
Linux Analysis Report
bejv86.elf

Overview

General Information

Sample name: bejv86.elf
Analysis ID: 1654587
MD5: a3c93189f0863eeeea9d9765623a9b37
SHA1: afea5b5a4f5c8abc24748ea5e9f34192a600dcea
SHA256: 5847f3656c7804b69ce3592d06bda554e5bf637176006181d35648344250c45a
Tags: elf, user-abuse_ch

Detection

Score: 64
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sends malformed DNS queries
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Reads system information from the proc file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654587
Start date and time: 2025-04-02 12:36:59 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: bejv86.elf
Detection: MAL
Classification: mal64.troj.evad.linELF@0/6@13/0
Command: /tmp/bejv86.elf
PID: 5439
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
kovey/cursinq was here, go away!
Standard Error: write failed: Invalid argument
  • system is lnxubuntu20
  • bejv86.elf (PID: 5439, Parent: 5360, MD5: a3c93189f0863eeeea9d9765623a9b37) Arguments: /tmp/bejv86.elf
  • systemd New Fork (PID: 5443, Parent: 1)
  • journalctl (PID: 5443, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --smart-relinquish-var
  • systemd New Fork (PID: 5458, Parent: 1)
  • systemd-journald (PID: 5458, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald
  • systemd New Fork (PID: 5473, Parent: 1)
  • journalctl (PID: 5473, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --flush
  • cleanup
Yara matches on the submitted file (Source, Rule, Description, Author, Strings):
Source: bejv86.elf, Rule: Linux_Trojan_Mirai_b14f4c5d, Description: unknown, Author: unknown
  • 0x4ab0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Source: bejv86.elf, Rule: Linux_Trojan_Mirai_5f7b67b8, Description: unknown, Author: unknown
  • 0xa703:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Source: bejv86.elf, Rule: Linux_Trojan_Mirai_88de437f, Description: unknown, Author: unknown
  • 0x8192:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
Source: bejv86.elf, Rule: Linux_Trojan_Mirai_ae9d0fa6, Description: unknown, Author: unknown
  • 0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
Source: bejv86.elf, Rule: Linux_Trojan_Mirai_389ee3e9, Description: unknown, Author: unknown
  • 0xdaab:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83

Yara matches in process memory dumps (Source, Rule, Description, Author, Strings):
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, Rule: Linux_Trojan_Mirai_b14f4c5d, Description: unknown, Author: unknown
  • 0x4ab0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, Rule: Linux_Trojan_Mirai_5f7b67b8, Description: unknown, Author: unknown
  • 0xa703:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, Rule: Linux_Trojan_Mirai_88de437f, Description: unknown, Author: unknown
  • 0x8192:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, Rule: Linux_Trojan_Mirai_ae9d0fa6, Description: unknown, Author: unknown
  • 0x192:$a: 83 EC 04 8A 44 24 18 8B 5C 24 14 88 44 24 03 8A 44 24 10 25 FF 00
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, Rule: Linux_Trojan_Mirai_389ee3e9, Description: unknown, Author: unknown
  • 0xdaab:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
No Suricata rule has matched


AV Detection

Source: bejv86.elf, Virustotal: Detection: 27%
Source: bejv86.elf, ReversingLabs: Detection: 44%
Source: bejv86.elf, String: EOF/proc//fd/proc/%s/stat/proc/%s/cmdline/proc/proc/%d/exe/proc/%d/stat%d %s %c %d/proc/%d/maps/lib/systemd//usr/lib/systemd/system/system/bin//gm/bin//home/process//home/helper/home/davinci/z/bin//usr/libexec//usr/sbin//z/zbin//usr/bin/var/mnt/root/boot/home/dev/media/opt/../(deleted)x86armarm7mipsmpslsh4wgetcurlkillallpkillaptyumiftopdmesgps auxhtopchkrootkitrkhuntercrontabmpstatdpkgclamavfreshclampstreelsmodfilelddaideinitfindyarar2iSidat64peidfirejailauditdauditctltripwirezeeksnortaideclamscanaflreadelfizsnapstracelsofgdbltraceptracewiresharktsharktcpdumpnetstatnmaptracerouteradare2ipsstracepathfakenet-nguptimeiostatvmstatjournalctllogwatchcuckooncatchkconfigobjdumpbinwalkghidraimmunitydebuggerollydbgpe-beardisassemblertdsskillergmerthehivemispdxlclientcortexsplunkkalitailsaircrack-ngvolatilityflarevmremnuxpeStudioCFF Explorerx32dbgx64dbgJDbgCutterdierekalltsk_recoverautopsytruecryptvirtualboxpythonpython3grepstringsbash[killer/node] killed process: %s ;; pid: %d

Networking

Source: global traffic, DNS traffic detected: malformed DNS query: raw.awaken-network.net. [malformed]
Source: global traffic, TCP traffic: 192.168.2.13:54540 -> 141.98.10.142:7733
Source: /lib/systemd/systemd-journald (PID: 5458), Socket: unknown address family
Source: global traffic, DNS traffic detected: DNS query: raw.awaken-network.net
Source: global traffic, DNS traffic detected: DNS query: raw.awaken-network.net. [malformed]
Source: global traffic, DNS traffic detected: DNS query: daisy.ubuntu.com

System Summary

Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: ELF static info symbol of initial sample, .symtab present: no
Source: /tmp/bejv86.elf (PID: 5441), SIGKILL sent: pid: 490, result: successful
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: bejv86.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5442.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5439.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine, Classification label: mal64.troj.evad.linELF@0/6@13/0
Source: /lib/systemd/systemd-journald (PID: 5458), File: /run/systemd/journal/streams/.#9:63440MxzG8U
Source: /lib/systemd/systemd-journald (PID: 5458), File: /run/systemd/journal/streams/.#9:63441hb09yS
Source: /lib/systemd/systemd-journald (PID: 5458), File: /run/systemd/journal/streams/.#9:63447AbCqST
Source: /lib/systemd/systemd-journald (PID: 5458), File: /run/systemd/journal/streams/.#9:63448VIKxzW
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/88/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/89/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/230/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/110/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/231/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/111/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/232/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/112/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/233/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/113/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/234/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/114/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/235/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/115/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/236/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/116/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/237/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/117/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/238/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/91/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/118/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/239/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/92/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/119/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/93/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/94/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/95/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/96/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/97/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/10/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/98/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/11/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/99/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/12/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/13/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/14/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/15/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/16/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/17/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/18/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/19/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/240/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/120/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/241/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/121/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/242/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/122/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/243/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/2/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/123/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/244/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/3/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/124/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/245/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/125/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/4/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/246/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/126/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/5/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/247/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/127/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/6/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/248/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/128/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/7/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/249/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/129/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/8/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/9/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/20/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/21/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/22/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/23/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/24/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/25/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/26/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/27/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/28/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/29/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/490/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/250/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/371/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/130/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/251/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/131/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/252/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/132/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/253/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/254/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/134/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/255/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/256/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/257/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/378/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/258/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/259/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/418/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/419/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/30/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/35/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/260/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/261/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/262/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/142/maps
Source: /tmp/bejv86.elf (PID: 5441), File opened: /proc/263/maps
Source: /lib/systemd/systemd-journald (PID: 5458), Reads from proc file: /proc/meminfo
Source: submitted sample, Stderr: write failed: Invalid argument: exit code = 0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/bejv86.elf (PID: 5440), File: /tmp/bejv86.elf
Source: /lib/systemd/systemd-journald (PID: 5458), Queries kernel information via 'uname'
Source: bejv86.elf, 5442.1.00000000093e0000.00000000093ec000.rw-.sdmp, Binary or memory string: /var/lib/vmware
Source: bejv86.elf, 5442.1.00000000093df000.00000000093e0000.rw-.sdmp, Binary or memory string: /tmp/vmware-root_727-4290690966
Source: bejv86.elf, 5442.1.00000000093df000.00000000093e0000.rw-.sdmp, Binary or memory string: )/tmp/vmware-root_727-4290690966(
Source: bejv86.elf, 5442.1.00000000093e0000.00000000093ec000.rw-.sdmp, Binary or memory string: /var/lib/vmware/VGAuth
Source: bejv86.elf, 5442.1.00000000093e0000.00000000093ec000.rw-.sdmp, Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: bejv86.elf, 5442.1.00000000093e0000.00000000093ec000.rw-.sdmp, Binary or memory string: )/var/lib/vmware/VGAuth/aliasStore
Source: bejv86.elf, 5442.1.00000000093e0000.00000000093ec000.rw-.sdmp, Binary or memory string: !/var/lib/vmware/VGAuth )/var/lib/fwupd/remotes.d/lvfs!/var/lib/lightdm 9/var/lib/snapd/assertions/asserts-v0/snap-revision9/var/lib/snapd/assertions/asserts-v0/serial8y/var/lib/snapd/assertions/asserts-v0/snap-revision/NZlesuWu61egO2k1_7sKXfJPZXdKbX9RXhuvMMt9j7dd7uFXBQ5pUF9YHv-2UE2ey/var/lib/snapd/assertions/asserts-v0/snap-revision/REx4vEmMsvmBiSm-1L2ggAyXr5hCQIzvV_0xif2t15tB-QCP9VrN7BZjRkFiFLbvy/var/lib/snapd/assertions/asserts-v0/snap-revision/BXDSPW96Jb6F3_eZhL8AwtYPtRzHr2gzMVuiT12POZyrskVr-RiajUTs4gki1hLQ1/var/lib/snapd/assertions/asserts-v0/modely/var/lib/snapd/assertions/asserts-v0/snap-revision/hnvTLhkVJJTVgiIlyOAxoLS7W3M1lfN2cmBfkCc4lxwYkw5vz2TS4SThilA_tY68
MITRE ATT&CK Matrix (techniques with signature hits; the number is the count of matching signatures):
  • Scripting (1; shown in two matrix columns)
  • Hidden Files and Directories (1)
  • OS Credential Dumping (1)
  • Security Software Discovery (11)
  • Non-Standard Port (1)
  • File Deletion (1)
  • System Information Discovery (1)
  • Non-Application Layer Protocol (1)
  • Application Layer Protocol (1)
No configs have been found
Behavior Graph (ID: 1654587, Sample: bejv86.elf, Start date: 02/04/2025, Architecture: LINUX, Score: 64):
  • DNS/IP: raw.awaken-network.net. [malformed]
  • DNS/IP: raw.awaken-network.net resolves to 141.98.10.142 (HOSTBALTICLT, Lithuania), ports 2211, 51634, 51636
  • DNS/IP: daisy.ubuntu.com
  • Signature: Malicious sample detected (through community Yara rule)
  • Signature: Multi AV Scanner detection for submitted file
  • Signature: Sends malformed DNS queries (attached to the malformed query)
  • Processes started: bejv86.elf, systemd journalctl, systemd systemd-journald, systemd journalctl
  • bejv86.elf starts a child bejv86.elf; that child triggers "Sample deletes itself" and starts two further bejv86.elf processes

Antivirus results (Source, Detection, Scanner, Label):
  • bejv86.elf: 28%, Virustotal
  • bejv86.elf: 44%, ReversingLabs, Linux.Trojan.Mirai
Dropped files: No Antivirus matches
URLs: No Antivirus matches
Domains: No Antivirus matches


Domains (Name, IP, Active, Malicious, Reputation):
  • daisy.ubuntu.com: 162.213.35.24, active: true, malicious: false, reputation: high
  • raw.awaken-network.net: 141.98.10.142, active: true, malicious: false, reputation: high
  • raw.awaken-network.net. [malformed]: IP unknown, active: unknown, malicious: false, reputation: high

IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
  • 141.98.10.142: raw.awaken-network.net, Lithuania, ASN 209605, HOSTBALTICLT, malicious: false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
141.98.10.142 | drea4.elf | malicious | Unknown | 
141.98.10.142 | rrrdsl.elf | malicious | Unknown | 
141.98.10.142 | rjfe686.elf | malicious | Unknown | 
141.98.10.142 | vejfa5.elf | malicious | Unknown | 
141.98.10.142 | efefa7.elf | malicious | Mirai | 
141.98.10.142 | jfeeps.elf | malicious | Unknown | 
141.98.10.142 | eehah4.elf | malicious | Unknown | 
141.98.10.142 | weje64.elf | malicious | Unknown | 
141.98.10.142 | efjepc.elf | malicious | Unknown | 
141.98.10.142 | vjwe68k.elf | malicious | Unknown | 

Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | arm7.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | aarch64.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | arm6.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | arm5.elf | malicious | Unknown | 162.213.35.24
daisy.ubuntu.com | efea6.elf | malicious | Unknown | 162.213.35.25
daisy.ubuntu.com | xd.powerpc-440fp.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | xd.m68k.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | xd.ppc.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | xd.i686.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | xd.arm6.elf | malicious | Mirai | 162.213.35.24
raw.awaken-network.net | rrrdsl.elf | malicious | Unknown | 141.98.10.142
raw.awaken-network.net | jfeeps.elf | malicious | Unknown | 141.98.10.142
raw.awaken-network.net | weje64.elf | malicious | Unknown | 141.98.10.142
raw.awaken-network.net | efjepc.elf | malicious | Unknown | 141.98.10.142

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTBALTICLT | drea4.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | rrrdsl.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | rjfe686.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | vejfa5.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | efefa7.elf | malicious | Mirai | 141.98.10.142
HOSTBALTICLT | jfeeps.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | eehah4.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | weje64.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | efjepc.elf | malicious | Unknown | 141.98.10.142
HOSTBALTICLT | vjwe68k.elf | malicious | Unknown | 141.98.10.142
                            No context
Process: /lib/systemd/systemd-journald
File Type: ASCII text
Category: dropped
Size (bytes): 223
Entropy (8bit): 5.549754747551262
Encrypted: false
SSDEEP: 3:SbFVVmFyinKMsPOYsn9ms954Hh6SnLAqC+h6KV+h6CQzuxmyj6gB5m+eSdfAg2jq:SbFuFyLVIg1BG+f+Myj6gCOdEji4s
MD5: 7EF10C7A93C5CC576A1333C2CB189472
SHA1: E1344BFED7833947A284F0FC7D3D639C45213CA0
SHA-256: 31484AC0F37008884D40B4861C737FD0A0A741358F883CD23EC82C69BD593749
SHA-512: B2A7DA761597BE082F0B4C6CD591199D3AF3AF1DAEBD30438613BE89C5FC3CE4BDB94F6BFD053EE3E47DB87B85B7B1FB2B96592132AE52483AEA67C3A81933EE
Malicious: false
Reputation: low
Preview: # This is private data. Do not parse.PRIORITY=30.LEVEL_PREFIX=1.FORWARD_TO_SYSLOG=0.FORWARD_TO_KMSG=0.FORWARD_TO_CONSOLE=0.STREAM_ID=896ef1b76d5e4cb5bc3717f5a78112e9.IDENTIFIER=journalctl.UNIT=systemd-journal-flush.service.

Process: /lib/systemd/systemd-journald
File Type: ASCII text
Category: dropped
Size (bytes): 228
Entropy (8bit): 5.462307338676541
Encrypted: false
SSDEEP: 6:SbFuFyLVIg1BG+f+MtT1GfxjdCt/rRMtq:qgFq6g10+f+MtTknCDL
MD5: E8DADCD41EF731B0FE3F7156FAB7435C
SHA1: B6B996FB16FEE2CCEF5C1BE5491277E9C1374906
SHA-256: 8D761D2348B53164C1C2D0883EB11B4B35426AB7610B56F4A0E8B4898CFDA0C1
SHA-512: 39FEBF5A672E31D19D6067B471725D063EC0FF38DBF897F04BDC4E8FE6FA2F478F3AC24713ED563C02ABAE4BCEF6F174B4F8A3F7BAB51F0FFE0CA1A69098FA70
Malicious: false
Reputation: low
Preview: # This is private data. Do not parse.PRIORITY=30.LEVEL_PREFIX=1.FORWARD_TO_SYSLOG=0.FORWARD_TO_KMSG=0.FORWARD_TO_CONSOLE=0.STREAM_ID=ae120a947d2345669fd0367ef189495c.IDENTIFIER=whoopsie-upload-all.UNIT=apport-autoreport.service.

Process: /lib/systemd/systemd-journald
File Type: ASCII text
Category: dropped
Size (bytes): 208
Entropy (8bit): 5.3498384993101284
Encrypted: false
SSDEEP: 6:SbFuFyLVIg1BG+f+MuqD5UWWw3eDjdCLKzK:qgFq6g10+f+MPWw3ICLAK
MD5: 42A7AD58B8BFA7A6FD66C70C3C08BF54
SHA1: 526EA73A6188724476237AD03656BF7F46C2CAF9
SHA-256: E21A76C32F13EE97E03395B94E37B88E2A6C3B2A1740A8345EC8F792FECBC9CA
SHA-512: 8E19A619744B29D8126F4C3AF623B06F6499347318EB8393C2BCA4D364BA7127357BC5FC10A48D349865361DA0B8CE89D104A1908397D7BA39D5B6BD97AE3E7E
Malicious: false
Reputation: low
Preview: # This is private data. Do not parse.PRIORITY=30.LEVEL_PREFIX=1.FORWARD_TO_SYSLOG=0.FORWARD_TO_KMSG=0.FORWARD_TO_CONSOLE=0.STREAM_ID=d080f1fe98504a3193345a39c71998cc.IDENTIFIER=whoopsie.UNIT=whoopsie.service.

Process: /lib/systemd/systemd-journald
File Type: ASCII text
Category: dropped
Size (bytes): 223
Entropy (8bit): 5.510059639884829
Encrypted: false
SSDEEP: 3:SbFVVmFyinKMsPOYsn9ms954Hh6SnLAqC+h6KV+h6CQzuxm95yBaX3cRdhdDals+:SbFuFyLVIg1BG+f+Mfqpa2ji4s
MD5: 2C5B257482AFD420F916343D2DE90D86
SHA1: 899F8B62BD5005271B5B7DEE1386396DE824C004
SHA-256: 788D620590CECF18CC3E9E6ABE60CC95868DAE43ABC90147252B12354A4FAC6F
SHA-512: 4D6953954B4A83F0A7B22B1901D39912BDD8DE8C058E9E1A7F55B4C64F7F64841538D6574C0AED3F9C650E2D5AA887930411CC132A33FEB2D5C92B1A96D9265E
Malicious: false
Reputation: low
Preview: # This is private data. Do not parse.PRIORITY=30.LEVEL_PREFIX=1.FORWARD_TO_SYSLOG=0.FORWARD_TO_KMSG=0.FORWARD_TO_CONSOLE=0.STREAM_ID=70641d1f314f42a49a19487788def96a.IDENTIFIER=journalctl.UNIT=systemd-journal-flush.service.

Process: /lib/systemd/systemd-journald
File Type: data
Category: dropped
Size (bytes): 240
Entropy (8bit): 1.4595260194504922
Encrypted: false
SSDEEP: 3:F31Hl6STKYh//gSTKY7:F3KSnXgS9
MD5: A5BDEC46D2E72D6B1E2DB6D046A5299A
SHA1: B981FB500ABDCAED4ABBDC5921A02DBF7A1C11E3
SHA-256: 09C7DA9EF426B177E1DDF7F116437AA2A593B0A5E62885DDABA9E63644A96FE1
SHA-512: 07855E5BE9450B0AE3B747920EFADB278272D0E73E5C9C81976EC71030ED49685B2FC3F60B1EAD327DD99ECD7E44FE8C9B211560AB800F322E305186E9A03245
Malicious: false
Reputation: low
Preview: LPKSHHRH...................^8@........I...................................^8@........I........................................................................................................................................................

Process: /lib/systemd/systemd-journald
File Type: data
Category: dropped
Size (bytes): 240
Entropy (8bit): 1.459526019450492
Encrypted: false
SSDEEP: 3:F31HlH3nRPi/t/3nRPS/:F3npyxpi
MD5: B54A5D4E2CE4CEC9F77E7A268A35B67D
SHA1: 02714C8FBA4219C172E83F31F0741269AE5AE556
SHA-256: 9188129EEBBA163566E8EA0059601EDB7414BE150D447F52F835CF15B1B9CF4B
SHA-512: C03D37081563D4222FD75AECA8C2801C425BBA39A1E730300987F7E83056BE827874021A52586304E39C1916ABDF65A08CBB52DBAFB4A25298328875833EF026
Malicious: false
Reputation: low
Preview: LPKSHHRH.................w...3BG.t~.}h.s.................................w...3BG.t~.}h.s........................................................................................................................................................
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.732217302825054
TrID:
• ELF Executable and Linkable format (Linux) (4029/14) 50.16%
• ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: bejv86.elf
File size: 110'572 bytes
MD5: a3c93189f0863eeeea9d9765623a9b37
SHA1: afea5b5a4f5c8abc24748ea5e9f34192a600dcea
SHA256: 5847f3656c7804b69ce3592d06bda554e5bf637176006181d35648344250c45a
SHA512: 49d929d73df967b9f6f787f5a2aebc1b9c8355950db098bf311a79be70560701cc5d78430e53b92208b32f7061cf4b03b147213b1a0f36e7455802f7ae3dad3a
SSDEEP: 3072:tK5NX3/oZA5cXTsD1VC+gAFZtLOjS7ltB:05NXv4A5UTsDzSu7TB
TLSH: 5DB36CC1AB43F4F5E96600B21033A7378B33F53A502ADA47C769BA36EC61910E71A35D
File Content Preview: .ELF....................d...4...\.......4. ...(......................d...d...............d..........pI..............Q.td............................U..S.......'t...h....3)..[]...$.............U......= >...t..5...................u........t....h............

                            ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8048164
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 110172
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9

Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80480b0 | 0xb0 | 0x12956 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x805aa06 | 0x12a06 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x805aa20 | 0x12a20 | 0x3a88 | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x805f4ac | 0x164ac | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x805f4b8 | 0x164b8 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x805f4e0 | 0x164e0 | 0x493c | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x8063e20 | 0x1ae1c | 0xc94c | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x1ae1c | 0x3e | 0x0 | 0x0 |  | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x164a8 | 0x164a8 | 6.4265 | 0x5 | R E | 0x1000 |  | .init .text .fini .rodata
LOAD | 0x164ac | 0x805f4ac | 0x805f4ac | 0x4970 | 0x112c0 | 0.6084 | 0x6 | RW | 0x1000 |  | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |  | 


                            • Total Packets: 43
                            • 7733 undefined
                            • 2211 undefined
                            • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 12:37:48.669476986 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:48.729600906 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:49.673671961 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:49.733802080 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:49.922189951 CEST | 2211 | 51634 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:37:49.922332048 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:49.922333002 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:50.110829115 CEST | 2211 | 51634 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:37:50.110886097 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:50.299905062 CEST | 2211 | 51634 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:37:51.685658932 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:37:55.845649004 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:04.037836075 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:05.304148912 CEST | 2211 | 51634 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:05.304375887 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:11.775242090 CEST | 2211 | 51634 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:11.775527000 CEST | 51634 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:11.975133896 CEST | 2211 | 51634 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:18.787234068 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:18.976167917 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:18.976510048 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:18.976510048 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:19.179567099 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:19.179821968 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:19.386930943 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:20.165793896 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:34.374171019 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:34.374635935 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:49.563302040 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:38:49.563448906 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:38:53.957725048 CEST | 54540 | 7733 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:39:04.794825077 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:39:04.794955015 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:39:09.018101931 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:39:09.243340015 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:39:19.028207064 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:39:19.216989040 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:39:34.242748976 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:39:34.242862940 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Apr 2, 2025 12:39:49.430918932 CEST | 2211 | 51636 | 141.98.10.142 | 192.168.2.13
Apr 2, 2025 12:39:49.431211948 CEST | 51636 | 2211 | 192.168.2.13 | 141.98.10.142
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 12:37:48.175925970 CEST | 54653 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:48.276020050 CEST | 53 | 54653 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:48.276187897 CEST | 55236 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:48.366250992 CEST | 53 | 55236 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:48.366712093 CEST | 44823 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:48.456259012 CEST | 53 | 44823 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:48.456434965 CEST | 53879 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:48.545794964 CEST | 53 | 53879 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:48.547269106 CEST | 38099 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:48.638163090 CEST | 53 | 38099 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:48.638674974 CEST | 36288 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:48.729491949 CEST | 53 | 36288 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:55.896662951 CEST | 46705 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:55.896708965 CEST | 53199 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:37:55.992362976 CEST | 53 | 53199 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:37:55.992410898 CEST | 53 | 46705 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:12.777564049 CEST | 50411 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:12.883769989 CEST | 53 | 50411 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:12.884186029 CEST | 53095 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.009258986 CEST | 53 | 53095 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.009583950 CEST | 50443 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.117841005 CEST | 53 | 50443 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.119085073 CEST | 35852 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.213845968 CEST | 53 | 35852 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.214167118 CEST | 33695 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.303991079 CEST | 53 | 33695 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.304306030 CEST | 55116 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.430243969 CEST | 53 | 55116 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.430536032 CEST | 38665 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.552665949 CEST | 53 | 38665 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.553042889 CEST | 38469 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:13.683419943 CEST | 53 | 38469 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 12:38:13.683707952 CEST | 53468 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:18.685883999 CEST | 36465 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 12:38:18.786890984 CEST | 53 | 36465 | 8.8.8.8 | 192.168.2.13
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 12:37:48.175925970 CEST | 192.168.2.13 | 8.8.8.8 | 0xf8cb | Standard query (0) | raw.awaken-network.net | A (IP address) | IN (0x0001) | false
Apr 2, 2025 12:37:48.276187897 CEST | 192.168.2.13 | 8.8.8.8 | 0x3fdb | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 380 | false
Apr 2, 2025 12:37:48.366712093 CEST | 192.168.2.13 | 8.8.8.8 | 0x3fdb | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 380 | false
Apr 2, 2025 12:37:48.456434965 CEST | 192.168.2.13 | 8.8.8.8 | 0x3fdb | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 380 | false
Apr 2, 2025 12:37:48.547269106 CEST | 192.168.2.13 | 8.8.8.8 | 0x3fdb | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 380 | false
Apr 2, 2025 12:37:48.638674974 CEST | 192.168.2.13 | 8.8.8.8 | 0x3fdb | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 380 | false
Apr 2, 2025 12:37:55.896662951 CEST | 192.168.2.13 | 8.8.8.8 | 0x9586 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Apr 2, 2025 12:37:55.896708965 CEST | 192.168.2.13 | 8.8.8.8 | 0x9970 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false
Apr 2, 2025 12:38:13.304306030 CEST | 192.168.2.13 | 8.8.8.8 | 0x662f | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 405 | false
Apr 2, 2025 12:38:13.430536032 CEST | 192.168.2.13 | 8.8.8.8 | 0x662f | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 405 | false
Apr 2, 2025 12:38:13.553042889 CEST | 192.168.2.13 | 8.8.8.8 | 0x662f | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 405 | false
Apr 2, 2025 12:38:13.683707952 CEST | 192.168.2.13 | 8.8.8.8 | 0x662f | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 410 | false
Apr 2, 2025 12:38:18.685883999 CEST | 192.168.2.13 | 8.8.8.8 | 0x662f | Standard query (0) | raw.awaken-network.net. [malformed] | 256 | 410 | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 12:37:48.276020050 CEST | 8.8.8.8 | 192.168.2.13 | 0xf8cb | No error (0) | raw.awaken-network.net |  | 141.98.10.142 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 12:37:55.992410898 CEST | 8.8.8.8 | 192.168.2.13 | 0x9586 | No error (0) | daisy.ubuntu.com |  | 162.213.35.24 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 12:37:55.992410898 CEST | 8.8.8.8 | 192.168.2.13 | 0x9586 | No error (0) | daisy.ubuntu.com |  | 162.213.35.25 | A (IP address) | IN (0x0001) | false

                            System Behavior

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /tmp/bejv86.elf
Arguments: /tmp/bejv86.elf
File size: 110572 bytes
MD5 hash: a3c93189f0863eeeea9d9765623a9b37

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /tmp/bejv86.elf
Arguments: -
File size: 110572 bytes
MD5 hash: a3c93189f0863eeeea9d9765623a9b37

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /tmp/bejv86.elf
Arguments: -
File size: 110572 bytes
MD5 hash: a3c93189f0863eeeea9d9765623a9b37

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /tmp/bejv86.elf
Arguments: -
File size: 110572 bytes
MD5 hash: a3c93189f0863eeeea9d9765623a9b37

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /usr/lib/systemd/systemd
Arguments: -
File size: 1620224 bytes
MD5 hash: 9b2bec7092a40488108543f9334aab75

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /usr/bin/journalctl
Arguments: /usr/bin/journalctl --smart-relinquish-var
File size: 80120 bytes
MD5 hash: bf3a987344f3bacafc44efd882abda8b

Start time (UTC): 10:37:47
Start date (UTC): 02/04/2025
Path: /usr/lib/systemd/systemd
Arguments: -
File size: 1620224 bytes
MD5 hash: 9b2bec7092a40488108543f9334aab75

Start time (UTC): 10:37:55
Start date (UTC): 02/04/2025
Path: /usr/lib/systemd/systemd
Arguments: -
File size: 1620224 bytes
MD5 hash: 9b2bec7092a40488108543f9334aab75

Start time (UTC): 10:37:55
Start date (UTC): 02/04/2025
Path: /usr/bin/journalctl
Arguments: /usr/bin/journalctl --flush
File size: 80120 bytes
MD5 hash: bf3a987344f3bacafc44efd882abda8b