
Linux Analysis Report
FBI.arm.elf

Overview

General Information

Sample name: FBI.arm.elf
Analysis ID: 1654270
MD5: 38e7d01da9f3c416ef1a9ca2372bbbcc
SHA1: 44e39010e488f490386ebc7361b26c73e3b060fc
SHA256: ac2556daabcf6c82b1fd1ddb6347bce3760f42cd13bf6a1fcc44f0c1b107406b
Tags: elf, user-abuse_ch

Detection

Gafgyt, Mirai
Score: 80 (range: 0 - 100)

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings that are user agent strings indicative of HTTP manipulation
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654270
Start date and time: 2025-04-02 08:31:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: FBI.arm.elf
Detection: MAL
Classification: mal80.troj.linELF@0/0@2/0
Command: /tmp/FBI.arm.elf
PID: 5815
Exit Code: 0
Exit Code Info: (empty)
Killed: False
Standard Output: (empty)
Standard Error: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Note on coverage: the analysis host is x86-64, so this ARM binary ran under qemu-arm user-mode emulation via binfmt (the /usr/bin/qemu-arm and /etc/qemu-binfmt/arm strings in the process memory section below are that loader, not the sample). The process segfaulted under emulation; the exit code of 0 belongs to the parent while the crash message is found in the memory of child PID 5817. Treat the dynamic findings (one C2 connection, a uname call) as a partial view of the sample's behaviour.
  • system is lnxubuntu20
  • cleanup
Threat descriptions (Malpedia)

Name: Bashlite, Gafgyt
Description: Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Yara matches

Source | Rule | Description | Author | Strings
FBI.arm.elf | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
FBI.arm.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
FBI.arm.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  $a matched 21 times, at 0x15f54, 0x15f68, 0x15f7c, 0x15f90, 0x15fa4, 0x15fb8, 0x15fcc, 0x15fe0, 0x15ff4, 0x16008, 0x1601c, 0x16030, 0x16044, 0x16058, 0x1606c, 0x16080, 0x16094, 0x160a8, 0x160bc, 0x160d0, 0x160e4 (a fixed stride of 0x14 bytes):
  2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  That is ASCII "/x38/xFJ/x93/xID/x9A/x38/xFJ/": a 29-byte window onto the 20-byte unit "/x38/xFJ/x93/xID/x9A" written back to back in the binary, which is why one string produces overlapping hits every 20 bytes.
FBI.arm.elf | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
  $a matched once, at 0x15f04: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 (ASCII "Self Rep Fucking NeTiS and")

5817.1.00007f5138017000.00007f5138030000.r-x.sdmp (the r-x region 0x7f5138017000-0x7f5138030000 of PID 5817) | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
5817.1.00007f5138017000.00007f5138030000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5817.1.00007f5138017000.00007f5138030000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  $a at the same 21 offsets as in the file (0x15f54 through 0x160e4, stride 0x14), same bytes as above
5817.1.00007f5138017000.00007f5138030000.r-x.sdmp | Linux_Trojan_Gafgyt_ea92cca8 | unknown | unknown
  $a at 0x15f04, same bytes as above
5815.1.00007f5138017000.00007f5138030000.r-x.sdmp | JoeSecurity_Gafgyt | Yara detected Gafgyt | Joe Security
(9 further entries are collapsed in the original report)
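The two Elastic rule hits above come down to two fixed byte strings, and the 21-hit pattern is worth understanding before you treat a hit count as a severity signal. The Python below is an added example, not part of the Joe Sandbox report or of the Elastic rules (whose full conditions are not reproduced here): it decodes the two hex strings exactly as listed, scans a constructed buffer laid out to match the report's offsets (the NUL padding and the 22 back-to-back copies of the 20-byte unit are assumptions; the byte values and offsets are the report's), and shows that a single repeated string yields overlapping hits at a constant stride, which is how YARA reports overlapping matches too.

```python
"""Added example (not part of the Joe Sandbox report): decode the two Elastic
Gafgyt string hits and reproduce their offset pattern with a plain byte scanner."""
from __future__ import annotations

# Hex byte strings exactly as listed in the report's Yara section.
GAFGYT_28A2FE0C_A = bytes.fromhex(
    "2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F"
)
GAFGYT_EA92CCA8_A = bytes.fromhex(
    "53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64"
)


def decode_ascii(pattern: bytes) -> str:
    """Both patterns are plain ASCII; show what the rule author typed."""
    return pattern.decode("ascii")


def find_all(buf: bytes, pattern: bytes) -> list[int]:
    """Every match offset, including overlapping ones (YARA reports overlaps as well)."""
    hits: list[int] = []
    pos = buf.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(pattern, pos + 1)
    return hits


def hit_stride(offsets: list[int]) -> list[int]:
    """Distinct gaps between consecutive hits; a single value means a periodic repeat."""
    return sorted({b - a for a, b in zip(offsets, offsets[1:])})


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the relevant slice of FBI.arm.elf (assumption: NUL
    padding and exactly 22 copies of the 20-byte unit). The 'Self Rep' string is
    placed at 0x15f04 and the repeat starts at 0x15f54, as in the report."""
    unit = b"/x38/xFJ/x93/xID/x9A"          # 20 bytes: the period of the junk string
    buf = bytearray(b"\x00" * 0x15F04)
    buf += GAFGYT_EA92CCA8_A                  # lands at 0x15f04
    buf += b"\x00" * (0x15F54 - len(buf))
    buf += unit * 22                          # 22 units -> 21 overlapping 29-byte hits
    buf += b"\x00" * 16
    return bytes(buf)


def scan(buf: bytes) -> dict[str, list[int]]:
    """Offsets of each rule's $a string in buf, keyed by rule name."""
    return {
        "Linux_Trojan_Gafgyt_28a2fe0c:$a": find_all(buf, GAFGYT_28A2FE0C_A),
        "Linux_Trojan_Gafgyt_ea92cca8:$a": find_all(buf, GAFGYT_EA92CCA8_A),
    }


if __name__ == "__main__":
    for pat in (GAFGYT_28A2FE0C_A, GAFGYT_EA92CCA8_A):
        print(f"{len(pat):2d} bytes: {decode_ascii(pat)!r}")
    for rule, offs in scan(build_constructed_sample()).items():
        print(f"{rule}: {len(offs)} hit(s), first 0x{offs[0]:x}, last 0x{offs[-1]:x}, "
              f"stride {[hex(s) for s in hit_stride(offs)]}")
```

Run it on the real file by replacing build_constructed_sample() with the file's bytes; 21 hits of a 29-byte string at a 20-byte stride is one string, not 21 pieces of evidence, so count distinct strings rather than raw matches when scoring.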
            No Suricata rule has matched


            AV Detection

Source: FBI.arm.elf | Avira: detected
Source: FBI.arm.elf | ReversingLabs: Detection: 63%
Source: FBI.arm.elf | Virustotal: Detection: 64%

Networking

Source: global traffic | TCP traffic: 192.168.2.15:34428 -> 176.65.144.18:1337
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.18 (this line is repeated 50 times in the original report)
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: FBI.arm.elf | String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.arm.elf | String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.arm.elf | String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.arm.elf | String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.arm.elf | String found in binary or memory: http://www.billybobbot.com/crawler/)

What this adds up to: the only connection attributable to the sample is to 176.65.144.18 on TCP 1337, reached by hard-coded IP with no DNS lookup; that is what fires the "non-standard ports" signature and it is the expected shape of a Gafgyt/Mirai C2 check-in. The daisy.ubuntu.com lookup is the Ubuntu crash reporter (whoopsie) reacting to the core dump of the emulated process, so it is sandbox noise rather than sample behaviour; the same name appears under unrelated samples in the context tables at the end of this report. The five http:// strings end in ")" because they are the tails of crawler user-agent strings (Baiduspider's, for example) from the sample's embedded user-agent list, not URLs it contacted.
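The two network signatures in this section ("TCP traffic detected without corresponding DNS query" and "Detected TCP or UDP traffic on non-standard ports") are simple enough to reproduce over your own logs. The Python below is an added example, not part of the report: it implements both heuristics over Zeek-style dns.log and conn.log records in JSON-lines form. The records are constructed to mirror this run (only the IPs, ports and the daisy.ubuntu.com lookup come from the report; the timestamps, the 443 and 53 control flows and the port allowlist are assumptions), and the summariser collapses repeated hits into one line with a count, which is the form the fifty identical report lines should have taken.

```python
"""Added example (not part of the Joe Sandbox report): the report's two network
heuristics over constructed Zeek-style JSON-lines dns.log / conn.log records."""
from __future__ import annotations
import json
from ipaddress import ip_address

# Constructed dns.log: the one lookup the report saw.
DNS_LOG = """
{"ts": 1743575500.1, "id.orig_h": "192.168.2.15", "query": "daisy.ubuntu.com", "qtype_name": "A", "answers": ["162.213.35.24"]}
"""

# Constructed conn.log: the C2 connections from the report (two of the fifty shown),
# plus a resolved HTTPS flow and a LAN DNS flow as controls that must not fire.
CONN_LOG = """
{"ts": 1743575501.0, "id.orig_h": "192.168.2.15", "id.orig_p": 34428, "id.resp_h": "176.65.144.18", "id.resp_p": 1337, "proto": "tcp"}
{"ts": 1743575502.0, "id.orig_h": "192.168.2.15", "id.orig_p": 34432, "id.resp_h": "176.65.144.18", "id.resp_p": 1337, "proto": "tcp"}
{"ts": 1743575503.0, "id.orig_h": "192.168.2.15", "id.orig_p": 40000, "id.resp_h": "162.213.35.24", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1743575504.0, "id.orig_h": "192.168.2.15", "id.orig_p": 40001, "id.resp_h": "192.168.2.1", "id.resp_p": 53, "proto": "udp"}
"""

# Assumption: which ports count as "standard" is local policy; this allowlist is ours.
STANDARD_PORTS = {
    "tcp": {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995},
    "udp": {53, 123, 443},
}


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def first_resolution(dns_records: list[dict]) -> dict[str, float]:
    """Map each answered IP to the earliest timestamp a DNS response carried it."""
    first: dict[str, float] = {}
    for rec in dns_records:
        for answer in rec.get("answers", []):
            try:
                ip_address(answer)
            except ValueError:
                continue                      # CNAME targets and the like are not IPs
            first[answer] = min(first.get(answer, rec["ts"]), rec["ts"])
    return first


def analyse(conn_records: list[dict], dns_records: list[dict],
            standard_ports: dict[str, set[int]] = STANDARD_PORTS) -> list[dict]:
    """One finding per connection to a global IP that lacks a prior DNS resolution
    for its destination and/or uses a port outside the allowlist."""
    resolved = first_resolution(dns_records)
    findings: list[dict] = []
    for c in conn_records:
        dst, port, proto = c["id.resp_h"], c["id.resp_p"], c["proto"]
        if not ip_address(dst).is_global:
            continue                          # LAN resolver, link-local etc. are out of scope
        reasons = []
        if dst not in resolved or resolved[dst] > c["ts"]:
            reasons.append("no-prior-dns")
        if port not in standard_ports.get(proto, set()):
            reasons.append("non-standard-port")
        if reasons:
            findings.append({"ts": c["ts"], "dst": dst, "port": port,
                             "proto": proto, "reasons": reasons})
    return findings


def summarise(findings: list[dict]) -> dict[tuple, int]:
    """Collapse repeats into (dst, port, proto, reasons) -> count."""
    counts: dict[tuple, int] = {}
    for f in findings:
        key = (f["dst"], f["port"], f["proto"], tuple(f["reasons"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    summary = summarise(analyse(parse_jsonl(CONN_LOG), parse_jsonl(DNS_LOG)))
    for (dst, port, proto, reasons), n in summary.items():
        print(f"{dst}:{port}/{proto} x{n}  {', '.join(reasons)}")
```

The "no prior DNS" check is time-ordered on purpose: a resolution that arrives after the connection does not explain it. Expect false positives from hosts that cache DNS across the capture boundary, which is why the two heuristics are scored together rather than alerted on alone.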

            System Summary

Source: FBI.arm.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: FBI.arm.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5817.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5817.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5815.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5815.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm.elf PID: 5815, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm.elf PID: 5815, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: FBI.arm.elf PID: 5817, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: FBI.arm.elf PID: 5817, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Rule metadata (reported identically for each of the ten matches above):
Linux_Trojan_Gafgyt_28a2fe0c: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Linux_Trojan_Gafgyt_ea92cca8: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: BusyBox
Source: Initial sample | String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217
That third hit is a run of adjacent string-table entries rather than one string: paths the bot touches (/proc/self/maps, /tmp/, /var/run, /mnt/), login-prompt fragments of the kind a telnet scanner matches against (...ogin, ...nter, ...hrase, ...ord, shell, system, enable, busybox, Built-in), and an embedded IPv4 literal, 107.182.129.217, to which no traffic was observed in this run.
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal80.troj.linELF@0/0@2/0
Source: submitted sample | Stderr: qemu: uncaught target signal 11 (Segmentation fault) - core dumped: exit code = 0
Source: /tmp/FBI.arm.elf (PID: 5815) | Queries kernel information via 'uname'
Source: FBI.arm.elf, 5815.1.0000558e14084000.0000558e141b2000.rw-.sdmp, FBI.arm.elf, 5817.1.0000558e14084000.0000558e141b2000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: FBI.arm.elf, 5815.1.00007ffe854cf000.00007ffe854f0000.rw-.sdmp, FBI.arm.elf, 5817.1.00007ffe854cf000.00007ffe854f0000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/FBI.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.arm.elf
Source: FBI.arm.elf, 5815.1.0000558e14084000.0000558e141b2000.rw-.sdmp, FBI.arm.elf, 5817.1.0000558e14084000.0000558e141b2000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: FBI.arm.elf, 5815.1.00007ffe854cf000.00007ffe854f0000.rw-.sdmp, FBI.arm.elf, 5817.1.00007ffe854cf000.00007ffe854f0000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: FBI.arm.elf, 5817.1.00007ffe854cf000.00007ffe854f0000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
The last five strings describe the sandbox, not the sample: the qemu-arm user-mode loader, its binfmt registration and the x86-64 host's sudo environment (SUDO_USER=saturnino, HOME=/root), all captured in rw- regions of the qemu process that wraps the ARM binary. Do not lift them as indicators. The segfault message sits in the memory of child PID 5817, so the crash happened in a forked child while the parent, PID 5815, is the process that exited 0 and made the uname call.
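The ".symtab present: no" check above and the sibling builds listed in the context tables at the end of the report (sh4, arm5/6/7, x86, mips and ppc variants talking to the same IP) are the two facts you want from a drop before choosing an emulator or disassembler. The Python below is an added example, not part of the report: with the standard library only it parses ELF headers for class, byte order, e_machine and whether a .symtab section exists, and runs over constructed minimal ELF images produced by build_elf(). The builder and its three- or five-section layout are assumptions for the demo; the header formats and machine numbers are the ELF ABI's.

```python
"""Added example (not part of the Joe Sandbox report): static triage of an ELF
drop with the standard library only, run over constructed minimal ELF images."""
from __future__ import annotations
import struct

# e_machine values from the ELF ABI for the architectures this campaign ships.
MACHINES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 42: "SuperH",
            62: "x86-64", 183: "AArch64"}
SHT_SYMTAB = 2
# struct formats without the byte-order prefix, keyed by EI_CLASS (1 = ELF32, 2 = ELF64).
EHDR = {1: "16sHHIIIIIHHHHHH", 2: "16sHHIQQQIHHHHHH"}
# Section header, both classes: name, type, flags, addr, offset, size, link, info, align, entsize.
SHDR = {1: "IIIIIIIIII", 2: "IIQQQQIIQQ"}


def inspect_elf(data: bytes) -> dict:
    """Parse just enough of an ELF image to answer the triage questions."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, enc = data[4], data[5]
    if cls not in EHDR or enc not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    prefix = "<" if enc == 1 else ">"
    ehdr_fmt, shdr_fmt = prefix + EHDR[cls], prefix + SHDR[cls]
    if len(data) < struct.calcsize(ehdr_fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    machine, shoff, shentsize, shnum, shstrndx = hdr[2], hdr[6], hdr[11], hdr[12], hdr[13]
    sections: list[str] = []
    has_symtab = False
    # shnum == 0 also covers sstrip-style binaries whose whole section table is gone.
    if shnum:
        if shentsize < struct.calcsize(shdr_fmt) or shoff + shnum * shentsize > len(data):
            raise ValueError("section header table out of bounds")
        if shstrndx >= shnum:
            raise ValueError("e_shstrndx out of range")
        shdrs = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize) for i in range(shnum)]
        so, ss = shdrs[shstrndx][4], shdrs[shstrndx][5]
        strtab = data[so:so + ss]
        for sh in shdrs:
            nul = strtab.find(b"\x00", sh[0])
            sections.append(strtab[sh[0]:nul if nul != -1 else None].decode("ascii", "replace"))
            has_symtab = has_symtab or sh[1] == SHT_SYMTAB
    return {
        "class": 32 if cls == 1 else 64,
        "endian": "little" if enc == 1 else "big",
        "machine": MACHINES.get(machine, f"unknown({machine})"),
        "sections": sections,
        "stripped": not has_symtab,
    }


def build_elf(machine: int, cls: int = 1, data: int = 1, stripped: bool = True) -> bytes:
    """Constructed minimal ELF (assumption for the demo): header, .shstrtab bytes,
    then the section table. Not loadable, just enough structure for inspect_elf()."""
    names = [b"", b".shstrtab", b".text"] + ([] if stripped else [b".symtab", b".strtab"])
    types = {b"": 0, b".shstrtab": 3, b".text": 1, b".symtab": SHT_SYMTAB, b".strtab": 3}
    blob, offs = b"", {}
    for n in names:                       # build .shstrtab and remember each name's offset
        offs[n] = len(blob)
        blob += n + b"\x00"
    prefix = "<" if data == 1 else ">"
    ehdr_fmt, shdr_fmt = prefix + EHDR[cls], prefix + SHDR[cls]
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    shoff = ehsize + len(blob)
    shdrs = b"".join(
        struct.pack(shdr_fmt, offs[n], types[n], 0, 0,
                    ehsize if n == b".shstrtab" else 0,
                    len(blob) if n == b".shstrtab" else 0, 0, 0, 1, 0)
        for n in names)
    ident = b"\x7fELF" + bytes([cls, data, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(ehdr_fmt, ident, 2, machine, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, len(names), 1)
    return ehdr + blob + shdrs


def triage(files: dict[str, bytes]) -> dict[str, dict]:
    """Run inspect_elf over a drop; malformed files get an 'error' entry instead."""
    out: dict[str, dict] = {}
    for name, blob in files.items():
        try:
            out[name] = inspect_elf(blob)
        except ValueError as exc:
            out[name] = {"error": str(exc)}
    return out


if __name__ == "__main__":
    # Constructed stand-ins named after the sibling samples in the report.
    drop = {"FBI.arm.elf": build_elf(40), "FBI.mips.elf": build_elf(8, data=2),
            "FBI.x86.elf": build_elf(3, stripped=False), "notes.txt": b"MZ\x90\x00"}
    for name, info in triage(drop).items():
        print(name, info)
```

Bounds checks on e_shoff, e_shentsize and e_shstrndx are not decoration: malformed section tables are common in packed or hand-mangled bot binaries, and a triage script that raises struct.error on the first odd file is a script nobody runs twice.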

            Stealing of Sensitive Information

Source: Yara match | File source: FBI.arm.elf, type: SAMPLE
Source: Yara match | File source: 5817.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5815.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: FBI.arm.elf, type: SAMPLE
Source: Yara match | File source: 5817.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5815.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FBI.arm.elf PID: 5815, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FBI.arm.elf PID: 5817, type: MEMORYSTR
Source: Initial sample | User agent strings found:
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

The section title is Joe Sandbox's bucket for these signatures; nothing in this run shows data being read from the host or sent anywhere. Thirty-two desktop, mobile, console and crawler user agents embedded in a stripped ARM bot binary is the rotation list Gafgyt/Mirai builds use to vary HTTP flood requests, which fits the DDoS role in the threat descriptions above rather than information theft.

            Remote Access Functionality

Source: Yara match | File source: FBI.arm.elf, type: SAMPLE
Source: Yara match | File source: 5817.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5815.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: FBI.arm.elf, type: SAMPLE
Source: Yara match | File source: 5817.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5815.1.00007f5138017000.00007f5138030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FBI.arm.elf PID: 5815, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: FBI.arm.elf PID: 5817, type: MEMORYSTR
MITRE ATT&CK matrix (rendered as a full tactic grid in the original; only the cells carrying a signature count are hits, the rest is the empty template)

Discovery: Security Software Discovery
Command and Control: Data Obfuscation; Non-Standard Port; Non-Application Layer Protocol; Application Layer Protocol
Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Exfiltration, Impact: no signatures mapped in this run (Network Denial of Service appears in the grid as an unmarked template cell, not as a hit)
No configs have been found

Behavior graph (a diagram in the original; the recoverable facts)

Graph ID: 1654270 | Sample: FBI.arm.elf | Start date: 02/04/2025 | Architecture: LINUX | Score: 80
Network node: 176.65.144.18, destination port 1337, local source ports 34428 and 34432, AS PALTEL-AS PALTEL Autonomous System, PS, listed country Germany
DNS node: daisy.ubuntu.com
Signatures on the root node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures
Process tree: /tmp/FBI.arm.elf starts and forks a chain of further FBI.arm.elf processes. The graph shows eight process nodes in all: the root forks two children, one of those forks two more, each of those forks one, and one of those forks one more. The graph does not label the nodes with PIDs; the memory-dump Yara hits above name only PIDs 5815 and 5817.
Source | Detection | Scanner | Label
FBI.arm.elf | 64% | ReversingLabs | Linux.Trojan.Gafgyt
FBI.arm.elf | 64% | Virustotal | (see VirusTotal)
FBI.arm.elf | 100% | Avira | EXP/ELF.Mirai.Z
Dropped files, domains and URLs: no antivirus matches


            NameIPActiveMaliciousAntivirus DetectionReputation
            daisy.ubuntu.com
            162.213.35.24
            truefalse
              high
              NameSourceMaliciousAntivirus DetectionReputation
              http://www.baidu.com/search/spider.html)FBI.arm.elffalse
                high
                http://www.billybobbot.com/crawler/)FBI.arm.elffalse
                  high
                  http://fast.no/support/crawler.asp)FBI.arm.elffalse
                    high
                    http://feedback.redkolibri.com/FBI.arm.elffalse
                      high
                      http://www.baidu.com/search/spider.htm)FBI.arm.elffalse
                        high
IP | Domain | Country | ASN | ASN Name | Malicious
176.65.144.18 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.65.144.18 | FBI.sh4.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.arm7.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.x86.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.mips.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.arm5.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.ppc.elf | malicious | Gafgyt, Mirai |
176.65.144.18 | FBI.arm6.elf | malicious | Gafgyt, Mirai |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | FBI.sh4.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | FBI.arm7.elf | malicious | Gafgyt, Mirai | 162.213.35.25
daisy.ubuntu.com | FBI.mips.elf | malicious | Gafgyt, Mirai | 162.213.35.25
daisy.ubuntu.com | FBI.ppc.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | FBI.arm6.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | mpsl.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | arm6.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | rjfe686.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | arm.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | efefa7.elf | malicious | Mirai | 162.213.35.24

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PALTEL-ASPALTELAutonomousSystemPS | FBI.sh4.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.arm7.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.x86.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.mips.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.arm5.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.ppc.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | FBI.arm6.elf | malicious | Gafgyt, Mirai | 176.65.144.18
PALTEL-ASPALTELAutonomousSystemPS | clip64.dll | malicious | Amadey | 176.65.137.193
PALTEL-ASPALTELAutonomousSystemPS | clip64.dll | malicious | Amadey | 176.65.137.193
PALTEL-ASPALTELAutonomousSystemPS | cred64.dll.dll | malicious | Amadey | 176.65.137.193
No context
                                      No created / dropped files found
                                      File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                                      Entropy (8bit):6.239194606531504
                                      TrID:
                                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                                      File name:FBI.arm.elf
                                      File size:107'720 bytes
                                      MD5:38e7d01da9f3c416ef1a9ca2372bbbcc
                                      SHA1:44e39010e488f490386ebc7361b26c73e3b060fc
                                      SHA256:ac2556daabcf6c82b1fd1ddb6347bce3760f42cd13bf6a1fcc44f0c1b107406b
                                      SHA512:5914d7dc906462c0aced329a2d6db7834fe2e9435a548e53c5f0195f3caa1c0fe4fbd2f33d282cef0ead26342f4c650f1371a7a3526d467e27e757625a877cc6
                                      SSDEEP:1536:VFL4kui3i9NwZyEEW47XGF2r4aYBCmerwO0J23+ZbvRdQr19xvT5hOpMXq:VF0cS9SwTGQkameT073AXT5hOpMXq
                                      TLSH:16B33956BD018F53C2C315B3FB9F47887B2667F8D2EF3203D925AFA1278A4D60926950
                                      File Content Preview:.ELF...a..........(.........4...........4. ...(..........................................................j..........Q.td..................................-...L."...1P..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                                      ELF header

                                      Class:ELF32
                                      Data:2's complement, little endian
                                      Version:1 (current)
                                      Machine:ARM
                                      Version Number:0x1
                                      Type:EXEC (Executable file)
                                      OS/ABI:ARM - ABI
                                      ABI Version:0
                                      Entry Point Address:0x8190
                                      Flags:0x202
                                      ELF Header Size:52
                                      Program Header Offset:52
                                      Program Header Size:32
                                      Number of Program Headers:3
                                      Section Header Offset:107200
                                      Section Header Size:40
                                      Number of Section Headers:13
                                      Header String Table Index:12
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8094 | 0x94 | 0x18 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80b0 | 0xb0 | 0x140fc | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x1c1ac | 0x141ac | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1c1c0 | 0x141c0 | 0x4cf0 | 0x0 | 0x2 | A | 0 | 0 | 4
.eh_frame | PROGBITS | 0x20eb0 | 0x18eb0 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x29000 | 0x19000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x29008 | 0x19008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x29010 | 0x19010 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x29014 | 0x19014 | 0x49c | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x294b0 | 0x194b0 | 0x65f0 | 0x0 | 0x3 | WA | 0 | 0 | 4
.comment | PROGBITS | 0x0 | 0x194b0 | 0xdba | 0x0 | 0x0 | | 0 | 0 | 1
.shstrtab | STRTAB | 0x0 | 0x1a26a | 0x56 | 0x0 | 0x0 | | 0 | 0 | 1

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x18eb4 | 0x18eb4 | 6.2455 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .eh_frame
LOAD | 0x19000 | 0x29000 | 0x29000 | 0x4b0 | 0x6aa0 | 3.1809 | 0x6 | RW | 0x8000 | | .ctors .dtors .jcr .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                                      • Total Packets: 89
                                      • 1337 undefined
                                      • 53 (DNS)
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 08:32:40.498449087 CEST | 192.168.2.15 | 8.8.8.8 | 0x249 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Apr 2, 2025 08:32:40.588748932 CEST | 192.168.2.15 | 8.8.8.8 | 0x7777 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 08:32:40.588676929 CEST | 8.8.8.8 | 192.168.2.15 | 0x249 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 08:32:40.588676929 CEST | 8.8.8.8 | 192.168.2.15 | 0x249 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                                      System Behavior

                                      Start time (UTC):06:32:37
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:/tmp/FBI.arm.elf
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:37
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:37
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:37
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:37
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:37
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:39
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                                      Start time (UTC):06:32:39
                                      Start date (UTC):02/04/2025
                                      Path:/tmp/FBI.arm.elf
                                      Arguments:-
                                      File size:4956856 bytes
                                      MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1