
Linux Analysis Report
Space.sh4.elf

Overview

General Information

Sample name: Space.sh4.elf
Analysis ID: 1654324
MD5: 0bc43e1fbb92d110aa49e2f6e00c5260
SHA1: bcec5373f0fe5979046dbe4cfb270d73c3ae102c
SHA256: a42f68af1f0330f7fb69c6fea64feae2b7548667a1a95b62e827d7adc3e3fac9
Tags: elf, user-abuse_ch

Detection

Score: 64
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654324
Start date and time: 2025-04-02 09:37:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Space.sh4.elf
Detection: MAL
Classification: mal64.linELF@0/0@0/0
Command: /tmp/Space.sh4.elf
PID: 5528
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Yara matches

Source: Space.sh4.elf | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
Source: 5530.1.00007fc030400000.00007fc030414000.r-x.sdmp | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
Source: 5540.1.00007fc030400000.00007fc030414000.r-x.sdmp | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
Source: 5528.1.00007fc030400000.00007fc030414000.r-x.sdmp | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
Source: 5532.1.00007fc030400000.00007fc030414000.r-x.sdmp | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
Source: Process Memory Space: Space.sh4.elf PID: 5528 | Rule: Linux_Trojan_Gafgyt_28a2fe0c | Description: unknown | Author: unknown
No Suricata rule has matched



AV Detection

Source: Space.sh4.elf | Avira: detected
Source: Space.sh4.elf | Virustotal: Detection: 63%
Source: Space.sh4.elf | ReversingLabs: Detection: 63%
Source: global traffic | TCP traffic: 192.168.2.15:40438 -> 176.65.144.220:3778
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.220

System Summary

Source: Space.sh4.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5530.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5540.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5528.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: 5532.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: Space.sh4.elf PID: 5528, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: Space.sh4.elf PID: 5530, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: Space.sh4.elf PID: 5532, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Process Memory Space: Space.sh4.elf PID: 5540, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | Author: unknown
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: /proc/net/tcp.x86.x86_64.arm.arm5.arm6.arm7.mips.mipsel.sh4.ppc/proc/proc/%d/exe/proc/%s/statusrName:%s/bin/busybox/bin/systemd/usr/bintest/tmp/condi/tmp/zxcr9999/tmp/condinetwork/var/condibot/var/zxcr9999/var/CondiBot/var/condinet/bin/watchdog176.65.144.220
Source: ELF static info symbol of initial sample | .symtab present: no
Source: Space.sh4.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5530.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5540.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5528.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5532.1.00007fc030400000.00007fc030414000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.sh4.elf PID: 5528, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.sh4.elf PID: 5530, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.sh4.elf PID: 5532, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.sh4.elf PID: 5540, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal64.linELF@0/0@0/0
Source: /tmp/Space.sh4.elf (PID: 5528) | File opened: /proc/110/status
Source: /tmp/Space.sh4.elf (PID: 5528)Queries kernel information via 'uname': Jump to behavior
Source: Space.sh4.elf, 5528.1.00007fff07b44000.00007fff07b65000.rw-.sdmp, Space.sh4.elf, 5530.1.00007fff07b44000.00007fff07b65000.rw-.sdmp, Space.sh4.elf, 5532.1.00007fff07b44000.00007fff07b65000.rw-.sdmp, Space.sh4.elf, 5540.1.00007fff07b44000.00007fff07b65000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: Space.sh4.elf, 5528.1.00007fff07b44000.00007fff07b65000.rw-.sdmp, Space.sh4.elf, 5530.1.00007fff07b44000.00007fff07b65000.rw-.sdmp, Space.sh4.elf, 5532.1.00007fff07b44000.00007fff07b65000.rw-.sdmp, Space.sh4.elf, 5540.1.00007fff07b44000.00007fff07b65000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/Space.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.sh4.elf
Source: Space.sh4.elf, 5528.1.00005601ee396000.00005601ee420000.rw-.sdmp, Space.sh4.elf, 5530.1.00005601ee396000.00005601ee3f9000.rw-.sdmp, Space.sh4.elf, 5532.1.00005601ee396000.00005601ee3f9000.rw-.sdmp, Space.sh4.elf, 5540.1.00005601ee396000.00005601ee420000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: Space.sh4.elf, 5528.1.00005601ee396000.00005601ee420000.rw-.sdmp, Space.sh4.elf, 5530.1.00005601ee396000.00005601ee3f9000.rw-.sdmp, Space.sh4.elf, 5532.1.00005601ee396000.00005601ee3f9000.rw-.sdmp, Space.sh4.elf, 5540.1.00005601ee396000.00005601ee420000.rw-.sdmp Binary or memory string: V5!/etc/qemu-binfmt/sh4
Tactic: Technique (count, where the page gives one)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (11)
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Non-Standard Port (1)
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
No configs have been found
Behavior Graph (rendered graph not reproduced; recoverable information only)

  • Behavior Graph ID: 1654324
  • Sample: Space.sh4.elf
  • Start date: 02/04/2025
  • Architecture: LINUX
  • Score: 64
  • Contacted IP: 176.65.144.220, ports 3778, 40438, 40440 (PALTEL-ASPALTELAutonomousSystemPS, Germany)
  • Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
  • Process tree: Space.sh4.elf started; it started three further Space.sh4.elf processes, the first of which started two more Space.sh4.elf processes

Source | Detection | Scanner | Label
Space.sh4.elf | 63% | Virustotal |
Space.sh4.elf | 64% | ReversingLabs | Linux.Backdoor.Mirai
Space.sh4.elf | 100% | Avira | LINUX/Mirai.bonb
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
176.65.144.220 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false
Match | Associated Sample Name / URL | Detection | Threat Name
176.65.144.220 | Space.x86.elf | malicious | Unknown
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context IP
    PALTEL-ASPALTELAutonomousSystemPS | Space.x86.elf | malicious | Unknown | 176.65.144.220
    PALTEL-ASPALTELAutonomousSystemPS | FBI.mpsl.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.arm.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.sh4.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.arm7.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.x86.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.mips.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.arm5.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.ppc.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    PALTEL-ASPALTELAutonomousSystemPS | FBI.arm6.elf | malicious | Gafgyt, Mirai | 176.65.144.18
    No created / dropped files found
    File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):6.603221573851322
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:Space.sh4.elf
    File size:82'652 bytes
    MD5:0bc43e1fbb92d110aa49e2f6e00c5260
    SHA1:bcec5373f0fe5979046dbe4cfb270d73c3ae102c
    SHA256:a42f68af1f0330f7fb69c6fea64feae2b7548667a1a95b62e827d7adc3e3fac9
    SHA512:d84458a5f50362ed4cd1b3f5c462ca52d44b8c2e9dfb428a49ddd9ffbbfa4233ad570f7bdef77f760a1075fb1ca1e65b235c371f03c36c619d713efe3bffa574
    SSDEEP:1536:DWRU/uih+nyazXUcMnYVohwH5wX6SNmTdEyRqr:DR/F+nyazXenY66L5dRS
    TLSH:A2839E61F0146CE5C8660674F0F8ED35471369F123A52CB26EEEE9A188F368DF44AF94
    File Content Preview:.ELF..............*.......@.4...LA......4. ...(...............@...@.L4..L4...............@...@B..@B.0...............Q.td..............................././"O.n......#.*@........#.*@L...&O.n.l..................................././.../.a"O.!...n...a.b("...q.

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:<unknown>
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x4001a0
    Flags:0xc
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:82252
    Section Header Size:40
    Number of Section Headers:10
    Header String Table Index:9
    Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
    | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
    .init | PROGBITS | 0x400094 | 0x94 | 0x2e | 0x0 | 0x6 | AX | 0 | 0 | 4
    .text | PROGBITS | 0x4000e0 | 0xe0 | 0x10e60 | 0x0 | 0x6 | AX | 0 | 0 | 32
    .fini | PROGBITS | 0x410f40 | 0x10f40 | 0x22 | 0x0 | 0x6 | AX | 0 | 0 | 4
    .rodata | PROGBITS | 0x410f64 | 0x10f64 | 0x24e8 | 0x0 | 0x2 | A | 0 | 0 | 4
    .ctors | PROGBITS | 0x4240dc | 0x140dc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .dtors | PROGBITS | 0x4240e4 | 0x140e4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .data | PROGBITS | 0x4240f0 | 0x140f0 | 0x1c | 0x0 | 0x3 | WA | 0 | 0 | 4
    .bss | NOBITS | 0x42410c | 0x1410c | 0xaec | 0x0 | 0x3 | WA | 0 | 0 | 4
    .shstrtab | STRTAB | 0x0 | 0x1410c | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x400000 | 0x400000 | 0x1344c | 0x1344c | 6.7755 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
    LOAD | 0x140dc | 0x4240dc | 0x4240dc | 0x30 | 0xb1c | 2.4711 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .bss
    GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Apr 2, 2025 09:38:33.615668058 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:33.821177006 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:33.821238041 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:33.829215050 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:34.451585054 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:34.656433105 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:40.630580902 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:40.836882114 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:40.836965084 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:40.906138897 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:41.111310959 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:41.111377954 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:41.318708897 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:43.839720011 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:44.041755915 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:44.041786909 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:44.042002916 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:50.916642904 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:51.118341923 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:51.118403912 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:51.118803024 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:38:59.400835991 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:38:59.401109934 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:06.569751024 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:06.570035934 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:14.604984999 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:14.605145931 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:21.776839972 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:21.777036905 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:29.811558008 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:29.811691999 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:36.984416008 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:36.984698057 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:44.101696014 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:44.306579113 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:44.306768894 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:51.176548958 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:51.376840115 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:51.377192020 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:39:59.564315081 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:39:59.564491987 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:06.733294010 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:40:06.733825922 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:14.765433073 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:40:14.765640020 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:21.937287092 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:40:21.937529087 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:29.970649958 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:40:29.970824003 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:37.196491957 CEST | 3778 | 40440 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:40:37.196697950 CEST | 40440 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:44.366333008 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220
    Apr 2, 2025 09:40:44.568077087 CEST | 3778 | 40438 | 176.65.144.220 | 192.168.2.15
    Apr 2, 2025 09:40:44.568450928 CEST | 40438 | 3778 | 192.168.2.15 | 176.65.144.220

    System Behavior

    Start time (UTC):07:38:32
    Start date (UTC):02/04/2025
    Path:/tmp/Space.sh4.elf
    Arguments:/tmp/Space.sh4.elf
    File size:4139976 bytes
    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

    Start time (UTC):07:38:32
    Start date (UTC):02/04/2025
    Path:/tmp/Space.sh4.elf
    Arguments:-
    File size:4139976 bytes
    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

    Start time (UTC):07:38:32
    Start date (UTC):02/04/2025
    Path:/tmp/Space.sh4.elf
    Arguments:-
    File size:4139976 bytes
    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

    Start time (UTC):07:38:32
    Start date (UTC):02/04/2025
    Path:/tmp/Space.sh4.elf
    Arguments:-
    File size:4139976 bytes
    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

    Start time (UTC):07:38:39
    Start date (UTC):02/04/2025
    Path:/tmp/Space.sh4.elf
    Arguments:-
    File size:4139976 bytes
    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

    Start time (UTC):07:38:39
    Start date (UTC):02/04/2025
    Path:/tmp/Space.sh4.elf
    Arguments:-
    File size:4139976 bytes
    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9