
Linux Analysis Report
boatnet.x86.elf

Overview

General Information

Sample name:boatnet.x86.elf
Analysis ID:1668423
MD5:aaa5e87c5f5e9395bca4e07f0f52012f
SHA1:13ca37be531a174ba22df258d3b6d4ebd1b62cd2
SHA256:0f17756634ef88e01ae4d6bfcf23507415e402d47bcc63f33d23adef83a7f2a9
Tags:elf, user-abuse_ch

Detection

Mirai
Score:76
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Yara signature match

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1668423
Start date and time:2025-04-18 15:50:22 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:boatnet.x86.elf
Detection:MAL
Classification:mal76.troj.evad.linELF@0/0@0/0
Command:/tmp/boatnet.x86.elf
PID:5429
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"TSource Engin
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name:Mirai
Description:Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution:No Attribution
Link:https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
5429.1.0000000008048000.0000000008057000.r-x.sdmp | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
5429.1.0000000008048000.0000000008057000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5429.1.0000000008048000.0000000008057000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • $a matched 21 times, at 0xc39c, 0xc3b0, 0xc3c4, 0xc3d8, 0xc3ec, 0xc400, 0xc414, 0xc428, 0xc43c, 0xc450, 0xc464, 0xc478, 0xc48c, 0xc4a0, 0xc4b4, 0xc4c8, 0xc4dc, 0xc4f0, 0xc504, 0xc518, 0xc52c: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5429.1.0000000008048000.0000000008057000.r-x.sdmp | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown
  • 0x4a60:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5429.1.0000000008048000.0000000008057000.r-x.sdmp | Linux_Trojan_Mirai_88de437f | unknown | unknown
  • 0x5b72:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
      No Suricata rule has matched


      AV Detection

Source: boatnet.x86.elf | Virustotal: Detection: 26%
Source: boatnet.x86.elf | ReversingLabs: Detection: 38%
Source: global traffic | TCP traffic: 192.168.2.13:49578 -> 176.65.144.253:12972
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.253
Source: boatnet.x86.elf | String found in binary or memory: http://upx.sf.net

      System Summary

Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_ae9d0fa6 Author: unknown
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: boatnet.x86.elf PID: 5429, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: LOAD without section mappings | Program segment: 0xc01000
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_ae9d0fa6 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = ca2bf2771844bec95563800d19a35dd230413f8eff0bd44c8ab0b4c596f81bfc, id = ae9d0fa6-be06-4656-9b13-8edfc0ee9e71, last_modified = 2021-09-16
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: boatnet.x86.elf PID: 5429, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal76.troj.evad.linELF@0/0@0/0

      Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/3640/comm, /proc/3640/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/230/comm, /proc/230/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/110/comm, /proc/110/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/231/comm, /proc/231/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/111/comm, /proc/111/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/232/comm, /proc/232/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/112/comm, /proc/112/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/233/comm, /proc/233/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/113/comm, /proc/113/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/234/comm, /proc/234/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/114/comm, /proc/114/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/235/comm, /proc/235/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/115/comm, /proc/115/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/236/comm, /proc/236/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/116/comm, /proc/116/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/237/comm, /proc/237/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/117/comm, /proc/117/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/238/comm, /proc/238/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/118/comm, /proc/118/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/239/comm, /proc/239/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/119/comm, /proc/119/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/914/comm, /proc/914/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/10/comm, /proc/10/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/917/comm, /proc/917/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/11/comm, /proc/11/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/5272/comm, /proc/5272/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/12/comm, /proc/12/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/13/comm, /proc/13/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/14/comm, /proc/14/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/15/comm, /proc/15/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/16/comm, /proc/16/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/17/comm, /proc/17/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/3771/comm, /proc/3771/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/18/comm, /proc/18/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/19/comm, /proc/19/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/240/comm, /proc/240/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/3095/comm, /proc/3095/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/120/comm, /proc/120/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/241/comm, /proc/241/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/121/comm, /proc/121/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/242/comm, /proc/242/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/122/comm, /proc/122/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/243/comm, /proc/243/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/2/comm, /proc/2/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/123/comm, /proc/123/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/244/comm, /proc/244/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/3/comm, /proc/3/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/124/comm, /proc/124/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/245/comm, /proc/245/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/1588/comm, /proc/1588/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/125/comm, /proc/125/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/4/comm, /proc/4/maps
Source: /tmp/boatnet.x86.elf (PID: 5431) | File opened: /proc/246/comm, /proc/246/maps
Source: boatnet.x86.elf | Submission file: segment LOAD with 7.8787 entropy (max. 8.0)

      Stealing of Sensitive Information

Source: Yara match | File source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: boatnet.x86.elf PID: 5429, type: MEMORYSTR

      Remote Access Functionality

Source: Yara match | File source: 5429.1.0000000008048000.0000000008057000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: boatnet.x86.elf PID: 5429, type: MEMORYSTR

MITRE ATT&CK Matrix (tactic: technique, with the number of matched signatures where the report shows one)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Obfuscated Files or Information (11)
Credential Access: OS Credential Dumping (1)
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Non-Standard Port (1)
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
      No configs have been found
Behavior Graph (ID: 1668423; graph image not reproduced): Sample boatnet.x86.elf, start date 18/04/2025, architecture LINUX, score 76. Network node: 176.65.144.253, ports 12972 and 49578, PALTEL-ASPALTELAutonomousSystemPS, Germany. Signature nodes: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; Sample is packed with UPX. Process chain: boatnet.x86.elf started boatnet.x86.elf, which in turn started boatnet.x86.elf.
Source | Detection | Scanner | Label
boatnet.x86.elf | 27% | Virustotal |
boatnet.x86.elf | 39% | ReversingLabs | Linux.Worm.Mirai
No Antivirus matches


      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | boatnet.x86.elf | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
176.65.144.253 | unknown | Germany | 12975 | PALTEL-ASPALTELAutonomousSystemPS | false
Match | Associated Sample Name / URL | Detection | Threat Name
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Gafgyt, Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
176.65.144.253 | boatnet.x86.elf | malicious | Mirai
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PALTEL-ASPALTELAutonomousSystemPS | boatnet.m68k.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.arm.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.mpsl.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.spc.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.mips.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.x86.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.sh4.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.arm7.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.x86.elf | malicious | Mirai | 176.65.137.13
PALTEL-ASPALTELAutonomousSystemPS | boatnet.spc.elf | malicious | Mirai | 176.65.137.13
                            No context
                            No context
                            No created / dropped files found
                            File type:ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
                            Entropy (8bit):7.874204885029072
                            TrID:
                            • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                            • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                            File name:boatnet.x86.elf
                            File size:32'852 bytes
                            MD5:aaa5e87c5f5e9395bca4e07f0f52012f
                            SHA1:13ca37be531a174ba22df258d3b6d4ebd1b62cd2
                            SHA256:0f17756634ef88e01ae4d6bfcf23507415e402d47bcc63f33d23adef83a7f2a9
                            SHA512:42003f3d44285bc714d820ac5a85d088acf26f417db04b288a8920b7d9eab8c7bf926a3cb8ecb0814831973b2969449fb90d9d97ceb587bda530678eca4c8563
                            SSDEEP:768:/ymHKHkMheDk61bzrXEcJ+9A/60VdZ7Xqo4e0RVv8ta02NUXjML58bz:qmHk8r9GQ52DRUEr6jDv
                            TLSH:2DE2F1E1C327500FDA4E917C01355B843570A9C087D6ABB8FE2F724FBB6122E91D2239
                            File Content Preview:.ELF....................h...4...........4. ...(.....................K...K...........................................Q.td...............................4UPX!........4...4.......Z........?d..ELF.......d.......4....4. (.......k.-.#................p..d.*)d..l

                            ELF header

                            Class:ELF32
                            Data:2's complement, little endian
                            Version:1 (current)
                            Machine:Intel 80386
                            Version Number:0x1
                            Type:EXEC (Executable file)
                            OS/ABI:UNIX - Linux
                            ABI Version:0
                            Entry Point Address:0xc08768
                            Flags:0x0
                            ELF Header Size:52
                            Program Header Offset:52
                            Program Header Size:32
                            Number of Program Headers:3
                            Section Header Offset:0
                            Section Header Size:40
                            Number of Section Headers:0
                            Header String Table Index:0
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0xc01000 | 0xc01000 | 0x7f4b | 0x7f4b | 7.8787 | 0x5 | R E | 0x1000 | |
LOAD | 0x980 | 0x8059980 | 0x8059980 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x1000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2025 15:51:12.947974920 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:13.183329105 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:13.183471918 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:13.183559895 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:13.418596983 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:13.418678045 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:13.653747082 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:23.193612099 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:23.428828001 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:23.428853035 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:23.428925991 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:38.680600882 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:38.680869102 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:51:53.915776014 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:51:53.915961981 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:52:09.150630951 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:52:09.150746107 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:52:23.457287073 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:52:23.692754030 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:52:23.692837000 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:52:38.936685085 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:52:38.936832905 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:52:54.171674013 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:52:54.171773911 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253
Apr 18, 2025 15:53:09.406651020 CEST | 12972 | 49578 | 176.65.144.253 | 192.168.2.13
Apr 18, 2025 15:53:09.406841040 CEST | 49578 | 12972 | 192.168.2.13 | 176.65.144.253

                            System Behavior

                            Start time (UTC):13:51:12
                            Start date (UTC):18/04/2025
                            Path:/tmp/boatnet.x86.elf
                            Arguments:/tmp/boatnet.x86.elf
                            File size:32852 bytes
                            MD5 hash:aaa5e87c5f5e9395bca4e07f0f52012f

                            Start time (UTC):13:51:12
                            Start date (UTC):18/04/2025
                            Path:/tmp/boatnet.x86.elf
                            Arguments:-
                            File size:32852 bytes
                            MD5 hash:aaa5e87c5f5e9395bca4e07f0f52012f

                            Start time (UTC):13:51:12
                            Start date (UTC):18/04/2025
                            Path:/tmp/boatnet.x86.elf
                            Arguments:-
                            File size:32852 bytes
                            MD5 hash:aaa5e87c5f5e9395bca4e07f0f52012f