         WA                 0     0     4
.data          PROGBITS      0x45fd10  0x1fd10  0x550    0x0      0x3         WA                 0     0     16
.got           PROGBITS      0x460260  0x20260  0x5a4    0x4      0x10000003  WAp                0     0     16
.sbss          NOBITS        0x460804  0x20804  0x24     0x0      0x10000003  WAp                0     0     4
.bss           NOBITS        0x460830  0x20804  0x6644   0x0      0x3         WA                 0     0     16
.comment       PROGBITS      0x0       0x20804  0xdb6    0x0      0x0                            0     0     1
.mdebug.abi32  PROGBITS      0xdb6     0x215ba  0x0      0x0      0x0                            0     0     1
.pdr           PROGBITS      0x0       0x215bc  0x2920   0x0      0x0                            0     0     4
.shstrtab      STRTAB        0x0       0x23edc  0x8a     0x0      0x0                            0     0     1
Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
<unknown>  0xb4     0x4000b4         0x4000b4          0x18       0x18         0.9834   0x4    R                  0x4                        .reginfo
LOAD       0x0      0x400000         0x400000          0x1f7fc    0x1f7fc      5.6779   0x5    R E                0x10000                    .reginfo .init .text .fini .rodata .eh_frame
LOAD       0x1f7fc  0x45f7fc         0x45f7fc          0x1008     0x7678       4.4332   0x6    RW                 0x10000                    .ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


                              • Total Packets: 85
                              • 1337 undefined
                              • 53 (DNS)
                              Apr 2, 2025 08:31:20.210237026 CEST345741337192.168.2.15176.65.144.18
                              Apr 2, 2025 08:31:20.411976099 CEST133734574176.65.144.18192.168.2.15
                              Apr 2, 2025 08:31:22.261460066 CEST345761337192.168.2.15176.65.144.18
                              Apr 2, 2025 08:31:22.466021061 CEST133734576176.65.144.18192.168.2.15
                              Apr 2, 2025 08:31:25.414464951 CEST345781337192.168.2.15176.65.144.18
                              Apr 2, 2025 08:31:25.619304895 CEST133734578176.65.144.18192.168.2.15
                              Apr 2, 2025 08:31:27.468760967 CEST345801337192.168.2.15176.65.144.18
                              Apr 2, 2025 08:31:27.675060034 CEST133734580176.65.144.18192.168.2.15
                              Apr 2, 2025 08:31:30.622216940 CEST345821337192.168.2.15176.65.144.18
                              Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
                              Apr 2, 2025 08:27:57.875659943 CEST | 48208       | 53        | 192.168.2.15 | 8.8.8.8
                              Apr 2, 2025 08:27:57.875763893 CEST | 44550       | 53        | 192.168.2.15 | 8.8.8.8
                              Apr 2, 2025 08:27:57.972378969 CEST | 53          | 44550     | 8.8.8.8      | 192.168.2.15
                              Apr 2, 2025 08:27:57.973716021 CEST | 53          | 48208     | 8.8.8.8      | 192.168.2.15
                              Timestamp                           | Source IP    | Dest IP | Trans ID | OP Code            | Name             | Type           | Class       | DNS over HTTPS
                              Apr 2, 2025 08:27:57.875659943 CEST | 192.168.2.15 | 8.8.8.8 | 0xbeef   | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                              Apr 2, 2025 08:27:57.875763893 CEST | 192.168.2.15 | 8.8.8.8 | 0x43d6   | Standard query (0) | daisy.ubuntu.com | 28             | IN (0x0001) | false
                              Timestamp                           | Source IP | Dest IP      | Trans ID | Reply Code   | Name             | CName | Address       | Type           | Class       | DNS over HTTPS
                              Apr 2, 2025 08:27:57.973716021 CEST | 8.8.8.8   | 192.168.2.15 | 0xbeef   | No error (0) | daisy.ubuntu.com |       | 162.213.35.25 | A (IP address) | IN (0x0001) | false
                              Apr 2, 2025 08:27:57.973716021 CEST | 8.8.8.8   | 192.168.2.15 | 0xbeef   | No error (0) | daisy.ubuntu.com |       | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                              System Behavior

                              Start time (UTC):06:27:56
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:/tmp/FBI.mips.elf
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:56
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:56
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:56
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:56
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:56
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:58
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c

                              Start time (UTC):06:27:58
                              Start date (UTC):02/04/2025
                              Path:/tmp/FBI.mips.elf
                              Arguments:-
                              File size:5777432 bytes
                              MD5 hash:0083f1f0e77be34ad27f849842bbb00c