Linux Analysis Report
Space.arm.elf

Overview

General Information

Sample name: Space.arm.elf
Analysis ID: 1654339
MD5: 0ede55171fac39b327b72cc5623417f3
SHA1: 5eec95395343854bf3633a912fe1effbe7277428
SHA256: 771edbbfab988b9003ee489c6edc9fe056539aa6bcfccaf73d31869e9676540a
Tags: elf, user-abuse_ch

Detection

Mirai
Score: 68
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious]
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654339
Start date and time: 2025-04-02 09:52:46 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Space.arm.elf
Detection: MAL
Classification: mal68.troj.evad.linELF@0/0@0/0
Command: /tmp/Space.arm.elf
PID: 5489
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
5491.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
5491.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
5509.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
5509.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
5493.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
        No Suricata rule has matched

        AV Detection

        Source: Space.arm.elf, Virustotal: Detection: 29%
        Source: Space.arm.elf, ReversingLabs: Detection: 47%
        Source: global traffic, TCP traffic: 192.168.2.14:42786 -> 176.65.144.220:3778
        Source: unknown, TCP traffic detected without corresponding DNS query: 176.65.144.220
        Source: Space.arm.elf, String found in binary or memory: http://upx.sf.net

        System Summary

        Source: 5491.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 5509.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 5493.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: 5489.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: Space.arm.elf PID: 5489, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: Space.arm.elf PID: 5491, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: Space.arm.elf PID: 5493, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: Process Memory Space: Space.arm.elf PID: 5509, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
        Source: LOAD without section mappings, Program segment: 0x8000
        Source: 5491.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5509.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5493.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: 5489.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm.elf PID: 5489, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm.elf PID: 5491, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm.elf PID: 5493, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: Process Memory Space: Space.arm.elf PID: 5509, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
        Source: classification engine, Classification label: mal68.troj.evad.linELF@0/0@0/0

        Data Obfuscation

        Source: initial sample, String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
        Source: initial sample, String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
        Source: /tmp/Space.arm.elf (PID: 5489), File opened: /proc/3760/status
        Source: Space.arm.elf, Submission file: segment LOAD with 7.9701 entropy (max. 8.0)
        Source: /tmp/Space.arm.elf (PID: 5489), Queries kernel information via 'uname'
        Source: Space.arm.elf, 5489.1.000056384f4e5000.000056384f695000.rw-.sdmp, Space.arm.elf, 5491.1.000056384f4e5000.000056384f673000.rw-.sdmp, Space.arm.elf, 5493.1.000056384f4e5000.000056384f673000.rw-.sdmp, Space.arm.elf, 5509.1.000056384f4e5000.000056384f695000.rw-.sdmp, Binary or memory string: OO8V!/etc/qemu-binfmt/arm
        Source: Space.arm.elf, 5489.1.000056384f4e5000.000056384f695000.rw-.sdmp, Space.arm.elf, 5491.1.000056384f4e5000.000056384f673000.rw-.sdmp, Space.arm.elf, 5493.1.000056384f4e5000.000056384f673000.rw-.sdmp, Space.arm.elf, 5509.1.000056384f4e5000.000056384f695000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/arm
        Source: Space.arm.elf, 5489.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Space.arm.elf, 5491.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Space.arm.elf, 5493.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Space.arm.elf, 5509.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Space.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.arm.elf
        Source: Space.arm.elf, 5489.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Space.arm.elf, 5491.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Space.arm.elf, 5493.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Space.arm.elf, 5509.1.00007fff8a75d000.00007fff8a77e000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-arm

        Stealing of Sensitive Information

        Source: Yara match, File source: 5491.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5509.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5493.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5489.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5489, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5491, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5493, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5509, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match, File source: 5491.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5509.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5493.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: 5489.1.00007f8fa8017000.00007f8fa802c000.r-x.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5489, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5491, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5493, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: Space.arm.elf PID: 5509, type: MEMORYSTR
        Tactic | Technique
        Reconnaissance | Gather Victim Identity Information
        Resource Development | Acquire Infrastructure
        Initial Access | Valid Accounts
        Execution | Windows Management Instrumentation
        Persistence | Path Interception
        Privilege Escalation | Path Interception
        Defense Evasion | 11 Obfuscated Files or Information
        Credential Access | 1 OS Credential Dumping
        Discovery | 11 Security Software Discovery
        Lateral Movement | Remote Services
        Collection | Data from Local System
        Command and Control | 1 Non-Standard Port
        Exfiltration | Exfiltration Over Other Network Medium
        Impact | Abuse Accessibility Features
        No configs have been found
        [Behavior graph. Behavior Graph ID: 1654339, Sample: Space.arm.elf, Start date: 02/04/2025, Architecture: LINUX, Score: 68]
        Source | Detection | Scanner | Label
        Space.arm.elf | 30% | Virustotal |
        Space.arm.elf | 47% | ReversingLabs | Linux.Backdoor.Mirai
        No Antivirus matches

        No contacted domains info
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://upx.sf.net | Space.arm.elf | false | | high

        IP | Domain | Country | ASN | ASN Name | Malicious
        176.65.144.220 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false
          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          176.65.144.220Space.arm7.elfGet hashmaliciousMiraiBrowse
            Space.x86_64.elfGet hashmaliciousUnknownBrowse
              Space.ppc.elfGet hashmaliciousUnknownBrowse
                Space.i686.elfGet hashmaliciousUnknownBrowse
                  Space.mpsl.elfGet hashmaliciousUnknownBrowse
                    Space.sh4.elfGet hashmaliciousUnknownBrowse
                      Space.x86.elfGet hashmaliciousUnknownBrowse
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        PALTEL-ASPALTELAutonomousSystemPS | Space.arm7.elf | malicious | Mirai | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | Space.x86_64.elf | malicious | Unknown | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | Space.ppc.elf | malicious | Unknown | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | Space.i686.elf | malicious | Unknown | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | Space.mpsl.elf | malicious | Unknown | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | Space.sh4.elf | malicious | Unknown | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | Space.x86.elf | malicious | Unknown | 176.65.144.220
                        PALTEL-ASPALTELAutonomousSystemPS | FBI.mpsl.elf | malicious | Gafgyt, Mirai | 176.65.144.18
                        PALTEL-ASPALTELAutonomousSystemPS | FBI.arm.elf | malicious | Gafgyt, Mirai | 176.65.144.18
                        PALTEL-ASPALTELAutonomousSystemPS | FBI.sh4.elf | malicious | Gafgyt, Mirai | 176.65.144.18
                        No context
                        No created / dropped files found
                        File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
                        Entropy (8bit):7.968236794788855
                        TrID:
                        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                        File name:Space.arm.elf
                        File size:39'296 bytes
                        MD5:0ede55171fac39b327b72cc5623417f3
                        SHA1:5eec95395343854bf3633a912fe1effbe7277428
                        SHA256:771edbbfab988b9003ee489c6edc9fe056539aa6bcfccaf73d31869e9676540a
                        SHA512:eb1c1b4f89a95e1b34b18dbf59987a1fa6998405cf55aa780398df5aa08da1a863b752557cffc7aee5a298ccd5f7d34a2d7198a80b50d00ab5f48fed09ef3221
                        SSDEEP:768:eu7RATMUu4f7RDdP6NM8I52VNbvdFsDJ4yips3UozOd:TRAC4fNDdP6N5pd+D7i0zOd
                        TLSH:D203F196BD4AD511D8A04134EE3F0416FE3BEEBCC2DB7014A1250939B9D1A47753CBE6
                        File Content Preview:.ELF...a..........(.........4...........4. ...(....................._..._................{...{...{..................Q.td............................s.y.UPX!.........T...T......S..........?.E.h;.}...^..........fK..z..,vU...].XLU..0.)..0(7n..V5.'...,;.q9...

                        ELF header

                        Class:ELF32
                        Data:2's complement, little endian
                        Version:1 (current)
                        Machine:ARM
                        Version Number:0x1
                        Type:EXEC (Executable file)
                        OS/ABI:ARM - ABI
                        ABI Version:0
                        Entry Point Address:0x106b0
                        Flags:0x202
                        ELF Header Size:52
                        Program Header Offset:52
                        Program Header Size:32
                        Number of Program Headers:3
                        Section Header Offset:0
                        Section Header Size:40
                        Number of Section Headers:0
                        Header String Table Index:0
                        Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
                        LOAD | 0x0 | 0x8000 | 0x8000 | 0x985f | 0x985f | 7.9701 | 0x5 | R E | 0x8000 | |
                        LOAD | 0x7bc8 | 0x27bc8 | 0x27bc8 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 | |
                        GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Apr 2, 2025 09:53:32.053217888 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:32.257558107 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:32.257683039 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:32.266262054 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:32.468152046 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:32.468221903 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:32.672430038 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:38.286439896 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:38.488095999 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:38.488156080 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:39.308897972 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:39.508872032 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:39.509002924 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:39.511251926 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:39.712064981 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:39.712158918 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:39.912364006 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:42.268125057 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:42.471498013 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:42.496442080 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:42.497232914 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:49.521315098 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:49.722440958 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:49.762557983 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:49.762798071 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:53:57.708683014 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:53:57.708806038 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:05.133290052 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:05.133534908 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:12.914273024 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:12.914402962 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:20.336179018 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:20.336503983 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:28.116416931 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:28.116652012 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:35.540668011 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:35.540930986 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:42.545506954 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:42.763668060 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:42.763809919 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:49.806946993 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:50.011374950 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:50.043829918 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:50.043952942 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:54:58.133730888 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:54:58.133884907 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:05.294018030 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:05.294234991 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:13.338356018 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:13.338677883 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:20.496460915 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:20.496702909 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:28.588382006 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:28.588536024 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:35.700289965 CEST | 3778 | 42788 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:35.700541019 CEST | 42788 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:42.816768885 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220
                        Apr 2, 2025 09:55:43.060399055 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:43.078448057 CEST | 3778 | 42786 | 176.65.144.220 | 192.168.2.14
                        Apr 2, 2025 09:55:43.078535080 CEST | 42786 | 3778 | 192.168.2.14 | 176.65.144.220

                        System Behavior

                        Start time (UTC):07:53:30
                        Start date (UTC):02/04/2025
                        Path:/tmp/Space.arm.elf
                        Arguments:/tmp/Space.arm.elf
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):07:53:31
                        Start date (UTC):02/04/2025
                        Path:/tmp/Space.arm.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):07:53:31
                        Start date (UTC):02/04/2025
                        Path:/tmp/Space.arm.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):07:53:31
                        Start date (UTC):02/04/2025
                        Path:/tmp/Space.arm.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):07:53:37
                        Start date (UTC):02/04/2025
                        Path:/tmp/Space.arm.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                        Start time (UTC):07:53:37
                        Start date (UTC):02/04/2025
                        Path:/tmp/Space.arm.elf
                        Arguments:-
                        File size:4956856 bytes
                        MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1