
Linux Analysis Report
FBI.sh4.elf

Overview

General Information

Sample name: FBI.sh4.elf
Analysis ID: 1654269
MD5: 62625d3e68c200b3318e509d14f9071f
SHA1: 69696ee4632756ac26a7674421adac757de4a6e0
SHA256: 217d27019c13c2fa69d6638ad56c345a30dee26a77a3760775dbaa6c4dace15d
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai
Score: 80
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654269
Start date and time: 2025-04-02 08:30:46 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: FBI.sh4.elf
Detection: MAL
Classification: mal80.troj.linELF@0/0@2/0
Command: /tmp/FBI.sh4.elf
PID: 5574
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:
  • system is lnxubuntu20
  • cleanup
Malware family descriptions (Name | Description | Attribution | Blogpost URLs | Link):
Bashlite, Gafgyt | Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. | No Attribution | (none listed) | https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
Mirai | Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. | No Attribution | (none listed) | https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches on the sample (Source | Rule | Description | Author | Strings):
FBI.sh4.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
FBI.sh4.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
FBI.sh4.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
      • 0x123d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x123ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1243c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1248c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x124a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x124b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x124c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x124dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x124f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x1252c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12540:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12554:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x12568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
FBI.sh4.elf | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
      • 0x12388:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Yara matches on process memory (Source | Rule | Description | Author | Strings):
5574.1.00007f3894400000.00007f3894416000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5574.1.00007f3894400000.00007f3894416000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5574.1.00007f3894400000.00007f3894416000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
          • 0x123d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x123ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1243c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1248c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x124a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x124b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x124c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x124dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x124f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x1252c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12540:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12554:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
          • 0x12568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5574.1.00007f3894400000.00007f3894416000.r-x.sdmp | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
          • 0x12388:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.sh4.elf PID: 5574 | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
            No Suricata rule has matched


            AV Detection

Source: FBI.sh4.elf | Avira: detected
Source: FBI.sh4.elf | Virustotal: Detection: 61%
Source: FBI.sh4.elf | ReversingLabs: Detection: 61%
Source: global traffic | TCP traffic: 192.168.2.14:52950 -> 176.65.144.18:1337
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.18 (this line is reported 50 times in the original report)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: FBI.sh4.elf | String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.sh4.elf | String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.sh4.elf | String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.sh4.elf | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.sh4.elf | String found in binary or memory: http://www.billybobbot.com/crawler/)

            System Summary

Source: FBI.sh4.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: FBI.sh4.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.sh4.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.sh4.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: BusyBox
Source: Initial sample | String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217
Source: ELF static info symbol of initial sample | .symtab present: no
Source: FBI.sh4.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: FBI.sh4.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.sh4.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.sh4.elf PID: 5574, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine | Classification label: mal80.troj.linELF@0/0@2/0
Source: /tmp/FBI.sh4.elf (PID: 5574) | Queries kernel information via 'uname'
Source: FBI.sh4.elf, 5574.1.00007ffebcb92000.00007ffebcbb3000.rw-.sdmp | Binary or memory string: 9x86_64/usr/bin/qemu-sh4/tmp/FBI.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.sh4.elf
Source: FBI.sh4.elf, 5574.1.00007ffebcb92000.00007ffebcbb3000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sh4
Source: FBI.sh4.elf, 5574.1.000055a44e231000.000055a44e294000.rw-.sdmp | Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: FBI.sh4.elf, 5574.1.000055a44e231000.000055a44e294000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sh4

            Stealing of Sensitive Information

Source: Yara match | File source: FBI.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: FBI.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FBI.sh4.elf PID: 5574, type: MEMORYSTR
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample | User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample | User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample | User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample | User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample | User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

            Remote Access Functionality

Source: Yara match | File source: FBI.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: FBI.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5574.1.00007f3894400000.00007f3894416000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FBI.sh4.elf PID: 5574, type: MEMORYSTR
MITRE ATT&CK Matrix (the number in parentheses is the count of matched signatures; techniques without a number are empty matrix cells):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Data Obfuscation (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
            No configs have been found

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Number of created Files
            • Is malicious
            • Internet
[Behavior graph (image residue). Behavior Graph ID: 1654269; Sample: FBI.sh4.elf; Start date: 02/04/2025; Architecture: LINUX; Score: 80. Network nodes: 176.65.144.18 (ports 1337, 52950, 52952; PALTEL-ASPALTELAutonomousSystemPS, Germany); daisy.ubuntu.com. Signature nodes: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures. Process tree: FBI.sh4.elf is started, then spawns further FBI.sh4.elf child processes in a chain (graph edges 2->10; 10->12, 10->14; 12->16, 12->18; 16->20; 18->22; 20->24).]

Antivirus results (Source | Detection | Scanner | Label):
FBI.sh4.elf | 62% | Virustotal | (no label)
FBI.sh4.elf | 61% | ReversingLabs | Linux.Backdoor.DemonBot
FBI.sh4.elf | 100% | Avira | EXP/ELF.Mirai.Z
No Antivirus matches


Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
daisy.ubuntu.com | 162.213.35.24 | true | false | (none) | high
URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://www.baidu.com/search/spider.html) | FBI.sh4.elf | false | (none) | high
http://www.billybobbot.com/crawler/) | FBI.sh4.elf | false | (none) | high
http://fast.no/support/crawler.asp) | FBI.sh4.elf | false | (none) | high
http://feedback.redkolibri.com/ | FBI.sh4.elf | false | (none) | high
http://www.baidu.com/search/spider.htm) | FBI.sh4.elf | false | (none) | high
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
176.65.144.18 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false
Context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
IP 176.65.144.18:
FBI.arm7.elf | malicious | Gafgyt, Mirai
FBI.x86.elf | malicious | Gafgyt, Mirai
FBI.mips.elf | malicious | Gafgyt, Mirai
FBI.arm5.elf | malicious | Gafgyt, Mirai
FBI.ppc.elf | malicious | Gafgyt, Mirai
FBI.arm6.elf | malicious | Gafgyt, Mirai
Domain daisy.ubuntu.com:
FBI.mips.elf | malicious | Gafgyt, Mirai | 162.213.35.25
FBI.ppc.elf | malicious | Gafgyt, Mirai | 162.213.35.24
FBI.arm6.elf | malicious | Gafgyt, Mirai | 162.213.35.24
mpsl.elf | malicious | Unknown | 162.213.35.25
arm6.elf | malicious | Unknown | 162.213.35.25
rjfe686.elf | malicious | Unknown | 162.213.35.25
arm.elf | malicious | Mirai | 162.213.35.25
efefa7.elf | malicious | Mirai | 162.213.35.24
arm7.elf | malicious | Mirai | 162.213.35.24
weje64.elf | malicious | Unknown | 162.213.35.25
ASN PALTEL-ASPALTELAutonomousSystemPS:
FBI.arm7.elf | malicious | Gafgyt, Mirai | 176.65.144.18
FBI.x86.elf | malicious | Gafgyt, Mirai | 176.65.144.18
FBI.mips.elf | malicious | Gafgyt, Mirai | 176.65.144.18
FBI.arm5.elf | malicious | Gafgyt, Mirai | 176.65.144.18
FBI.ppc.elf | malicious | Gafgyt, Mirai | 176.65.144.18
FBI.arm6.elf | malicious | Gafgyt, Mirai | 176.65.144.18
clip64.dll | malicious | Amadey | 176.65.137.193
clip64.dll | malicious | Amadey | 176.65.137.193
cred64.dll.dll | malicious | Amadey | 176.65.137.193
gLLOqKC.exe | malicious | Amadey | 176.65.137.193
No context
                                    No created / dropped files found
                                    File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
                                    Entropy (8bit):6.919651649179532
                                    TrID:
                                    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                    File name:FBI.sh4.elf
                                    File size:92'164 bytes
                                    MD5:62625d3e68c200b3318e509d14f9071f
                                    SHA1:69696ee4632756ac26a7674421adac757de4a6e0
                                    SHA256:217d27019c13c2fa69d6638ad56c345a30dee26a77a3760775dbaa6c4dace15d
                                    SHA512:8145a899431101020fe19b853595bbd757bcc70e1c391a16039d900d7b204be45b78679359af3e71d457df73df4016309dc50053ad951655f665f389db3539b8
                                    SSDEEP:1536:ZUZLXqLF9XxrwKYdo6nZz2ak0+Cvuy0/+ym5hV1qqpMm:MLqZ9XxrXYdz2ak0+/yIm5hjqqpM
                                    TLSH:11933923ED125F0AD20BA4F061F59F351F22B8FA89975AD9E065DAE06543CCAB015FF0
                                    File Content Preview:.ELF..............*.......@.4....e......4. ...(...............@...@.4S..4S..............4S..4SB.4SB......j..........Q.td............................././"O.n........#.*@........#.*@,....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

                                    ELF header

                                    Class:ELF32
                                    Data:2's complement, little endian
                                    Version:1 (current)
Machine:<unknown> (e_machine = 42 = 0x2A, EM_SH; the '*' at byte 18 of the File Content Preview above is this value, and it is what libmagic reports as "Renesas SH" in the File type line; the sandbox's ELF parser simply does not know the constant)
                                    Version Number:0x1
                                    Type:EXEC (Executable file)
                                    OS/ABI:UNIX - System V
                                    ABI Version:0
                                    Entry Point Address:0x4001a0
Flags:0x9 (in the SuperH e_flags encoding the low five bits select the CPU variant; 9 is EF_SH4, matching the "sh4" in the file name)
                                    ELF Header Size:52
                                    Program Header Offset:52
                                    Program Header Size:32
                                    Number of Program Headers:3
                                    Section Header Offset:91644
                                    Section Header Size:40
                                    Number of Section Headers:13
                                    Header String Table Index:12
Name        Type      Address    Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
            NULL      0x0        0x0      0x0      0x0      0x0                       0     0     0
.init       PROGBITS  0x400094   0x94     0x30     0x0      0x6    AX                 0     0     4
.text       PROGBITS  0x4000e0   0xe0     0x10540  0x0      0x6    AX                 0     0     32
.fini       PROGBITS  0x410620   0x10620  0x24     0x0      0x6    AX                 0     0     4
.rodata     PROGBITS  0x410644   0x10644  0x4cec   0x0      0x2    A                  0     0     4
.eh_frame   PROGBITS  0x415330   0x15330  0x4      0x0      0x2    A                  0     0     4
.ctors      PROGBITS  0x425334   0x15334  0x8      0x0      0x3    WA                 0     0     4
.dtors      PROGBITS  0x42533c   0x1533c  0x8      0x0      0x3    WA                 0     0     4
.jcr        PROGBITS  0x425344   0x15344  0x4      0x0      0x3    WA                 0     0     4
.data       PROGBITS  0x425348   0x15348  0x494    0x0      0x3    WA                 0     0     4
.bss        NOBITS    0x4257dc   0x157dc  0x65f0   0x0      0x3    WA                 0     0     4
.comment    PROGBITS  0x0        0x157dc  0xdc8    0x0      0x0                       0     0     1
.shstrtab   STRTAB    0x0        0x165a4  0x56     0x0      0x0                       0     0     1

There is no .symtab or .strtab, which is what the "stripped symbol table" signature keys on, but the 0xdc8-byte .comment section survived stripping; it normally holds the toolchain's version strings, which is a cheap way to cluster builds from the same cross-compiler. The entry point 0x4001a0 lies inside .text, and the section header table at offset 91644 plus 13 entries of 40 bytes ends exactly at the 92,164-byte file size, so the section table is intact and not truncated.
Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x15334    0x15334      6.9608   0x5    R E                0x10000                    .init .text .fini .rodata .eh_frame
LOAD       0x15334  0x425334         0x425334          0x4a8      0x6a98       3.2470   0x6    RW                 0x10000                    .ctors .dtors .jcr .data .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4

The PT_GNU_STACK entry carries flags 0x7 (RWE), so the loader gives this process an executable stack; there is no PT_INTERP because the binary is statically linked. An executable stack is typical of binaries produced by older embedded cross-toolchains rather than a deliberate choice by the author, but it does mean stack-resident shellcode would run in this process.
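The "Machine:<unknown>" line and the RWE GNU_STACK entry above are both things a practitioner can recover by reading the ELF header and program headers directly. The following is an added example, not code from Joe Sandbox or from the sample's author: a minimal ELF32 header and program-header parser that names the machine, decodes the SuperH variant from e_flags, and checks the stack permissions. The sample input is constructed from the header and program-header values printed in this report (entry 0x4001a0, e_flags 0x9, the three program headers); section headers and code bytes are not reproduced, so only the fields shown are meaningful.

```python
import struct

# Added example, not sandbox or malware code. Layouts follow the ELF32 specification.
EHDR32 = "<16sHHIIIIIHHHHHH"  # e_ident .. e_shstrndx, little endian, 52 bytes
PHDR32 = "<IIIIIIII"          # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align

EM_NAMES = {3: "EM_386", 8: "EM_MIPS", 20: "EM_PPC", 40: "EM_ARM",
            42: "EM_SH (Renesas/Hitachi SuperH)", 62: "EM_X86_64"}
# Low five bits of e_flags select the SuperH variant (binutils include/elf/sh.h).
EF_SH_MACH_MASK = 0x1F
EF_SH_VARIANTS = {1: "EF_SH1", 2: "EF_SH2", 3: "EF_SH3", 4: "EF_SH_DSP", 5: "EF_SH3_DSP",
                  6: "EF_SH4AL_DSP", 8: "EF_SH3E", 9: "EF_SH4", 11: "EF_SH2E",
                  12: "EF_SH4A", 13: "EF_SH2A", 16: "EF_SH4_NOFPU"}
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PT_NAMES = {PT_LOAD: "LOAD", PT_GNU_STACK: "GNU_STACK"}
PF_X, PF_W, PF_R = 1, 2, 4


def parse_elf32(data):
    """Parse an ELF32 little-endian header and its program headers into a dict."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("this example handles ELF32 little-endian only")
    (_ident, e_type, e_machine, _ver, e_entry, e_phoff, _shoff, e_flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR32, data, 0)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    hdr = {"type": e_type, "machine": e_machine,
           "machine_name": EM_NAMES.get(e_machine, "<unknown>"),
           "entry": e_entry, "flags": e_flags, "phdrs": []}
    if e_machine == 42:  # only SuperH uses this e_flags encoding
        hdr["cpu_variant"] = EF_SH_VARIANTS.get(e_flags & EF_SH_MACH_MASK, "<unknown SH variant>")
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR32, data, e_phoff + i * e_phentsize)
        hdr["phdrs"].append({"type": PT_NAMES.get(p[0], hex(p[0])), "offset": p[1],
                             "vaddr": p[2], "filesz": p[4], "memsz": p[5],
                             "flags": p[6], "align": p[7]})
    return hdr


def flags_str(f):
    """Render p_flags as RWX, e.g. 0x7 -> 'RWX', 0x5 -> 'R-X'."""
    return "".join(c if f & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))


def stack_is_executable(hdr):
    """True if PT_GNU_STACK is missing or has PF_X set. A missing entry is treated as an
    executable stack by the Linux loader on most architectures, so both cases count."""
    stacks = [p for p in hdr["phdrs"] if p["type"] == "GNU_STACK"]
    return not stacks or bool(stacks[0]["flags"] & PF_X)


def build_sample():
    """Constructed input: the ELF header and three program headers with the values printed
    in this report. No section headers or code follow, so only these fields are meaningful."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7   # ELF32, LSB, version 1, SysV
    ehdr = struct.pack(EHDR32, ident, 2, 42, 1, 0x4001A0, 52, 91644, 0x9, 52, 32, 3, 40, 13, 12)
    phdrs = struct.pack(PHDR32, PT_LOAD, 0, 0x400000, 0x400000, 0x15334, 0x15334, PF_R | PF_X, 0x10000)
    phdrs += struct.pack(PHDR32, PT_LOAD, 0x15334, 0x425334, 0x425334, 0x4A8, 0x6A98, PF_R | PF_W, 0x10000)
    phdrs += struct.pack(PHDR32, PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 4)
    return ehdr + phdrs


if __name__ == "__main__":
    h = parse_elf32(build_sample())
    print(f"machine {h['machine']} = {h['machine_name']}, variant {h.get('cpu_variant')}, entry {h['entry']:#x}")
    for p in h["phdrs"]:
        print(f"  {p['type']:<10} vaddr {p['vaddr']:#010x} memsz {p['memsz']:#8x} {flags_str(p['flags'])}")
    print("executable stack:", stack_is_executable(h))
```

Pointing `parse_elf32` at the real file (`open(path, "rb").read()`) gives the same answers for the machine and stack checks; the cheapest cross-check is `readelf -h` from a binutils build that includes the SH target, which prints "Renesas / SuperH SH" where the sandbox printed "<unknown>".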

Network

• Total packets: 88
• TCP port 1337 (no registered service; the sandbox lists it as "undefined")
• UDP port 53 (DNS)
TCP packets (port 1337)

Timestamp                            Src port  Dst port  Source IP      Dest IP
Apr 2, 2025 08:31:51.118983984 CEST  52950     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:31:51.325375080 CEST  1337      52950     176.65.144.18  192.168.2.14
Apr 2, 2025 08:31:53.008629084 CEST  52952     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:31:53.210997105 CEST  1337      52952     176.65.144.18  192.168.2.14
Apr 2, 2025 08:31:56.327475071 CEST  52954     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:31:56.531063080 CEST  1337      52954     176.65.144.18  192.168.2.14
Apr 2, 2025 08:31:58.212599993 CEST  52956     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:31:58.417054892 CEST  1337      52956     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:01.532653093 CEST  52958     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:01.738275051 CEST  1337      52958     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:03.418787003 CEST  52960     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:03.623804092 CEST  1337      52960     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:06.740787029 CEST  52962     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:06.947273016 CEST  1337      52962     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:08.626089096 CEST  52964     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:08.829901934 CEST  1337      52964     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:11.949393034 CEST  52966     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:12.963964939 CEST  52966     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:13.179805994 CEST  1337      52966     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:13.831844091 CEST  52968     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:14.033272028 CEST  1337      52968     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:18.182118893 CEST  52970     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:18.384556055 CEST  1337      52970     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:19.034807920 CEST  52972     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:19.237399101 CEST  1337      52972     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:23.387281895 CEST  52974     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:23.588545084 CEST  1337      52974     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:24.239758968 CEST  52976     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:24.445235968 CEST  1337      52976     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:28.590558052 CEST  52978     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:28.798831940 CEST  1337      52978     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:29.447614908 CEST  52980     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:29.653911114 CEST  1337      52980     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:33.800770998 CEST  52982     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:34.005398035 CEST  1337      52982     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:34.655560970 CEST  52984     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:34.863629103 CEST  1337      52984     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:39.007617950 CEST  52986     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:39.213314056 CEST  1337      52986     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:39.865642071 CEST  52988     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:40.065912008 CEST  1337      52988     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:44.214984894 CEST  52990     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:44.416205883 CEST  1337      52990     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:45.067800045 CEST  52992     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:45.270813942 CEST  1337      52992     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:49.417814016 CEST  52994     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:49.619777918 CEST  1337      52994     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:50.272473097 CEST  52996     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:50.477407932 CEST  1337      52996     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:54.621598005 CEST  52998     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:54.828206062 CEST  1337      52998     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:55.479038000 CEST  53000     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:32:55.682662964 CEST  1337      53000     176.65.144.18  192.168.2.14
Apr 2, 2025 08:32:59.829933882 CEST  53002     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:00.034071922 CEST  1337      53002     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:00.684669018 CEST  53004     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:00.884812117 CEST  1337      53004     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:05.035516024 CEST  53006     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:05.236155033 CEST  1337      53006     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:05.886372089 CEST  53008     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:06.092334986 CEST  1337      53008     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:10.238347054 CEST  53010     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:10.442280054 CEST  1337      53010     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:11.094023943 CEST  53012     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:11.298805952 CEST  1337      53012     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:15.444124937 CEST  53014     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:15.645633936 CEST  1337      53014     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:16.301132917 CEST  53016     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:16.502952099 CEST  1337      53016     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:20.648025990 CEST  53018     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:20.854159117 CEST  1337      53018     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:21.504616976 CEST  53020     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:21.715245962 CEST  1337      53020     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:25.855918884 CEST  53022     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:26.060436010 CEST  1337      53022     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:26.717283964 CEST  53024     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:26.923651934 CEST  1337      53024     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:31.062366962 CEST  53026     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:31.263992071 CEST  1337      53026     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:31.926950932 CEST  53028     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:32.136424065 CEST  1337      53028     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:36.266146898 CEST  53030     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:36.471508980 CEST  1337      53030     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:37.138031960 CEST  53032     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:37.342664957 CEST  1337      53032     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:41.473287106 CEST  53034     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:41.681137085 CEST  1337      53034     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:42.344183922 CEST  53036     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:42.547065020 CEST  1337      53036     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:46.683073044 CEST  53038     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:46.888643026 CEST  1337      53038     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:47.549232006 CEST  53040     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:47.753148079 CEST  1337      53040     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:51.891443014 CEST  53042     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:52.092446089 CEST  1337      53042     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:52.755243063 CEST  53044     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:52.959805965 CEST  1337      53044     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:57.094523907 CEST  53046     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:57.300561905 CEST  1337      53046     176.65.144.18  192.168.2.14
Apr 2, 2025 08:33:57.962402105 CEST  53048     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:33:58.166740894 CEST  1337      53048     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:02.302903891 CEST  53050     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:02.504781961 CEST  1337      53050     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:03.168896914 CEST  53052     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:03.371285915 CEST  1337      53052     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:07.506596088 CEST  53054     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:07.706516027 CEST  1337      53054     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:08.373164892 CEST  53056     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:08.575829983 CEST  1337      53056     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:12.708024979 CEST  53058     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:12.914926052 CEST  1337      53058     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:13.577651978 CEST  53060     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:13.782762051 CEST  1337      53060     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:17.916850090 CEST  53062     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:18.118119955 CEST  1337      53062     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:18.784735918 CEST  53064     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:18.989933968 CEST  1337      53064     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:23.119973898 CEST  53066     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:23.323776007 CEST  1337      53066     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:23.991480112 CEST  53068     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:24.194494963 CEST  1337      53068     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:28.325597048 CEST  53070     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:29.196439981 CEST  53072     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:29.339165926 CEST  53070     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:29.398245096 CEST  1337      53072     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:29.542020082 CEST  1337      53070     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:34.523123026 CEST  53074     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:34.619290113 CEST  53076     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:34.726370096 CEST  1337      53074     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:34.824961901 CEST  1337      53076     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:39.729748011 CEST  53078     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:39.827279091 CEST  53080     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:39.933022976 CEST  1337      53078     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:40.030592918 CEST  1337      53080     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:44.934920073 CEST  53082     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:45.031992912 CEST  53084     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:45.136378050 CEST  1337      53082     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:45.232754946 CEST  1337      53084     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:50.138407946 CEST  53086     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:50.234332085 CEST  53088     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:50.339387894 CEST  1337      53086     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:50.436168909 CEST  1337      53088     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:55.341552973 CEST  53090     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:55.437931061 CEST  53092     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:34:55.544703007 CEST  1337      53090     176.65.144.18  192.168.2.14
Apr 2, 2025 08:34:55.645869970 CEST  1337      53092     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:00.547100067 CEST  53094     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:00.647922039 CEST  53096     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:00.752819061 CEST  1337      53094     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:00.854227066 CEST  1337      53096     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:05.754757881 CEST  53098     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:05.856282949 CEST  53100     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:05.957232952 CEST  1337      53098     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:06.059087992 CEST  1337      53100     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:10.959012032 CEST  53102     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:11.060520887 CEST  53104     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:11.162398100 CEST  1337      53102     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:11.265635967 CEST  1337      53104     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:16.164746046 CEST  53106     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:16.268023968 CEST  53108     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:16.374315023 CEST  1337      53106     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:16.471302986 CEST  1337      53108     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:21.376629114 CEST  53110     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:21.472821951 CEST  53112     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:21.579104900 CEST  1337      53110     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:21.674851894 CEST  1337      53112     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:26.581168890 CEST  53114     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:26.676723003 CEST  53116     1337      192.168.2.14   176.65.144.18
Apr 2, 2025 08:35:26.786746025 CEST  1337      53114     176.65.144.18  192.168.2.14
Apr 2, 2025 08:35:26.885262012 CEST  1337      53116     176.65.144.18  192.168.2.14

Every TCP packet in the capture is between the analysis host 192.168.2.14 and 176.65.144.18:1337. Each connection attempt uses a fresh, sequentially increasing ephemeral port, sends one packet and receives one reply about 200 ms later, and no attempt carries any further packets, so the remote host answers but no session progresses within the capture. The attempts arrive in pairs that recur every 5.2 s for the whole run; the gap inside a pair shrinks from about 1.9 s at the start to about 0.1 s after 08:34:34, which is what two processes reconnecting on the same timer look like. Ports 52966 and 53070 each show a second outbound packet about one second after the first and before the reply, i.e. a retransmission.
UDP packets (port 53)

Timestamp                            Src port  Dst port  Source IP      Dest IP
Apr 2, 2025 08:34:33.715200901 CEST  41232     53        192.168.2.14   8.8.8.8
Apr 2, 2025 08:34:33.715389013 CEST  47472     53        192.168.2.14   8.8.8.8
Apr 2, 2025 08:34:33.805627108 CEST  53        41232     8.8.8.8        192.168.2.14
Apr 2, 2025 08:34:33.805691004 CEST  53        47472     8.8.8.8        192.168.2.14

DNS queries

Timestamp                            Source IP      Dest IP   Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Apr 2, 2025 08:34:33.715200901 CEST  192.168.2.14   8.8.8.8   0x5f37    Standard query (0)  daisy.ubuntu.com  A (IP address)  IN (0x0001)  false
Apr 2, 2025 08:34:33.715389013 CEST  192.168.2.14   8.8.8.8   0xe0b3    Standard query (0)  daisy.ubuntu.com  28 (AAAA)       IN (0x0001)  false

DNS answers

Timestamp                            Source IP  Dest IP        Trans ID  Reply Code     Name              CName  Address        Type            Class        DNS over HTTPS
Apr 2, 2025 08:34:33.805627108 CEST  8.8.8.8    192.168.2.14   0x5f37    No error (0)   daisy.ubuntu.com         162.213.35.24  A (IP address)  IN (0x0001)  false
Apr 2, 2025 08:34:33.805627108 CEST  8.8.8.8    192.168.2.14   0x5f37    No error (0)   daisy.ubuntu.com         162.213.35.25  A (IP address)  IN (0x0001)  false

The only DNS traffic is the analysis image's own lookup of daisy.ubuntu.com, the endpoint Ubuntu's crash-reporting service uploads to, issued 2.5 minutes after the sample started and unrelated to it. The sample itself performs no lookup at all: it reaches 176.65.144.18:1337 directly, so the address is most likely embedded in the binary as an IP literal. The sample-context rows keyed on 162.213.35.24 and 162.213.35.25 earlier in this report therefore reflect analysis-host background traffic shared by every Linux run, not infrastructure shared between those samples; the pivot that does carry signal is 176.65.144.18, which the PALTEL-AS context ties to the other FBI.* builds of this bot.

System Behavior

Start time (UTC)  Start date (UTC)  Path              Arguments         File size      MD5 hash
06:31:50          02/04/2025        /tmp/FBI.sh4.elf  /tmp/FBI.sh4.elf  4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:50          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:50          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:50          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:50          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:50          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:52          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9
06:31:52          02/04/2025        /tmp/FBI.sh4.elf  -                 4139976 bytes  8943e5f8f8c280467b4472c15ae93ba9

Two things in this table need reading with care. First, the file size and MD5 recorded for every process (4,139,976 bytes, 8943e5f8f8c280467b4472c15ae93ba9) are not those of the sample, which is 92,164 bytes with MD5 62625d3e68c200b3318e509d14f9071f; a Renesas SH binary cannot execute natively on the x64 analysis system, so these values most likely describe the user-mode emulation binary through which the sandbox runs it, and they must not be used as indicators for the sample. Second, eight processes with the same image appear within two seconds of launch, one started with the sample's own path and seven recorded with argument "-", which is consistent with the parent forking worker processes after start; the paired reconnects in the network capture fit the same picture.