Linux
Analysis Report
FBI.x86.elf
Overview
General Information
Sample name: | FBI.x86.elf |
Analysis ID: | 1654268 |
MD5: | ed5d64cc0407dfb432e9216ba6432828 |
SHA1: | 52a92e6851041b6c6c9afb6a1f2844231b8bed27 |
SHA256: | 61346160a4c3d2f06d9636ea00a498fbf1809e58a6c1c673cc884c0cc66e0380 |
Tags: | elf, user-abuse_ch |
Detection
Gafgyt, Mirai
Score: | 80 |
Range: | 0 - 100 |
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Yara signature match
Classification
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1654268 |
Start date and time: | 2025-04-02 08:30:44 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 58s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11) |
Analysis Mode: | default |
Sample name: | FBI.x86.elf |
Detection: | MAL |
Classification: | mal80.troj.linELF@0/0@0/0 |
Command: | /tmp/FBI.x86.elf |
PID: | 6258 |
Exit Code: | 0 |
Exit Code Info: | |
Killed: | False |
Standard Output: | |
Standard Error: |
- system is lnxubuntu20
- FBI.x86.elf New Fork (PID: 6259, Parent: 6258)
- FBI.x86.elf New Fork (PID: 6260, Parent: 6258)
- FBI.x86.elf New Fork (PID: 6261, Parent: 6260)
- FBI.x86.elf New Fork (PID: 6262, Parent: 6261)
- FBI.x86.elf New Fork (PID: 6264, Parent: 6262)
- FBI.x86.elf New Fork (PID: 6285, Parent: 6260)
- FBI.x86.elf New Fork (PID: 6286, Parent: 6285)
- dash New Fork (PID: 6341, Parent: 4331)
- dash New Fork (PID: 6342, Parent: 4331)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Bashlite, Gafgyt | Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. | No Attribution | | |
Mirai | Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security | |
| JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security | |
| Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown | |
| Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown | |
| Linux_Trojan_Mirai_389ee3e9 | unknown | unknown | |
⊘No Suricata rule has matched
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: |
Networking |
---|
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Network traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | String containing 'busybox' found: |
Source: | .symtab present: |
Source: | Matched rule: |
Source: | Classification label: |
Persistence and Installation Behavior |
---|
Source: | Rm executable: |
Source: | Rm executable: |
Stealing of Sensitive Information |
---|
Source: | File source: |
Source: | File source: |
Source: | User agent string found: |
Remote Access Functionality |
---|
Source: | File source: |
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 File Deletion | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 1 Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 62% | Virustotal | | Browse |
| 67% | ReversingLabs | Linux.Backdoor.DemonBot | |
| 100% | Avira | EXP/ELF.Mirai.Z | |
⊘No Antivirus matches
⊘No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
34.249.145.219 | unknown | United States | 16509 | AMAZON-02US | false | |
176.65.144.18 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false | |
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false | |
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false | |
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false |
⊘No created / dropped files found
Entropy (8bit): | 6.685522313123784 |
File name: | FBI.x86.elf |
File size: | 91'212 bytes |
MD5: | ed5d64cc0407dfb432e9216ba6432828 |
SHA1: | 52a92e6851041b6c6c9afb6a1f2844231b8bed27 |
SHA256: | 61346160a4c3d2f06d9636ea00a498fbf1809e58a6c1c673cc884c0cc66e0380 |
SHA512: | 4df111b60981192592572b081f1362e6fc11e9833f469fc4285e3e9d75d6c118a5753a027d8a3747e1c6a873ffc3a1e62872ffd7abc488a02c2bcd1f13e21f59 |
SSDEEP: | 1536:1DbHrBPQsMnbMarLyEeHu7OUvsEyabYB5b2LV2xOqnJ33xZuEgk:ZfzuMarLYu7EEY/2JOJ3BZun |
TLSH: | C3933BDAFA42CEB3D06310F116EA6B218971F9FB1C23D682D7647DB09D111C19A16FAC |
File Content Preview: | .ELF....................d...4....b......4. ...(.....................`K..`K...............P...............m..........Q.td............................U..S.......wO...h........[]...$.............U......= ....t..5....$......$.......u........t....h\........... |
ELF header | |
---|---|
ABI Version: | 0 |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 3 |
Section Header Offset: | 90652 |
Section Header Size: | 40 |
Number of Section Headers: | 14 |
Header String Table Index: | 13 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
| NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0 |
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1 |
.text | PROGBITS | 0x80480b0 | 0xb0 | 0xfdc8 | 0x0 | 0x6 | AX | 0 | 0 | 16 |
.fini | PROGBITS | 0x8057e78 | 0xfe78 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1 |
.rodata | PROGBITS | 0x8057ea0 | 0xfea0 | 0x4cbb | 0x0 | 0x2 | A | 0 | 0 | 32 |
.eh_frame | PROGBITS | 0x805cb5c | 0x14b5c | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ctors | PROGBITS | 0x805d000 | 0x15000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.dtors | PROGBITS | 0x805d008 | 0x15008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.jcr | PROGBITS | 0x805d010 | 0x15010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.got.plt | PROGBITS | 0x805d014 | 0x15014 | 0xc | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x805d020 | 0x15020 | 0x3f8 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.bss | NOBITS | 0x805d420 | 0x15418 | 0x6964 | 0x0 | 0x3 | WA | 0 | 0 | 32 |
.comment | PROGBITS | 0x0 | 0x15418 | 0xda4 | 0x0 | 0x0 | | 0 | 0 | 1 |
.shstrtab | STRTAB | 0x0 | 0x161bc | 0x5f | 0x0 | 0x0 | | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x14b60 | 0x14b60 | 6.7606 | 0x5 | R E | 0x1000 | .init .text .fini .rodata .eh_frame | |
LOAD | 0x15000 | 0x805d000 | 0x805d000 | 0x418 | 0x6d84 | 3.9310 | 0x6 | RW | 0x1000 | .ctors .dtors .jcr .got.plt .data .bss | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |
- Total Packets: 61
System Behavior
Start time (UTC) | Start date (UTC) | Path | Arguments | File size | MD5 hash |
---|---|---|---|---|---|
06:31:48 | 02/04/2025 | /tmp/FBI.x86.elf | /tmp/FBI.x86.elf | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:48 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:48 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:48 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:48 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:48 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:50 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:31:50 | 02/04/2025 | /tmp/FBI.x86.elf | - | 91212 bytes | ed5d64cc0407dfb432e9216ba6432828 |
06:32:52 | 02/04/2025 | /usr/bin/dash | - | 129816 bytes | 1e6b1c887c59a315edb7eb9a315fc84c |
06:32:52 | 02/04/2025 | /usr/bin/rm | rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQO | 72056 bytes | aa2b5496fdbfd88e38791ab81f90b95b |
06:32:52 | 02/04/2025 | /usr/bin/dash | - | 129816 bytes | 1e6b1c887c59a315edb7eb9a315fc84c |
06:32:52 | 02/04/2025 | /usr/bin/rm | rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQO | 72056 bytes | aa2b5496fdbfd88e38791ab81f90b95b |