Edit tour

Linux Analysis Report
FBI.mpsl.elf

Overview

General Information

Sample name:	FBI.mpsl.elf
Analysis ID:	1654271
MD5:	5ec356608a575cf57e0b90019dc1edff
SHA1:	6f7b194628b403e1b66420bec9cf853337c0d7a8
SHA256:	e5240047c2b3d7fd7e1e54f5bd18554f0d22c6f6ecfe06be38e27bffd4efe6e1
Tags:	elfuser-abuse_ch
Infos:

Detection

Gafgyt, Mirai

Score:	80
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Gafgyt

Yara detected Mirai

Detected TCP or UDP traffic on non-standard ports

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings that are user agent strings indicative of HTTP manipulation

Sample has stripped symbol table

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654271
Start date and time:	2025-04-02 08:35:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	FBI.mpsl.elf
Detection:	MAL
Classification:	mal80.troj.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/FBI.mpsl.elf
PID:	6267
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 8 (Floating point exception) - core dumped qemu: uncaught target signal 8 (Floating point exception) - core dumped qemu: uncaught target signal 8 (Floating point exception) - core dumped qemu: uncaught target signal 8 (Floating point exception) - core dumped

Process Tree

system is lnxubuntu20

FBI.mpsl.elf (PID: 6267, Parent: 6182, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/FBI.mpsl.elf

FBI.mpsl.elf New Fork (PID: 6269, Parent: 6267)

FBI.mpsl.elf New Fork (PID: 6271, Parent: 6267)

FBI.mpsl.elf New Fork (PID: 6273, Parent: 6271)

FBI.mpsl.elf New Fork (PID: 6275, Parent: 6273)

FBI.mpsl.elf New Fork (PID: 6277, Parent: 6275)

FBI.mpsl.elf New Fork (PID: 6293, Parent: 6271)

FBI.mpsl.elf New Fork (PID: 6295, Parent: 6293)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
FBI.mpsl.elf	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
FBI.mpsl.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
FBI.mpsl.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1cc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
FBI.mpsl.elf	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1cbb4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64

Memory Dumps

Source	Rule	Description	Author	Strings
6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1cc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1cbb4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1cc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1cbb4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1cc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1cbb4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1cc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1cbb4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1cc04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cc90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cca4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccb8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cccc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cce0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1ccf4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd6c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd80:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1cd94:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1cbb4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.mpsl.elf PID: 6267	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: FBI.mpsl.elf PID: 6267	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x97f9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x980d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9821:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9835:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9849:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x985d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9871:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9885:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9899:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9911:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9925:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9939:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x994d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9961:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9975:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9989:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: FBI.mpsl.elf PID: 6267	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x97ac:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 0x9dee:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.mpsl.elf PID: 6275	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: FBI.mpsl.elf PID: 6275	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x6047:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x605b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x606f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6083:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6097:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x60fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x610f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6123:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6137:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x614b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x615f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6173:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6187:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x619b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x61af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x61c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x61d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: FBI.mpsl.elf PID: 6275	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x5ffa:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 0x663c:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.mpsl.elf PID: 6277	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: FBI.mpsl.elf PID: 6277	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x658b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x659f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x65b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x65c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x65db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x65ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6603:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6617:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x662b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x663f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6653:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6667:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x667b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x668f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x66a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x66b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x66cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x66df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x66f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x6707:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x671b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: FBI.mpsl.elf PID: 6277	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x653e:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 0x6b80:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.mpsl.elf PID: 6293	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: FBI.mpsl.elf PID: 6293	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x9241:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9255:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9269:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x927d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9291:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92a5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92b9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92cd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92e1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x92f5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9309:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x931d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9331:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9345:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9359:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x936d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9381:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9395:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x93a9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x93bd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x93d1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: FBI.mpsl.elf PID: 6293	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x91f4:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 0x9836:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Process Memory Space: FBI.mpsl.elf PID: 6295	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: FBI.mpsl.elf PID: 6295	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3bc9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bdd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3bf1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c05:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c19:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c2d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c41:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c55:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c69:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c7d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3c91:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ca5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cb9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ccd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ce1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3cf5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3d09:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3d1d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3d31:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3d45:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3d59:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: FBI.mpsl.elf PID: 6295	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x3b7c:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64 0x41be:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 30 entries

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FBI.mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: FBI.mpsl.elf	Virustotal: Detection: 63%			Perma Link
Source: FBI.mpsl.elf	ReversingLabs: Detection: 61%

Source: global traffic

TCP traffic: 192.168.2.23:36258 -> 176.65.144.18:1337

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18
Source: unknown	TCP traffic detected without corresponding DNS query: 176.65.144.18

Source: FBI.mpsl.elf	String found in binary or memory: http://fast.no/support/crawler.asp)
Source: FBI.mpsl.elf	String found in binary or memory: http://feedback.redkolibri.com/
Source: FBI.mpsl.elf	String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: FBI.mpsl.elf	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: FBI.mpsl.elf	String found in binary or memory: http://www.billybobbot.com/crawler/)

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: FBI.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: FBI.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6267, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6267, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6275, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6275, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6277, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6277, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6293, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6293, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6295, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: FBI.mpsl.elf PID: 6295, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: BusyBox
Source: Initial sample	String containing 'busybox' found: 20+!g}]/proc/self/maps/proc//maps/root//tmp//var/run/mnt/BinsameccountoginnterhraseordeyshellsystemenablebusyboxBusyBoxBuilt-in107.182.129.217

Source: ELF static info symbol of initial sample

.symtab present: no

Source: FBI.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: FBI.mpsl.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6267, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6267, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6275, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6275, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6277, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6277, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6293, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6293, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6295, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: FBI.mpsl.elf PID: 6295, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.troj.linELF@0/0@0/0

Source: submitted sample

Stderr: qemu: uncaught target signal 8 (Floating point exception) - core dumpedqemu: uncaught target signal 8 (Floating point exception) - core dumpedqemu: uncaught target signal 8 (Floating point exception) - core dumpedqemu: uncaught target signal 8 (Floating point exception) - core dumped: exit code = 0

Source: /tmp/FBI.mpsl.elf (PID: 6267)

Queries kernel information via 'uname':

Jump to behavior

Source: FBI.mpsl.elf, 6267.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6275.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6277.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6293.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6295.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: FBI.mpsl.elf, 6267.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6275.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6277.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6293.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp, FBI.mpsl.elf, 6295.1.000055c5e1c57000.000055c5e1cde000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: FBI.mpsl.elf, 6267.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6275.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6277.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6293.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6295.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp	Binary or memory string: fx86_64/usr/bin/qemu-mipsel/tmp/FBI.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/FBI.mpsl.elf
Source: FBI.mpsl.elf, 6275.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6277.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6293.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6295.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 8 (Floating point exception) - core dumped
Source: FBI.mpsl.elf, 6267.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6275.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6277.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6293.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp, FBI.mpsl.elf, 6295.1.00007ffc3dc79000.00007ffc3dc9a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: FBI.mpsl.elf, type: SAMPLE
Source: Yara match	File source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: FBI.mpsl.elf, type: SAMPLE
Source: Yara match	File source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6267, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6275, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6277, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6293, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6295, type: MEMORYSTR

Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Source: Initial sample	User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Source: Initial sample	User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Source: Initial sample	User agent string found: Mozilla/5.0 (iPad; U; CPU OS 5_1 like Mac OS X) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10 UCBrowser/3.4.3.532
Source: Initial sample	User agent string found: Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; cn) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample	User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample	User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample	User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match	File source: FBI.mpsl.elf, type: SAMPLE
Source: Yara match	File source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: FBI.mpsl.elf, type: SAMPLE
Source: Yara match	File source: 6275.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6295.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6267.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6293.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6277.1.00007f1bb0400000.00007f1bb0420000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6267, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6275, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6277, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6293, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FBI.mpsl.elf PID: 6295, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FBI.mpsl.elf	63%	Virustotal		Browse
FBI.mpsl.elf	61%	ReversingLabs	Linux.Backdoor.DemonBot
FBI.mpsl.elf	100%	Avira	EXP/ELF.Mirai.Z

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.baidu.com/search/spider.html)	FBI.mpsl.elf	false	high
http://www.billybobbot.com/crawler/)	FBI.mpsl.elf	false	high
http://fast.no/support/crawler.asp)	FBI.mpsl.elf	false	high
http://feedback.redkolibri.com/	FBI.mpsl.elf	false	high
http://www.baidu.com/search/spider.htm)	FBI.mpsl.elf	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.65.144.18	unknown	Germany	12975	PALTEL-ASPALTELAutonomousSystemPS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.65.144.18	FBI.arm.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	rjfe686.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Mirai	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	efefa7.elf	Get hash	malicious	Mirai	Browse
91.189.91.42	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	rjfe686.elf	Get hash	malicious	Unknown	Browse
	aarch64.elf	Get hash	malicious	Mirai	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	efefa7.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	rjfe686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	185.125.190.26
	aarch64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vejfa5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
PALTEL-ASPALTELAutonomousSystemPS	FBI.arm.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.sh4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.arm7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.ppc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	FBI.arm6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.65.144.18
	clip64.dll	Get hash	malicious	Amadey	Browse	176.65.137.193
	clip64.dll	Get hash	malicious	Amadey	Browse	176.65.137.193
CANONICAL-ASGB	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	arm5.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	rjfe686.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	185.125.190.26
	aarch64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	vejfa5.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
INIT7CH	FBI.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	FBI.arm5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	arm5.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	rjfe686.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	aarch64.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	sh4.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	efefa7.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.53377314222002
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	FBI.mpsl.elf
File size:	150'112 bytes
MD5:	5ec356608a575cf57e0b90019dc1edff
SHA1:	6f7b194628b403e1b66420bec9cf853337c0d7a8
SHA256:	e5240047c2b3d7fd7e1e54f5bd18554f0d22c6f6ecfe06be38e27bffd4efe6e1
SHA512:	40c77a6ca2cfb422ee13996eac9c6b06a90be800a5206de504ce24edaa1219da247b90805560cbab4d1beecc4719160e78725d9114875db3d7b04ecff36b9281
SSDEEP:	1536:l3M2bKBo+0NFgNZhEyv2zJuoaZ8jCSRCt6+5Jx0/Jwq75hsp8nKxD:tYhEVzPasCB/e575hsp8nK
TLSH:	CEE3D606BF109EB7C81FDD3301F98B0124CCB49725A53B6B3674DA69BA5A58B05E3CE4
File Content Preview:	.ELF......................@.4...hG......4. ...(........p......@...@...........................@...@.\|...\|.....................F...F.....tv..........Q.td................................................P.F....<...'!......'.......................<`..'!... ..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x4002a0
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	4
Section Header Offset:	149352
Section Header Size:	40
Number of Section Headers:	19
Header String Table Index:	18

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.reginfo	MIPS_REGINFO	0x4000b4	0xb4	0x18	0x18	0x2	A	4
.init	PROGBITS	0x4000cc	0xcc	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400160	0x160	0x1acb0	0x0	0x6	AX	16
.fini	PROGBITS	0x41ae10	0x1ae10	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x41ae70	0x1ae70	0x4c08	0x0	0x2	A	16
.eh_frame	PROGBITS	0x41fa78	0x1fa78	0x4	0x0	0x2	A	4
.ctors	PROGBITS	0x460000	0x20000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x460008	0x20008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x460010	0x20010	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x460014	0x20014	0x4f4	0x0	0x3	WA	4
.data	PROGBITS	0x460510	0x20510	0x550	0x0	0x3	WA	16
.got	PROGBITS	0x460a60	0x20a60	0x5a4	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x461004	0x21004	0x24	0x0	0x10000003	WAp	4
.bss	NOBITS	0x461030	0x21004	0x6644	0x0	0x3	WA	16
.comment	PROGBITS	0x0	0x21004	0xdb6	0x0	0x0		1
.mdebug.abi32	PROGBITS	0xdb6	0x21dba	0x0	0x0	0x0		1
.pdr	PROGBITS	0x0	0x21dbc	0x2920	0x0	0x0		4
.shstrtab	STRTAB	0x0	0x246dc	0x8a	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
<unknown>	0xb4	0x4000b4	0x4000b4	0x18	0x18	0.9834	0x4	R	0x4	.reginfo
LOAD	0x0	0x400000	0x400000	0x1fa7c	0x1fa7c	5.6819	0x5	R E	0x10000	.reginfo .init .text .fini .rodata .eh_frame
LOAD	0x20000	0x460000	0x460000	0x1004	0x7674	4.4184	0x6	RW	0x10000	.ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 89
• 1337 undefined
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 08:36:09.165496111 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 2, 2025 08:36:09.427630901 CEST	36258	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:09.629386902 CEST	1337	36258	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:11.524851084 CEST	36260	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:11.728660107 CEST	1337	36260	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:14.632194042 CEST	36262	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:14.792840004 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 2, 2025 08:36:14.836534977 CEST	1337	36262	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:16.783261061 CEST	36264	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:16.986156940 CEST	1337	36264	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:19.839278936 CEST	36266	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:20.040972948 CEST	1337	36266	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:21.987889051 CEST	36268	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:22.188610077 CEST	1337	36268	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:25.042972088 CEST	36270	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:25.247956991 CEST	1337	36270	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:27.191226006 CEST	36272	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:27.392955065 CEST	1337	36272	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:30.250363111 CEST	36274	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:30.452588081 CEST	1337	36274	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:30.918682098 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 2, 2025 08:36:32.395035028 CEST	36276	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:32.595076084 CEST	1337	36276	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:35.455574036 CEST	36278	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:35.658128977 CEST	1337	36278	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:37.061834097 CEST	42516	80	192.168.2.23	109.202.202.202
Apr 2, 2025 08:36:37.597662926 CEST	36280	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:37.801472902 CEST	1337	36280	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:40.661027908 CEST	36282	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:40.862859011 CEST	1337	36282	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:41.157196999 CEST	42836	443	192.168.2.23	91.189.91.43
Apr 2, 2025 08:36:42.804272890 CEST	36284	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:43.005748987 CEST	1337	36284	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:45.865175962 CEST	36286	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:46.073559046 CEST	1337	36286	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:48.008570910 CEST	36288	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:48.209253073 CEST	1337	36288	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:51.076014042 CEST	36290	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:51.277256012 CEST	1337	36290	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:53.212095022 CEST	36292	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:53.418327093 CEST	1337	36292	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:56.279875040 CEST	36294	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:56.481590033 CEST	1337	36294	176.65.144.18	192.168.2.23
Apr 2, 2025 08:36:58.420926094 CEST	36296	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:36:58.629116058 CEST	1337	36296	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:01.484853983 CEST	36298	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:01.691559076 CEST	1337	36298	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:03.631612062 CEST	36300	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:03.832581043 CEST	1337	36300	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:06.694257975 CEST	36302	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:06.894176960 CEST	1337	36302	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:08.834630013 CEST	36304	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:09.036812067 CEST	1337	36304	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:11.873239994 CEST	43928	443	192.168.2.23	91.189.91.42
Apr 2, 2025 08:37:11.896639109 CEST	36306	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:12.098953962 CEST	1337	36306	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:14.038635015 CEST	36308	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:14.241641998 CEST	1337	36308	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:17.102263927 CEST	36310	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:17.306164980 CEST	1337	36310	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:19.244275093 CEST	36312	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:19.450953007 CEST	1337	36312	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:22.308676004 CEST	36314	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:22.509375095 CEST	1337	36314	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:24.454011917 CEST	36316	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:24.661329985 CEST	1337	36316	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:27.512271881 CEST	36318	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:27.716869116 CEST	1337	36318	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:29.664716005 CEST	36320	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:29.869718075 CEST	1337	36320	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:32.720088005 CEST	36322	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:32.922862053 CEST	1337	36322	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:34.873473883 CEST	36324	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:35.075864077 CEST	1337	36324	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:37.928033113 CEST	36326	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:38.129781961 CEST	1337	36326	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:40.079478025 CEST	36328	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:40.281208038 CEST	1337	36328	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:43.134171009 CEST	36330	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:43.335202932 CEST	1337	36330	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:45.286577940 CEST	36332	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:45.491738081 CEST	1337	36332	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:48.340688944 CEST	36334	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:48.543153048 CEST	1337	36334	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:50.496119022 CEST	36336	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:50.698600054 CEST	1337	36336	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:53.547660112 CEST	36338	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:53.749162912 CEST	1337	36338	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:55.702527046 CEST	36340	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:55.906050920 CEST	1337	36340	176.65.144.18	192.168.2.23
Apr 2, 2025 08:37:58.751288891 CEST	36342	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:37:58.967194080 CEST	1337	36342	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:00.908622026 CEST	36344	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:01.110358953 CEST	1337	36344	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:03.969854116 CEST	36346	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:04.172036886 CEST	1337	36346	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:06.113214970 CEST	36348	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:06.323759079 CEST	1337	36348	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:09.174057007 CEST	36350	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:09.375483036 CEST	1337	36350	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:11.325979948 CEST	36352	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:11.527751923 CEST	1337	36352	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:14.378012896 CEST	36354	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:14.581855059 CEST	1337	36354	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:16.529333115 CEST	36356	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:16.729541063 CEST	1337	36356	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:19.584440947 CEST	36358	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:19.792407036 CEST	1337	36358	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:21.731489897 CEST	36360	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:21.932043076 CEST	1337	36360	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:24.796658993 CEST	36362	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:24.998831034 CEST	1337	36362	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:26.934324980 CEST	36364	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:27.138519049 CEST	1337	36364	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:30.000878096 CEST	36366	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:30.203708887 CEST	1337	36366	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:32.140444040 CEST	36368	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:32.342273951 CEST	1337	36368	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:35.205533981 CEST	36370	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:35.409224987 CEST	1337	36370	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:37.344921112 CEST	36372	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:37.547204971 CEST	1337	36372	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:40.411056995 CEST	36374	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:40.613432884 CEST	1337	36374	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:42.549432993 CEST	36376	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:42.751296043 CEST	1337	36376	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:45.615854979 CEST	36378	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:45.820348024 CEST	1337	36378	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:47.753609896 CEST	36380	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:47.954010010 CEST	1337	36380	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:50.822977066 CEST	36382	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:51.023027897 CEST	1337	36382	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:52.957117081 CEST	36384	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:53.157120943 CEST	1337	36384	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:56.025661945 CEST	36386	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:56.226732969 CEST	1337	36386	176.65.144.18	192.168.2.23
Apr 2, 2025 08:38:58.160197020 CEST	36388	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:38:58.365322113 CEST	1337	36388	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:01.229341984 CEST	36390	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:01.433685064 CEST	1337	36390	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:03.368230104 CEST	36392	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:03.572371006 CEST	1337	36392	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:06.435250044 CEST	36394	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:06.636955023 CEST	1337	36394	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:08.574146986 CEST	36396	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:08.774789095 CEST	1337	36396	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:11.639420986 CEST	36398	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:11.839792013 CEST	1337	36398	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:13.777468920 CEST	36400	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:13.978708029 CEST	1337	36400	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:16.841656923 CEST	36402	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:17.044996023 CEST	1337	36402	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:18.981148005 CEST	36404	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:19.184350014 CEST	1337	36404	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:22.047316074 CEST	36406	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:22.250467062 CEST	1337	36406	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:24.186400890 CEST	36408	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:24.388437986 CEST	1337	36408	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:27.253592968 CEST	36410	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:27.453329086 CEST	1337	36410	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:29.391012907 CEST	36412	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:29.592472076 CEST	1337	36412	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:32.455859900 CEST	36414	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:32.657147884 CEST	1337	36414	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:34.594707966 CEST	36416	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:34.797960043 CEST	1337	36416	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:37.660707951 CEST	36418	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:37.862453938 CEST	1337	36418	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:39.799875975 CEST	36420	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:40.002068043 CEST	1337	36420	176.65.144.18	192.168.2.23
Apr 2, 2025 08:39:42.865844965 CEST	36422	1337	192.168.2.23	176.65.144.18
Apr 2, 2025 08:39:43.067245007 CEST	1337	36422	176.65.144.18	192.168.2.23

System Behavior

Analysis Process: FBI.mpsl.elf PID: 6267, Parent PID: 6182

General

Start time (UTC):	06:36:08
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	/tmp/FBI.mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

File Activities

File Opened

File Read

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6269, Parent PID: 6267

General

Start time (UTC):	06:36:09
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Thread Sleep

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6271, Parent PID: 6267

General

Start time (UTC):	06:36:09
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

File Activities

File Opened

Process Activities

Process Forked

Prctl Requested

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6273, Parent PID: 6271

General

Start time (UTC):	06:36:09
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

File Activities

File Opened

Process Activities

Process Forked

Prctl Requested

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6275, Parent PID: 6273

General

Start time (UTC):	06:36:09
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Forked

Signal Sent

Thread Sleep

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6277, Parent PID: 6275

General

Start time (UTC):	06:36:09
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Signal Sent

Thread Sleep

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6293, Parent PID: 6271

General

Start time (UTC):	06:36:11
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Process Activities

Process Forked

Signal Sent

Thread Sleep

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6295, Parent PID: 6293

General

Start time (UTC):	06:36:11
Start date (UTC):	02/04/2025
Path:	/tmp/FBI.mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report FBI.mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: FBI.mpsl.elf PID: 6267, Parent PID: 6182

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6269, Parent PID: 6267

General

Process Activities

Thread Sleep

Chronological Activities

Analysis Process: FBI.mpsl.elf PID: 6271, Parent PID: 6267

General

Linux Analysis Report
FBI.mpsl.elf