Joe Sandbox Cloud Basic Analysis Report
Edit tour

Linux Analysis Report
FBI.x86.elf

Overview

General Information

Sample name:FBI.x86.elf
Analysis ID:1654268
MD5:ed5d64cc0407dfb432e9216ba6432828
SHA1:52a92e6851041b6c6c9afb6a1f2844231b8bed27
SHA256:61346160a4c3d2f06d9636ea00a498fbf1809e58a6c1c673cc884c0cc66e0380
Tags:elfuser-abuse_ch
Infos:

Detection

Gafgyt, Mirai
Score:80
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1654268
Start date and time:2025-04-02 08:30:44 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 58s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:FBI.x86.elf
Detection:MAL
Classification:mal80.troj.linELF@0/0@0/0

Runtime Messages

Command:/tmp/FBI.x86.elf
PID:6258
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 6341, Parent: 4331)
  • rm (PID: 6341, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQO
  • dash New Fork (PID: 6342, Parent: 4331)
  • rm (PID: 6342, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQO
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Bashlite, GafgytBashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
FBI.x86.elfJoeSecurity_GafgytYara detected GafgytJoe Security
    FBI.x86.elfJoeSecurity_Mirai_8Yara detected MiraiJoe Security
      FBI.x86.elfLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
      • 0x11928:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1193c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11950:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11964:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11978:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1198c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x119a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x119b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x119c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x119dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x119f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11a90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11aa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x11ab8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      FBI.x86.elfLinux_Trojan_Gafgyt_ea92cca8unknownunknown
      • 0x118da:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
      FBI.x86.elfLinux_Trojan_Mirai_389ee3e9unknownunknown
      • 0xbc50:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      6258.1.0000000008048000.000000000805d000.r-x.sdmpJoeSecurity_GafgytYara detected GafgytJoe Security
        6258.1.0000000008048000.000000000805d000.r-x.sdmpJoeSecurity_Mirai_8Yara detected MiraiJoe Security
          6258.1.0000000008048000.000000000805d000.r-x.sdmpLinux_Trojan_Gafgyt_28a2fe0cunknownunknown
          • 0x11928:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1193c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11950:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11964:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11978:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1198c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x119a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x119b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x119c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x119dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x119f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11a90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11aa4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x11ab8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          6258.1.0000000008048000.000000000805d000.r-x.sdmpLinux_Trojan_Gafgyt_ea92cca8unknownunknown
          • 0x118da:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
          6258.1.0000000008048000.000000000805d000.r-x.sdmpLinux_Trojan_Mirai_389ee3e9unknownunknown
          • 0xbc50:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
          Click to see the 43 entries

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          • AV Detection
          • Networking
          • System Summary
          • Persistence and Installation Behavior
          • Stealing of Sensitive Information
          • Remote Access Functionality

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: FBI.x86.elfAvira: detected
          Source: FBI.x86.elfVirustotal: Detection: 62%Perma Link
          Source: FBI.x86.elfReversingLabs: Detection: 66%
          Source: global trafficTCP traffic: 192.168.2.23:36256 -> 176.65.144.18:1337
          Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
          Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
          Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.42
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 34.249.145.219
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: unknownTCP traffic detected without corresponding DNS query: 176.65.144.18
          Source: FBI.x86.elfString found in binary or memory: http://fast.no/support/crawler.asp)
          Source: FBI.x86.elfString found in binary or memory: http://feedback.redkolibri.com/
          Source: FBI.x86.elfString found in binary or memory: http://www.baidu.com/search/spider.htm)
          Source: FBI.x86.elfString found in binary or memory: http://www.baidu.com/search/spider.html)
          Source: FBI.x86.elfString found in binary or memory: http://www.billybobbot.com/crawler/)
          Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 39256
          Source: unknownNetwork traffic detected: HTTP traffic on port 39256 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443

          System Summary

          barindex
          Source: FBI.x86.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: FBI.x86.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: FBI.x86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6258, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6258, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6259, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6259, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6262, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6262, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6264, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6264, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6285, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6285, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6286, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
          Source: Process Memory Space: FBI.x86.elf PID: 6286, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
          Source: Initial sampleString containing 'busybox' found: busybox
          Source: Initial sampleString containing 'busybox' found: BusyBox
          Source: Initial sampleString containing 'busybox' found: 20+!g}]/proc/self/maps/proc//root//tmp//var/run/mnt/BinsccountoginnterhraseordshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217
          Source: ELF static info symbol of initial sample.symtab present: no
          Source: FBI.x86.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: FBI.x86.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: FBI.x86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
          Source: Process Memory Space: FBI.x86.elf PID: 6258, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6258, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6259, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6259, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6262, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6262, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6264, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6264, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6285, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6285, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6286, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
          Source: Process Memory Space: FBI.x86.elf PID: 6286, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
          Source: classification engineClassification label: mal80.troj.linELF@0/0@0/0
          Source: /usr/bin/dash (PID: 6341)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQOJump to behavior
          Source: /usr/bin/dash (PID: 6342)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQOJump to behavior

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: FBI.x86.elf, type: SAMPLE
          Source: Yara matchFile source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: FBI.x86.elf, type: SAMPLE
          Source: Yara matchFile source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6258, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6259, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6262, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6264, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6285, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6286, type: MEMORYSTR
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
          Source: Initial sampleUser agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
          Source: Initial sampleUser agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
          Source: Initial sampleUser agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
          Source: Initial sampleUser agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: FBI.x86.elf, type: SAMPLE
          Source: Yara matchFile source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: FBI.x86.elf, type: SAMPLE
          Source: Yara matchFile source: 6258.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6259.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6262.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6285.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6264.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: 6286.1.0000000008048000.000000000805d000.r-x.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6258, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6259, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6262, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6264, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6285, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: FBI.x86.elf PID: 6286, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
          File Deletion          		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
          Data Obfuscation          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
          Non-Standard Port          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
          Application Layer Protocol          		Traffic DuplicationData Destruction

          Malware Configuration

          No configs have been found

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Number of created Files
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1654268 Sample: FBI.x86.elf Startdate: 02/04/2025 Architecture: LINUX Score: 80 30 176.65.144.18, 1337, 36256, 36258 PALTEL-ASPALTELAutonomousSystemPS Germany 2->30 32 109.202.202.202, 80 INIT7CH Switzerland 2->32 34 3 other IPs or domains 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 2 other signatures 2->42 10 FBI.x86.elf 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 FBI.x86.elf 10->16         started        18 FBI.x86.elf 10->18         started        process6 20 FBI.x86.elf 16->20         started        22 FBI.x86.elf 16->22         started        process7 24 FBI.x86.elf 20->24         started        26 FBI.x86.elf 22->26         started        process8 28 FBI.x86.elf 24->28         started       

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          FBI.x86.elf62%VirustotalBrowse
          FBI.x86.elf67%ReversingLabsLinux.Backdoor.DemonBot
          FBI.x86.elf100%AviraEXP/ELF.Mirai.Z

          Dropped Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Download Network PCAP: filteredfull

          Contacted Domains

          No contacted domains info
          NameSourceMaliciousAntivirus DetectionReputation
          http://www.baidu.com/search/spider.html)FBI.x86.elffalse
            		high
            http://www.billybobbot.com/crawler/)FBI.x86.elffalse
              		high
              http://fast.no/support/crawler.asp)FBI.x86.elffalse
                		high
                http://feedback.redkolibri.com/FBI.x86.elffalse
                  		high
                  http://www.baidu.com/search/spider.htm)FBI.x86.elffalse
                    		high

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    34.249.145.219
                    		unknownUnited States
                    		16509AMAZON-02USfalse
                    176.65.144.18
                    		unknownGermany
                    		12975PALTEL-ASPALTELAutonomousSystemPSfalse
                    109.202.202.202
                    		unknownSwitzerland
                    		13030INIT7CHfalse
                    91.189.91.43
                    		unknownUnited Kingdom
                    		41231CANONICAL-ASGBfalse
                    91.189.91.42
                    		unknownUnited Kingdom
                    		41231CANONICAL-ASGBfalse

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    34.249.145.219FBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                      na.elfGet hashmaliciousPrometeiBrowse
                        na.elfGet hashmaliciousPrometeiBrowse
                          efefa7.elfGet hashmaliciousMiraiBrowse
                            sh4.elfGet hashmaliciousUnknownBrowse
                              arm5.elfGet hashmaliciousUnknownBrowse
                                na.elfGet hashmaliciousPrometeiBrowse
                                  na.elfGet hashmaliciousPrometeiBrowse
                                    na.elfGet hashmaliciousPrometeiBrowse
                                      na.elfGet hashmaliciousPrometeiBrowse
                                        176.65.144.18FBI.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                          FBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                            FBI.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                              FBI.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                109.202.202.202kpLwzBouH4.elfGet hashmaliciousUnknownBrowse
                                                • ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
                                                91.189.91.43FBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                  na.elfGet hashmaliciousPrometeiBrowse
                                                    na.elfGet hashmaliciousPrometeiBrowse
                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                        arm5.elfGet hashmaliciousUnknownBrowse
                                                          rjfe686.elfGet hashmaliciousUnknownBrowse
                                                            aarch64.elfGet hashmaliciousMiraiBrowse
                                                              sh4.elfGet hashmaliciousUnknownBrowse
                                                                efefa7.elfGet hashmaliciousMiraiBrowse
                                                                  mips.elfGet hashmaliciousUnknownBrowse
                                                                    91.189.91.42FBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                          na.elfGet hashmaliciousPrometeiBrowse
                                                                            arm5.elfGet hashmaliciousUnknownBrowse
                                                                              rjfe686.elfGet hashmaliciousUnknownBrowse
                                                                                aarch64.elfGet hashmaliciousMiraiBrowse
                                                                                  sh4.elfGet hashmaliciousUnknownBrowse
                                                                                    efefa7.elfGet hashmaliciousMiraiBrowse
                                                                                      mips.elfGet hashmaliciousUnknownBrowse

                                                                                        Domains

                                                                                        No context

                                                                                        ASNs

                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        PALTEL-ASPALTELAutonomousSystemPSFBI.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 176.65.144.18
                                                                                        FBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 176.65.144.18
                                                                                        FBI.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 176.65.144.18
                                                                                        FBI.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 176.65.144.18
                                                                                        clip64.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 176.65.137.193
                                                                                        clip64.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 176.65.137.193
                                                                                        cred64.dll.dllGet hashmaliciousAmadeyBrowse
                                                                                        • 176.65.137.193
                                                                                        gLLOqKC.exeGet hashmaliciousAmadeyBrowse
                                                                                        • 176.65.137.193
                                                                                        boatnet.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                        • 176.65.137.13
                                                                                        boatnet.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                        • 176.65.137.13
                                                                                        CANONICAL-ASGBFBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 91.189.91.42
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 91.189.91.42
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 91.189.91.42
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 91.189.91.42
                                                                                        arm5.elfGet hashmaliciousUnknownBrowse
                                                                                        • 91.189.91.42
                                                                                        rjfe686.elfGet hashmaliciousUnknownBrowse
                                                                                        • 91.189.91.42
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 185.125.190.26
                                                                                        aarch64.elfGet hashmaliciousMiraiBrowse
                                                                                        • 91.189.91.42
                                                                                        vejfa5.elfGet hashmaliciousUnknownBrowse
                                                                                        • 185.125.190.26
                                                                                        sh4.elfGet hashmaliciousUnknownBrowse
                                                                                        • 91.189.91.42
                                                                                        INIT7CHFBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 109.202.202.202
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 109.202.202.202
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 109.202.202.202
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 109.202.202.202
                                                                                        arm5.elfGet hashmaliciousUnknownBrowse
                                                                                        • 109.202.202.202
                                                                                        rjfe686.elfGet hashmaliciousUnknownBrowse
                                                                                        • 109.202.202.202
                                                                                        aarch64.elfGet hashmaliciousMiraiBrowse
                                                                                        • 109.202.202.202
                                                                                        sh4.elfGet hashmaliciousUnknownBrowse
                                                                                        • 109.202.202.202
                                                                                        efefa7.elfGet hashmaliciousMiraiBrowse
                                                                                        • 109.202.202.202
                                                                                        mips.elfGet hashmaliciousUnknownBrowse
                                                                                        • 109.202.202.202
                                                                                        AMAZON-02USFBI.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                        • 34.249.145.219
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 34.249.145.219
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 34.249.145.219
                                                                                        arm6.elfGet hashmaliciousUnknownBrowse
                                                                                        • 54.247.62.1
                                                                                        full folder details request quotation.exeGet hashmaliciousFormBookBrowse
                                                                                        • 13.248.169.48
                                                                                        na.elfGet hashmaliciousPrometeiBrowse
                                                                                        • 54.247.62.1
                                                                                        Payment Remittance.pdfGet hashmaliciousUnknownBrowse
                                                                                        • 3.168.73.96
                                                                                        OC-8563 PURCHASE ORDER.exeGet hashmaliciousFormBookBrowse
                                                                                        • 13.248.169.48
                                                                                        SHIPPING DOCUMENT.exeGet hashmaliciousFormBookBrowse
                                                                                        • 13.248.169.48
                                                                                        vejfa5.elfGet hashmaliciousUnknownBrowse
                                                                                        • 34.243.160.129

                                                                                        JA3 Fingerprints

                                                                                        No context

                                                                                        Dropped Files

                                                                                        No context

                                                                                        Created / dropped Files

                                                                                        No created / dropped files found

                                                                                        Static File Info

                                                                                        General

                                                                                        File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
                                                                                        Entropy (8bit):6.685522313123784
                                                                                        TrID:
                                                                                        • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                                                                        • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                                                                        File name:FBI.x86.elf
                                                                                        File size:91'212 bytes
                                                                                        MD5:ed5d64cc0407dfb432e9216ba6432828
                                                                                        SHA1:52a92e6851041b6c6c9afb6a1f2844231b8bed27
                                                                                        SHA256:61346160a4c3d2f06d9636ea00a498fbf1809e58a6c1c673cc884c0cc66e0380
                                                                                        SHA512:4df111b60981192592572b081f1362e6fc11e9833f469fc4285e3e9d75d6c118a5753a027d8a3747e1c6a873ffc3a1e62872ffd7abc488a02c2bcd1f13e21f59
                                                                                        SSDEEP:1536:1DbHrBPQsMnbMarLyEeHu7OUvsEyabYB5b2LV2xOqnJ33xZuEgk:ZfzuMarLYu7EEY/2JOJ3BZun
                                                                                        TLSH:C3933BDAFA42CEB3D06310F116EA6B218971F9FB1C23D682D7647DB09D111C19A16FAC
                                                                                        File Content Preview:.ELF....................d...4....b......4. ...(.....................`K..`K...............P...............m..........Q.td............................U..S.......wO...h........[]...$.............U......= ....t..5....$......$.......u........t....h\...........

                                                                                        Static ELF Info

                                                                                        ELF header

                                                                                        Class:ELF32
                                                                                        Data:2's complement, little endian
                                                                                        Version:1 (current)
                                                                                        Machine:Intel 80386
                                                                                        Version Number:0x1
                                                                                        Type:EXEC (Executable file)
                                                                                        OS/ABI:UNIX - System V
                                                                                        ABI Version:0
                                                                                        Entry Point Address:0x8048164
                                                                                        Flags:0x0
                                                                                        ELF Header Size:52
                                                                                        Program Header Offset:52
                                                                                        Program Header Size:32
                                                                                        Number of Program Headers:3
                                                                                        Section Header Offset:90652
                                                                                        Section Header Size:40
                                                                                        Number of Section Headers:14
                                                                                        Header String Table Index:13

                                                                                        Sections

                                                                                        NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                                                                                        NULL0x00x00x00x00x0000
                                                                                        .initPROGBITS0x80480940x940x1c0x00x6AX001
                                                                                        .textPROGBITS0x80480b00xb00xfdc80x00x6AX0016
                                                                                        .finiPROGBITS0x8057e780xfe780x170x00x6AX001
                                                                                        .rodataPROGBITS0x8057ea00xfea00x4cbb0x00x2A0032
                                                                                        .eh_framePROGBITS0x805cb5c0x14b5c0x40x00x2A004
                                                                                        .ctorsPROGBITS0x805d0000x150000x80x00x3WA004
                                                                                        .dtorsPROGBITS0x805d0080x150080x80x00x3WA004
                                                                                        .jcrPROGBITS0x805d0100x150100x40x00x3WA004
                                                                                        .got.pltPROGBITS0x805d0140x150140xc0x40x3WA004
                                                                                        .dataPROGBITS0x805d0200x150200x3f80x00x3WA0032
                                                                                        .bssNOBITS0x805d4200x154180x69640x00x3WA0032
                                                                                        .commentPROGBITS0x00x154180xda40x00x0001
                                                                                        .shstrtabSTRTAB0x00x161bc0x5f0x00x0001

                                                                                        Program Segments

                                                                                        TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                                                        LOAD0x00x80480000x80480000x14b600x14b606.76060x5R E0x1000.init .text .fini .rodata .eh_frame
                                                                                        LOAD0x150000x805d0000x805d0000x4180x6d843.93100x6RW 0x1000.ctors .dtors .jcr .got.plt .data .bss
                                                                                        GNU_STACK0x00x00x00x00x00.00000x6RW 0x4

                                                                                        Network Behavior

                                                                                        Download Network PCAP: filteredfull

                                                                                        Network Port Distribution

                                                                                        • Total Packets: 61
                                                                                        • 1337 undefined
                                                                                        • 443 (HTTPS)
                                                                                        • 80 (HTTP)
                                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                                        Apr 2, 2025 08:31:47.666630030 CEST4251680192.168.2.23109.202.202.202
                                                                                        Apr 2, 2025 08:31:47.922625065 CEST43928443192.168.2.2391.189.91.42
                                                                                        Apr 2, 2025 08:31:49.096189976 CEST362561337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:31:49.297828913 CEST133736256176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:31:51.113598108 CEST362581337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:31:51.319613934 CEST133736258176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:31:53.510605097 CEST39256443192.168.2.2334.249.145.219
                                                                                        Apr 2, 2025 08:31:53.510721922 CEST4433925634.249.145.219192.168.2.23
                                                                                        Apr 2, 2025 08:31:53.510823965 CEST39256443192.168.2.2334.249.145.219
                                                                                        Apr 2, 2025 08:31:53.511102915 CEST39256443192.168.2.2334.249.145.219
                                                                                        Apr 2, 2025 08:31:53.511137009 CEST4433925634.249.145.219192.168.2.23
                                                                                        Apr 2, 2025 08:31:53.553947926 CEST42836443192.168.2.2391.189.91.43
                                                                                        Apr 2, 2025 08:31:54.298983097 CEST362621337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:31:54.503648043 CEST133736262176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:31:56.323582888 CEST362641337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:31:56.528198957 CEST133736264176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:31:59.504486084 CEST362661337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:31:59.709423065 CEST133736266176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:01.529393911 CEST362681337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:01.745800972 CEST133736268176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:04.710405111 CEST362701337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:04.917007923 CEST133736270176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:06.747378111 CEST362721337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:06.954679012 CEST133736272176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:09.423804045 CEST43928443192.168.2.2391.189.91.42
                                                                                        Apr 2, 2025 08:32:09.918167114 CEST362741337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:10.123676062 CEST133736274176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:11.955961943 CEST362761337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:12.162849903 CEST133736276176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:15.125392914 CEST362781337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:15.327469110 CEST133736278176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:17.164294958 CEST362801337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:17.365528107 CEST133736280176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:17.614612103 CEST4251680192.168.2.23109.202.202.202
                                                                                        Apr 2, 2025 08:32:19.662378073 CEST42836443192.168.2.2391.189.91.43
                                                                                        Apr 2, 2025 08:32:20.329634905 CEST362821337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:20.532087088 CEST133736282176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:22.367228031 CEST362841337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:22.570815086 CEST133736284176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:25.533946991 CEST362861337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:25.736351013 CEST133736286176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:27.572367907 CEST362881337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:27.773214102 CEST133736288176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:30.738675117 CEST362901337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:30.944211960 CEST133736290176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:32.775500059 CEST362921337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:32.981764078 CEST133736292176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:35.946055889 CEST362941337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:36.149622917 CEST133736294176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:37.983445883 CEST362961337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:38.189640999 CEST133736296176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:41.151174068 CEST362981337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:41.354495049 CEST133736298176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:43.191394091 CEST363001337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:43.402610064 CEST133736300176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:46.356292963 CEST363021337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:46.559115887 CEST133736302176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:48.405056953 CEST363041337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:48.607471943 CEST133736304176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:50.378413916 CEST43928443192.168.2.2391.189.91.42
                                                                                        Apr 2, 2025 08:32:51.560830116 CEST363061337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:51.764058113 CEST133736306176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:53.503412008 CEST39256443192.168.2.2334.249.145.219
                                                                                        Apr 2, 2025 08:32:53.544267893 CEST4433925634.249.145.219192.168.2.23
                                                                                        Apr 2, 2025 08:32:53.609960079 CEST363081337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:53.811036110 CEST133736308176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:56.766016006 CEST363101337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:56.968138933 CEST133736310176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:32:58.815134048 CEST363121337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:32:59.017394066 CEST133736312176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:01.972589970 CEST363141337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:02.177134037 CEST133736314176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:04.019793034 CEST363161337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:04.222389936 CEST133736316176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:07.180712938 CEST363181337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:07.382389069 CEST133736318176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:09.225073099 CEST363201337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:09.435277939 CEST133736320176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:12.384587049 CEST363221337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:12.587646961 CEST133736322176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:14.437613964 CEST363241337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:14.638003111 CEST133736324176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:17.589859962 CEST363261337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:17.793108940 CEST133736326176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:19.642249107 CEST363281337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:19.846318007 CEST133736328176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:22.795305967 CEST363301337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:22.997761965 CEST133736330176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:24.848990917 CEST363321337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:25.053323984 CEST133736332176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:28.001502991 CEST363341337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:28.210764885 CEST133736334176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:30.058495045 CEST363361337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:30.265396118 CEST133736336176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:33.212599039 CEST363381337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:33.413554907 CEST133736338176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:35.268388033 CEST363401337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:35.470585108 CEST133736340176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:38.415153027 CEST363421337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:38.617913961 CEST133736342176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:40.472387075 CEST363441337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:40.684490919 CEST133736344176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:43.620069981 CEST363461337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:43.823113918 CEST133736346176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:45.686619997 CEST363481337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:45.891844034 CEST133736348176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:48.825786114 CEST363501337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:49.028342962 CEST133736350176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:50.897509098 CEST363521337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:51.099586964 CEST133736352176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:54.031064034 CEST363541337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:54.235212088 CEST133736354176.65.144.18192.168.2.23
                                                                                        Apr 2, 2025 08:33:56.101767063 CEST363561337192.168.2.23176.65.144.18
                                                                                        Apr 2, 2025 08:33:56.306811094 CEST133736356176.65.144.18192.168.2.23

                                                                                        System Behavior

                                                                                        General

                                                                                        Start time (UTC):06:31:48
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:/tmp/FBI.x86.elf
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        File Activities

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:31:48
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        General

                                                                                        Start time (UTC):06:31:48
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        File Activities

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:31:48
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        File Activities

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:31:48
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:31:48
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        General

                                                                                        Start time (UTC):06:31:50
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:31:50
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/tmp/FBI.x86.elf
                                                                                        Arguments:-
                                                                                        File size:91212 bytes
                                                                                        MD5 hash:ed5d64cc0407dfb432e9216ba6432828

                                                                                        General

                                                                                        Start time (UTC):06:32:52
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/usr/bin/dash
                                                                                        Arguments:-
                                                                                        File size:129816 bytes
                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:32:52
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/usr/bin/rm
                                                                                        Arguments:rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQO
                                                                                        File size:72056 bytes
                                                                                        MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                                                        File Activities


                                                                                        General

                                                                                        Start time (UTC):06:32:52
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/usr/bin/dash
                                                                                        Arguments:-
                                                                                        File size:129816 bytes
                                                                                        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                                                                        Process Activities


                                                                                        General

                                                                                        Start time (UTC):06:32:52
                                                                                        Start date (UTC):02/04/2025
                                                                                        Path:/usr/bin/rm
                                                                                        Arguments:rm -f /tmp/tmp.02NQZLfgYz /tmp/tmp.jEY9rauW4e /tmp/tmp.hJKAvkTjQO
                                                                                        File size:72056 bytes
                                                                                        MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                                                                                        File Activities