Linux Analysis Report
Aqua.i686.elf

Overview

General Information

Sample name:Aqua.i686.elf
Analysis ID:1674919
MD5:cb0fa9441dd90b00eb705bc8ffffe94f
SHA1:f3c8b7631cdc25c36acd4c702232431d362a4fa0
SHA256:ff5af4f19474665b449a2766c3f0f6e7baca4487f0456b9bf3fc5aa6e2d723ee
Tags:elfuser-abuse_ch
Infos:

Detection

Score:64
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Yara signature match

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious.]
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1674919
Start date and time:2025-04-26 18:38:48 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:Aqua.i686.elf
Detection:MAL
Classification:mal64.troj.evad.linELF@0/0@6/0
Command:/tmp/Aqua.i686.elf
PID:5643
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
about to cum inside a femboy btw
Standard Error:
  • system is lnxubuntu20
  • Aqua.i686.elf (PID: 5643, Parent: 5560, MD5: cb0fa9441dd90b00eb705bc8ffffe94f) Arguments: /tmp/Aqua.i686.elf
  • cleanup
Source | Rule | Description | Author | Strings
Aqua.i686.elf | Linux_Trojan_Mirai_268aac0b | unknown | unknown | 0x4d3f:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
Aqua.i686.elf | Linux_Trojan_Mirai_0cb1699c | unknown | unknown | 0x4cf2:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
Aqua.i686.elf | Linux_Trojan_Mirai_70ef58f1 | unknown | unknown | 0x628d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C; 0x632d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
Aqua.i686.elf | Linux_Trojan_Mirai_3a85a418 | unknown | unknown | 0x47b7:$a: 01 D8 66 C1 C8 08 C1 C8 10 66 C1 C8 08 66 83 7C 24 2C FF 89
Aqua.i686.elf | Linux_Trojan_Mirai_2e3f67a9 | unknown | unknown | 0x522:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44; 0x582:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44
Source | Rule | Description | Author | Strings
5643.1.0000000008048000.0000000008054000.r-x.sdmp | Linux_Trojan_Mirai_268aac0b | unknown | unknown | 0x4d3f:$a: 24 18 0F B7 44 24 20 8B 54 24 1C 83 F9 01 8B 7E 0C 89 04 24 8B
5643.1.0000000008048000.0000000008054000.r-x.sdmp | Linux_Trojan_Mirai_0cb1699c | unknown | unknown | 0x4cf2:$a: DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 10 0F B7 02 83 E9 02 83
5643.1.0000000008048000.0000000008054000.r-x.sdmp | Linux_Trojan_Mirai_70ef58f1 | unknown | unknown | 0x628d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C; 0x632d:$a: 89 D0 8B 19 01 D8 0F B6 5C 24 10 30 18 89 D0 8B 19 01 D8 0F B6 5C
5643.1.0000000008048000.0000000008054000.r-x.sdmp | Linux_Trojan_Mirai_3a85a418 | unknown | unknown | 0x47b7:$a: 01 D8 66 C1 C8 08 C1 C8 10 66 C1 C8 08 66 83 7C 24 2C FF 89
5643.1.0000000008048000.0000000008054000.r-x.sdmp | Linux_Trojan_Mirai_2e3f67a9 | unknown | unknown | 0x522:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44; 0x582:$a: 53 83 EC 04 0F B6 74 24 14 8B 5C 24 18 8B 7C 24 20 0F B6 44
No Suricata rule has matched

AV Detection

Source: Aqua.i686.elf, Virustotal: Detection: 28%
Source: Aqua.i686.elf, ReversingLabs: Detection: 25%

Networking

Source: global traffic, DNS traffic detected: malformed DNS query: raw.intenseproxy.zip. [malformed]
Source: global traffic, TCP traffic: 192.168.2.14:33676 -> 193.200.78.28:33966
Source: global traffic, DNS traffic detected: DNS query: raw.intenseproxy.zip
Source: global traffic, DNS traffic detected: DNS query: raw.intenseproxy.zip. [malformed]

System Summary

Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_268aac0b, Author: unknown
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_0cb1699c, Author: unknown
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_70ef58f1, Author: unknown
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_3a85a418, Author: unknown
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_2e3f67a9, Author: unknown
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_88de437f, Author: unknown
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_cc93863b, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_268aac0b, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_0cb1699c, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_70ef58f1, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_3a85a418, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_2e3f67a9, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_88de437f, Author: unknown
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_cc93863b, Author: unknown
Source: ELF static info symbol of initial sample, .symtab present: no
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_268aac0b, reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_0cb1699c, reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_70ef58f1, reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_3a85a418, reference_sample = 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec, id = 3a85a418-2bd9-445a-86cb-657ca7edf566, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_2e3f67a9, reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_88de437f, reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE, Matched rule: Linux_Trojan_Mirai_cc93863b, reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_268aac0b, reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_0cb1699c, reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_70ef58f1, reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_3a85a418, reference_sample = 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec, id = 3a85a418-2bd9-445a-86cb-657ca7edf566, last_modified = 2021-09-16
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_2e3f67a9, reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_88de437f, reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5643.1.0000000008048000.0000000008054000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Mirai_cc93863b, reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: classification engine, Classification label: mal64.troj.evad.linELF@0/0@6/0

Hooking and other Techniques for Hiding and Protection

Source: /tmp/Aqua.i686.elf (PID: 5644), File: /tmp/Aqua.i686.elf
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | File Deletion (1) | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Non-Standard Port (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
No configs have been found
[Behavior graph. ID: 1674919; Sample: Aqua.i686.elf; Startdate: 26/04/2025; Architecture: LINUX; Score: 64. Process nodes: Aqua.i686.elf started, which started a second Aqua.i686.elf (signature: Sample deletes itself). DNS/IP nodes: raw.intenseproxy.zip. [malformed] (signature: Sends malformed DNS queries); raw.intenseproxy.zip, 193.200.78.28, 33676, 33966, LINK-SERVICE-ASUA, Switzerland. Sample signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file.]

Source | Detection | Scanner | Label
Aqua.i686.elf | 29% | Virustotal |
Aqua.i686.elf | 25% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.intenseproxy.zip | 193.200.78.28 | true | false |  | high
raw.intenseproxy.zip. [malformed] | unknown | unknown | false |  | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.200.78.28 | raw.intenseproxy.zip | Switzerland |  | 29496 | LINK-SERVICE-ASUA | false

Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.200.78.28 | Aqua.arm4.elf | malicious | Aquabot |
 | Aqua.arm5.elf | malicious | Aquabot |
 | Aqua.spc.elf | malicious | Aquabot |
 | Aqua.i686.elf | malicious | Aquabot |
 | Aqua.spc.elf | malicious | Unknown |
 | Aqua.x86_64.elf | malicious | Aquabot |
 | Aqua.ppc.elf | malicious | Unknown |
 | Aqua.dbg.elf | malicious | Aquabot |
 | Aqua.sh4.elf | malicious | Aquabot |
 | Aqua.m68k.elf | malicious | Aquabot |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.intenseproxy.zip | Aqua.spc.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.spc.elf | malicious | Unknown | 193.200.78.28
 | Aqua.x86_64.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.ppc.elf | malicious | Unknown | 193.200.78.28
 | Aqua.dbg.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.m68k.elf | malicious | Aquabot | 193.200.78.28

Match | Associated Sample Name / URL | Detection | Threat Name | Context
LINK-SERVICE-ASUA | Aqua.arm4.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.arm5.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.spc.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.i686.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.spc.elf | malicious | Unknown | 193.200.78.28
 | Aqua.x86_64.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.ppc.elf | malicious | Unknown | 193.200.78.28
 | Aqua.dbg.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.sh4.elf | malicious | Aquabot | 193.200.78.28
 | Aqua.m68k.elf | malicious | Aquabot | 193.200.78.28

                          No context
                          No context
                          No created / dropped files found
                          File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
                          Entropy (8bit):6.290842986047838
                          TrID:
                          • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                          • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                          File name:Aqua.i686.elf
                          File size:50'352 bytes
                          MD5:cb0fa9441dd90b00eb705bc8ffffe94f
                          SHA1:f3c8b7631cdc25c36acd4c702232431d362a4fa0
                          SHA256:ff5af4f19474665b449a2766c3f0f6e7baca4487f0456b9bf3fc5aa6e2d723ee
                          SHA512:ce87bc06732fa22260c30e7b10643f10435e1c1a328d79eb2d3f5d76b45a3e57f41b6ff8d3ba78be04b59a1e58af936ad6b459e7b439091eda21b2f203bc69c3
                          SSDEEP:1536:j7WsI7YXIRWH+MK+77QdfzV6jZWlw4gtbnPwC7FQE6c6:j7W37Y4RAK+77Qdfzowa4gtLPbRH6n
                          TLSH:E6332AC1F54F84F9D95B49304063F33FCF32E5294175CAAEEF99AE36DA23541821A298

                          ELF header

                          Class:ELF32
                          Data:2's complement, little endian
                          Version:1 (current)
                          Machine:Intel 80386
                          Version Number:0x1
                          Type:EXEC (Executable file)
                          OS/ABI:UNIX - System V
                          ABI Version:0
                          Entry Point Address:0x8048168
                          Flags:0x0
                          ELF Header Size:52
                          Program Header Offset:52
                          Program Header Size:32
                          Number of Program Headers:3
                          Section Header Offset:49952
                          Section Header Size:40
                          Number of Section Headers:10
                          Header String Table Index:9
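
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80480b0 | 0xb0 | 0xaac1 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x8052b71 | 0xab71 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x8052ba0 | 0xaba0 | 0x139c | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x8054000 | 0xc000 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x8054008 | 0xc008 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x8054020 | 0xc020 | 0x2c0 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x80542e0 | 0xc2e0 | 0x2520 | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0xc2e0 | 0x3e | 0x0 | 0x0 |  | 0 | 0 | 1

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0xbf3c | 0xbf3c | 6.3403 | 0x5 | R E | 0x1000 |  | .init .text .fini .rodata
LOAD | 0xc000 | 0x8054000 | 0x8054000 | 0x2e0 | 0x2800 | 3.9476 | 0x6 | RW | 0x1000 |  | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 |  |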

                          • Total Packets: 20
                          • 33966 undefined
                          • 53 (DNS)

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type, Class | DNS over HTTPS
Apr 26, 2025 18:39:46.426996946 CEST | 192.168.2.14 | 8.8.8.8 | 0xd5e8 | Standard query (0) | raw.intenseproxy.zip | A (IP address), IN (0x0001) | false
Apr 26, 2025 18:39:46.694591999 CEST | 192.168.2.14 | 8.8.8.8 | 0xbf6e | Standard query (0) | raw.intenseproxy.zip. [malformed] | 256338 | false
Apr 26, 2025 18:39:46.842530966 CEST | 192.168.2.14 | 8.8.8.8 | 0xbf6e | Standard query (0) | raw.intenseproxy.zip. [malformed] | 256338 | false
Apr 26, 2025 18:39:46.991272926 CEST | 192.168.2.14 | 8.8.8.8 | 0xbf6e | Standard query (0) | raw.intenseproxy.zip. [malformed] | 256339 | false
Apr 26, 2025 18:39:47.140151978 CEST | 192.168.2.14 | 8.8.8.8 | 0xbf6e | Standard query (0) | raw.intenseproxy.zip. [malformed] | 256339 | false
Apr 26, 2025 18:39:47.291893959 CEST | 192.168.2.14 | 8.8.8.8 | 0xbf6e | Standard query (0) | raw.intenseproxy.zip. [malformed] | 256339 | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 26, 2025 18:39:46.694253922 CEST | 8.8.8.8 | 192.168.2.14 | 0xd5e8 | No error (0) | raw.intenseproxy.zip |  | 193.200.78.28 | A (IP address) | IN (0x0001) | false

                          System Behavior

                          Start time (UTC):16:39:45
                          Start date (UTC):26/04/2025
                          Path:/tmp/Aqua.i686.elf
                          Arguments:/tmp/Aqua.i686.elf
                          File size:50352 bytes
                          MD5 hash:cb0fa9441dd90b00eb705bc8ffffe94f

                          Start time (UTC):16:39:45
                          Start date (UTC):26/04/2025
                          Path:/tmp/Aqua.i686.elf
                          Arguments:-
                          File size:50352 bytes
                          MD5 hash:cb0fa9441dd90b00eb705bc8ffffe94f