
Linux Analysis Report
FBI.arm7.elf

Overview

General Information

Sample name: FBI.arm7.elf
Analysis ID: 1654267
MD5: 378b09df9a9968c82244c20384a08273
SHA1: d0aa9090227d5925eb4111fdc4d37311fbb25e47
SHA256: 7d86d8a3c9db41dff194c8183ddab9e662cb990aefdd3ffdd8109d3eb13a474a
Tags: elf, user-abuse_ch
Infos:

Detection

Gafgyt, Mirai
Score: 80
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads system version information
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654267
Start date and time: 2025-04-02 08:30:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: FBI.arm7.elf
Detection: MAL
Classification: mal80.troj.linELF@0/0@3/0
Command: /tmp/FBI.arm7.elf
PID: 5709
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
qemu: uncaught target signal 8 (Floating point exception) - core dumped
  • system is lnxubuntu20
  • systemd New Fork (PID: 5789, Parent: 1)
  • snap-failure (PID: 5789, Parent: 1, MD5: 69136a7d575731ce62349f2e4d3e5c36) Arguments: /usr/lib/snapd/snap-failure snapd
    • systemctl (PID: 5803, Parent: 5789, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop snapd.socket
  • cleanup
Malware family information (name, description, attribution, link):

Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the submitted file (source, rule, description, author):
FBI.arm7.elf, rule JoeSecurity_Gafgyt: Yara detected Gafgyt (Joe Security)
FBI.arm7.elf, rule JoeSecurity_Mirai_8: Yara detected Mirai (Joe Security)
FBI.arm7.elf, rule Linux_Trojan_Gafgyt_28a2fe0c: unknown (unknown)
FBI.arm7.elf, rule Linux_Trojan_Gafgyt_ea92cca8: unknown (unknown)
• 0x1b42c:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64

Yara matches in process memory (source, rule, description, author):
5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, rule JoeSecurity_Gafgyt: Yara detected Gafgyt (Joe Security)
5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, rule JoeSecurity_Mirai_8: Yara detected Mirai (Joe Security)
5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, rule Linux_Trojan_Gafgyt_28a2fe0c: unknown (unknown)
5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, rule Linux_Trojan_Gafgyt_ea92cca8: unknown (unknown)
• 0x1b42c:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, rule JoeSecurity_Gafgyt: Yara detected Gafgyt (Joe Security)
            No Suricata rule has matched



            AV Detection

Source: FBI.arm7.elf, Avira: detected
Source: FBI.arm7.elf, Virustotal: Detection: 63%
Source: FBI.arm7.elf, ReversingLabs: Detection: 63%

Source: global traffic, TCP traffic: 192.168.2.13:33840 -> 176.65.144.18:1337
Source: unknown, TCP traffic detected without corresponding DNS query: 176.65.144.18 (repeated for each connection attempt)
Source: global traffic, DNS traffic detected: DNS query: daisy.ubuntu.com
Source: FBI.arm7.elf, String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.arm7.elf, String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.arm7.elf, String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.arm7.elf, String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.arm7.elf, String found in binary or memory: http://www.billybobbot.com/crawler/)

            System Summary

Source: FBI.arm7.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: FBI.arm7.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5709, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5709, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5711, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5711, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5717, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5717, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5719, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5719, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5748, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5748, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5750, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm7.elf PID: 5750, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Initial sample, String containing 'busybox' found: busybox
Source: Initial sample, String containing 'busybox' found: BusyBox
Source: Initial sample, String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217
Source: ELF static info symbol of initial sample, .symtab present: no
Source: FBI.arm7.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: FBI.arm7.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5709, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5709, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5711, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5711, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5717, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5717, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5719, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5719, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5748, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5748, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5750, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16)
Source: Process Memory Space: FBI.arm7.elf PID: 5750, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8 (os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16)
Source: classification engine, Classification label: mal80.troj.linELF@0/0@3/0
Source: /usr/lib/snapd/snap-failure (PID: 5803), Systemctl executable: /usr/bin/systemctl -> systemctl stop snapd.socket
Source: /usr/lib/snapd/snap-failure (PID: 5789), Reads version info: /proc/version
Source: submitted sample, Stderr: qemu: uncaught target signal 11 (Segmentation fault) - core dumped; qemu: uncaught target signal 8 (Floating point exception) - core dumped; qemu: uncaught target signal 8 (Floating point exception) - core dumped; qemu: uncaught target signal 8 (Floating point exception) - core dumped; qemu: uncaught target signal 8 (Floating point exception) - core dumped; exit code = 0
Source: /tmp/FBI.arm7.elf (PID: 5709), Queries kernel information via 'uname'
Source: FBI.arm7.elf, 5709.1.000055f347859000.000055f3479ab000.rw-.sdmp, FBI.arm7.elf, 5711.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5717.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5719.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5748.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5750.1.000055f347859000.000055f347987000.rw-.sdmp, Binary or memory string: U!/etc/qemu-binfmt/arm
Source: FBI.arm7.elf, 5709.1.000055f347859000.000055f3479ab000.rw-.sdmp, FBI.arm7.elf, 5711.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5717.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5719.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5748.1.000055f347859000.000055f347987000.rw-.sdmp, FBI.arm7.elf, 5750.1.000055f347859000.000055f347987000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/arm
Source: FBI.arm7.elf, 5709.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5711.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5717.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5719.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5748.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5750.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-arm
Source: FBI.arm7.elf, 5717.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5719.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5748.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5750.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, Binary or memory string: qemu: uncaught target signal 8 (Floating point exception) - core dumped
Source: FBI.arm7.elf, 5711.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: FBI.arm7.elf, 5709.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5711.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5717.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5719.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5748.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, FBI.arm7.elf, 5750.1.00007ffef7ff1000.00007ffef8012000.rw-.sdmp, Binary or memory string: {x86_64/usr/bin/qemu-arm/tmp/FBI.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.arm7.elf

            Stealing of Sensitive Information

Source: Yara match; File source: FBI.arm7.elf, type: SAMPLE
Source: Yara match; File source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: FBI.arm7.elf, type: SAMPLE
Source: Yara match; File source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5709, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5711, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5717, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5719, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5750, type: MEMORYSTR
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample; User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample; User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample; User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample; User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample; User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample; User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample; User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample; User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample; User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample; User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

            Remote Access Functionality

Source: Yara match; File source: FBI.arm7.elf, type: SAMPLE
Source: Yara match; File source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: FBI.arm7.elf, type: SAMPLE
Source: Yara match; File source: 5748.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5719.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5709.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5711.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5717.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: 5750.1.00007fd9dc017000.00007fd9dc036000.r-x.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5709, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5711, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5717, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5719, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5748, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: FBI.arm7.elf PID: 5750, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count of matched signatures shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Systemd Service (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Systemd Service (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (11); System Information Discovery (1); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Data Obfuscation (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
            No configs have been found
Behavior Graph ID: 1654267 | Sample: FBI.arm7.elf | Start date: 02/04/2025 | Architecture: LINUX | Score: 80

Network nodes: 176.65.144.18 (ports 1337, 33840, 33842; PALTEL-ASPALTELAutonomousSystemPS, Germany); daisy.ubuntu.com

Signature nodes: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

Process tree (each child was started by its parent):

• FBI.arm7.elf
  • FBI.arm7.elf
    • FBI.arm7.elf
      • FBI.arm7.elf
        • FBI.arm7.elf
    • FBI.arm7.elf
      • FBI.arm7.elf
  • FBI.arm7.elf
• systemd snap-failure
  • snap-failure systemctl
  • snap-failure
Source | Detection | Scanner | Label
FBI.arm7.elf | 63% | Virustotal |
FBI.arm7.elf | 64% | ReversingLabs | Linux.Trojan.Gafgyt
FBI.arm7.elf | 100% | Avira | EXP/ELF.Mirai.Z
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.baidu.com/search/spider.html) | FBI.arm7.elf | false | | high
http://www.billybobbot.com/crawler/) | FBI.arm7.elf | false | | high
http://fast.no/support/crawler.asp) | FBI.arm7.elf | false | | high
http://feedback.redkolibri.com/ | FBI.arm7.elf | false | | high
http://www.baidu.com/search/spider.htm) | FBI.arm7.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
176.65.144.18 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.65.144.18 | FBI.mips.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.arm5.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.ppc.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.arm6.elf | malicious | Gafgyt, Mirai |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | FBI.mips.elf | malicious | Gafgyt, Mirai | 162.213.35.25
daisy.ubuntu.com | FBI.ppc.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | FBI.arm6.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | mpsl.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | arm6.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | rjfe686.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | arm.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | efefa7.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | arm7.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | weje64.elf | malicious | Unknown | 162.213.35.25

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PALTEL-ASPALTELAutonomousSystemPS | FBI.mips.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.arm5.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.ppc.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.arm6.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | clip64.dll | malicious | Amadey | 176.65.137.193
PALTEL-ASPALTELAutonomousSystemPS | clip64.dll | malicious | Amadey | 176.65.137.193
PALTEL-ASPALTELAutonomousSystemPS | cred64.dll.dll | malicious | Amadey | 176.65.137.193
PALTEL-ASPALTELAutonomousSystemPS | gLLOqKC.exe | malicious | Amadey | 176.65.137.193
PALTEL-ASPALTELAutonomousSystemPS | boatnet.ppc.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.sh4.elf | malicious | Mirai | 176.65.137.13
                                No context
                                No context
                                No created / dropped files found
                                File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                                Entropy (8bit):6.260684471250833
                                TrID:
                                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                File name:FBI.arm7.elf
                                File size:129'968 bytes
                                MD5:378b09df9a9968c82244c20384a08273
                                SHA1:d0aa9090227d5925eb4111fdc4d37311fbb25e47
                                SHA256:7d86d8a3c9db41dff194c8183ddab9e662cb990aefdd3ffdd8109d3eb13a474a
                                SHA512:ea45a1eecbafbb2e0e427d3bceb111803b2b7aed23e873460243af18f5e592cb79030262f99273819cb746920ac888d940514de78b61d08d852f8abd574fc53e
                                SSDEEP:3072:96na6nlJosoawDh6iNwaVBgqO7sCk3Xr5h/pc1n:9Sa6nlesoawF6iNwaLgYCk375ha1n
                                TLSH:14C32917F9419F42C1C325BAFB8E964933136FF8E3EB7102D9249F60278699B0E76941
                                File Content Preview:.ELF..............(.........4...........4. ...(........ph...hd..hd.. ... ........................................................... ....w..........................................Q.td..................................-...L..................G.F.G.F.G.F.G.

                                ELF header

                                Class:ELF32
                                Data:2's complement, little endian
                                Version:1 (current)
                                Machine:ARM
                                Version Number:0x1
                                Type:EXEC (Executable file)
                                OS/ABI:UNIX - System V
                                ABI Version:0
                                Entry Point Address:0x81d0
                                Flags:0x4000002
                                ELF Header Size:52
                                Program Header Offset:52
                                Program Header Size:32
                                Number of Program Headers:5
                                Section Header Offset:129208
                                Section Header Size:40
                                Number of Section Headers:19
                                Header String Table Index:18
Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80d4 | 0xd4 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80f0 | 0xf0 | 0x195ec | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x216dc | 0x196dc | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x216f0 | 0x196f0 | 0x4d60 | 0x0 | 0x2 | A | 0 | 0 | 8
.ARM.extab | PROGBITS | 0x26450 | 0x1e450 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 4
.ARM.exidx | ARM_EXIDX | 0x26468 | 0x1e468 | 0x120 | 0x0 | 0x82 | AL | 2 | 0 | 4
.eh_frame | PROGBITS | 0x2e588 | 0x1e588 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.tbss | NOBITS | 0x2e58c | 0x1e58c | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x2e58c | 0x1e58c | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x2e590 | 0x1e590 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x2e594 | 0x1e594 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data.rel.ro | PROGBITS | 0x2e598 | 0x1e598 | 0x18 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x2e5b0 | 0x1e5b0 | 0xb8 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x2e668 | 0x1e668 | 0x340 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x2e9a8 | 0x1e9a8 | 0x73c0 | 0x0 | 0x3 | WA | 0 | 0 | 8
.comment | PROGBITS | 0x0 | 0x1e9a8 | 0xe5c | 0x0 | 0x0 | | 0 | 0 | 1
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x1f804 | 0x16 | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x1f81a | 0x9e | 0x0 | 0x0 | | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
EXIDX | 0x1e468 | 0x26468 | 0x26468 | 0x120 | 0x120 | 4.5361 | 0x4 | R | 0x4 | | .ARM.exidx
LOAD | 0x0 | 0x8000 | 0x8000 | 0x1e588 | 0x1e588 | 6.2481 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD | 0x1e588 | 0x2e588 | 0x2e588 | 0x420 | 0x77e0 | 4.2245 | 0x6 | RW | 0x8000 | | .eh_frame .tbss .init_array .fini_array .jcr .data.rel.ro .got .data .bss
TLS | 0x1e58c | 0x2e58c | 0x2e58c | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | | .tbss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                                • Total Packets: 59
                                • 1337 undefined
                                • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 08:31:55.952306032 CEST | 33840 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:31:56.154722929 CEST | 1337 | 33840 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:31:57.835736990 CEST | 33842 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:31:58.039297104 CEST | 1337 | 33842 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:01.157241106 CEST | 33844 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:01.364183903 CEST | 1337 | 33844 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:02.923074007 CEST | 34806 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 08:32:03.016726017 CEST | 53 | 34806 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 08:32:03.016840935 CEST | 34806 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 08:32:03.016840935 CEST | 34806 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 08:32:03.045532942 CEST | 33848 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:03.109834909 CEST | 53 | 34806 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 08:32:03.109858036 CEST | 53 | 34806 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 08:32:03.109950066 CEST | 34806 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 08:32:03.251539946 CEST | 1337 | 33848 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:05.110707045 CEST | 53 | 34806 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 08:32:05.111022949 CEST | 34806 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 08:32:05.204587936 CEST | 53 | 34806 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 08:32:06.366365910 CEST | 33850 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:06.575836897 CEST | 1337 | 33850 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:08.253846884 CEST | 33852 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:09.282469034 CEST | 33852 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:09.485014915 CEST | 1337 | 33852 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:11.578757048 CEST | 33854 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:11.781352043 CEST | 1337 | 33854 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:14.488671064 CEST | 33856 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:14.693958044 CEST | 1337 | 33856 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:16.784213066 CEST | 33858 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:16.987251997 CEST | 1337 | 33858 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:19.696657896 CEST | 33860 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:19.902884007 CEST | 1337 | 33860 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:21.991225958 CEST | 33862 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:22.192692041 CEST | 1337 | 33862 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:24.905704975 CEST | 33864 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:25.110260010 CEST | 1337 | 33864 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:27.195697069 CEST | 33866 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:27.395615101 CEST | 1337 | 33866 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:30.113235950 CEST | 33868 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:30.319171906 CEST | 1337 | 33868 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:32.399178028 CEST | 33870 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:32.600636959 CEST | 1337 | 33870 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:35.321360111 CEST | 33872 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:35.524065018 CEST | 1337 | 33872 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:37.603188992 CEST | 33874 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:37.806546926 CEST | 1337 | 33874 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:40.528832912 CEST | 33876 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:40.732161045 CEST | 1337 | 33876 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:42.809113026 CEST | 33878 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:43.014406919 CEST | 1337 | 33878 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:45.734280109 CEST | 33880 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:45.941838026 CEST | 1337 | 33880 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:48.017702103 CEST | 33882 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:48.219129086 CEST | 1337 | 33882 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:50.944508076 CEST | 33884 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:51.150919914 CEST | 1337 | 33884 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:53.222870111 CEST | 33886 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:53.427386045 CEST | 1337 | 33886 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:56.153346062 CEST | 33888 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:56.360640049 CEST | 1337 | 33888 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:32:58.430039883 CEST | 33890 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:32:58.633697033 CEST | 1337 | 33890 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:01.363116980 CEST | 33892 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:01.569765091 CEST | 1337 | 33892 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:03.636519909 CEST | 33894 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:03.843923092 CEST | 1337 | 33894 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:06.572329998 CEST | 33896 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:06.774488926 CEST | 1337 | 33896 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:08.846873045 CEST | 33898 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:09.053648949 CEST | 1337 | 33898 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:11.776556015 CEST | 33900 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:11.983728886 CEST | 1337 | 33900 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:14.056488037 CEST | 33902 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:14.262451887 CEST | 1337 | 33902 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:16.986232042 CEST | 33904 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:17.192358017 CEST | 1337 | 33904 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:19.265249014 CEST | 33906 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:19.468583107 CEST | 1337 | 33906 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:22.195203066 CEST | 33908 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:22.401829004 CEST | 1337 | 33908 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:24.471024036 CEST | 33910 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:24.672873020 CEST | 1337 | 33910 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:27.404328108 CEST | 33912 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:27.607817888 CEST | 1337 | 33912 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:29.675515890 CEST | 33914 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:29.881536007 CEST | 1337 | 33914 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:32.609652042 CEST | 33916 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:32.818730116 CEST | 1337 | 33916 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:34.884450912 CEST | 33918 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:35.088314056 CEST | 1337 | 33918 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:37.820892096 CEST | 33920 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:38.022183895 CEST | 1337 | 33920 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:40.091552973 CEST | 33922 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:40.299998999 CEST | 1337 | 33922 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:43.024741888 CEST | 33924 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:43.228147984 CEST | 1337 | 33924 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:45.303045034 CEST | 33926 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:45.511409044 CEST | 1337 | 33926 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:48.230758905 CEST | 33928 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:48.434109926 CEST | 1337 | 33928 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:50.514578104 CEST | 33930 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:50.717905998 CEST | 1337 | 33930 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:53.436748028 CEST | 33932 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:53.640410900 CEST | 1337 | 33932 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:55.720932961 CEST | 33934 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:55.924833059 CEST | 1337 | 33934 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:33:58.642484903 CEST | 33936 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:33:58.850847960 CEST | 1337 | 33936 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:34:00.927551031 CEST | 33938 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:34:01.132467031 CEST | 1337 | 33938 | 176.65.144.18 | 192.168.2.13
Apr 2, 2025 08:34:03.853178978 CEST | 33940 | 1337 | 192.168.2.13 | 176.65.144.18
Apr 2, 2025 08:34:04.866986990 CEST | 33940 | 1337 | 192.168.2.13 | 176.65.144.18
                                Apr 2, 2025 08:34:05.071310043 CEST133733940176.65.144.18192.168.2.13
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Apr 2, 2025 08:31:57.916218042 CEST | 42565 | 53 | 192.168.2.13 | 1.1.1.1
                                Apr 2, 2025 08:31:57.916280985 CEST | 40192 | 53 | 192.168.2.13 | 1.1.1.1
                                Apr 2, 2025 08:31:58.019570112 CEST | 53 | 42565 | 1.1.1.1 | 192.168.2.13
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Apr 2, 2025 08:31:57.916218042 CEST | 192.168.2.13 | 1.1.1.1 | 0xb4ce | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
                                Apr 2, 2025 08:31:57.916280985 CEST | 192.168.2.13 | 1.1.1.1 | 0xf87f | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false
                                Apr 2, 2025 08:32:03.016840935 CEST | 192.168.2.13 | 8.8.8.8 | 0xf87f | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Apr 2, 2025 08:31:58.019570112 CEST | 1.1.1.1 | 192.168.2.13 | 0xb4ce | No error (0) | daisy.ubuntu.com | - | 162.213.35.25 | A (IP address) | IN (0x0001) | false
                                Apr 2, 2025 08:31:58.019570112 CEST | 1.1.1.1 | 192.168.2.13 | 0xb4ce | No error (0) | daisy.ubuntu.com | - | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                                System Behavior

                                Start time (UTC):06:31:55
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:/tmp/FBI.arm7.elf
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:55
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:55
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:55
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:55
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:55
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:57
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:31:57
                                Start date (UTC):02/04/2025
                                Path:/tmp/FBI.arm7.elf
                                Arguments:-
                                File size:4956856 bytes
                                MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                Start time (UTC):06:32:34
                                Start date (UTC):02/04/2025
                                Path:/usr/lib/systemd/systemd
                                Arguments:-
                                File size:1620224 bytes
                                MD5 hash:9b2bec7092a40488108543f9334aab75

                                Start time (UTC):06:32:34
                                Start date (UTC):02/04/2025
                                Path:/usr/lib/snapd/snap-failure
                                Arguments:/usr/lib/snapd/snap-failure snapd
                                File size:4764904 bytes
                                MD5 hash:69136a7d575731ce62349f2e4d3e5c36

                                Start time (UTC):06:32:34
                                Start date (UTC):02/04/2025
                                Path:/usr/lib/snapd/snap-failure
                                Arguments:-
                                File size:4764904 bytes
                                MD5 hash:69136a7d575731ce62349f2e4d3e5c36

                                Start time (UTC):06:32:34
                                Start date (UTC):02/04/2025
                                Path:/usr/bin/systemctl
                                Arguments:systemctl stop snapd.socket
                                File size:996584 bytes
                                MD5 hash:4deddfb6741481f68aeac522cc26ff4b

                                Start time (UTC):06:32:34
                                Start date (UTC):02/04/2025
                                Path:/usr/lib/snapd/snap-failure
                                Arguments:-
                                File size:4764904 bytes
                                MD5 hash:69136a7d575731ce62349f2e4d3e5c36