
Linux Analysis Report
6ryuhM7ras.elf

Overview

General Information

Sample name: 6ryuhM7ras.elf (renamed because original name is a hash value)
Original sample name: 9ff2daaf1375355d4829ad206ac92e2c.elf
Analysis ID: 1532758
MD5: 9ff2daaf1375355d4829ad206ac92e2c
SHA1: b7266d77daaaeef014e72d7312793939d07394c5
SHA256: 241c94a3458c65a9bf658fa6ab5b21bb74547a1e01bff35bfe8311c85c5f3ce8
Tags: 32, elf, mips, mirai

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532758
Start date and time: 2024-10-13 21:50:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: 6ryuhM7ras.elf (renamed because original name is a hash value)
Original Sample Name: 9ff2daaf1375355d4829ad206ac92e2c.elf
Detection: MAL
Classification: mal68.evad.linELF@0/0@0/0
  • VT rate limit hit for: 6ryuhM7ras.elf
Command: /tmp/6ryuhM7ras.elf
PID: 5490
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
5490.1.00007f721c400000.00007f721c42a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5492.1.00007f721c400000.00007f721c42a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5494.1.00007f721c400000.00007f721c42a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5504.1.00007f721c400000.00007f721c42a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0x2739c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x273ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27400:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27414:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27428:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2743c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27450:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27464:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27478:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2748c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x274f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x27518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0x2752c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: 6ryuhM7ras.elf PID: 5490 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0xf7f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf80c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf85c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf870:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf884:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf898:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf8ac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf8c0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf8d4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf8e8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf8fc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf910:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf924:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf938:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf94c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf960:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf974:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf988:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
No Suricata rule has matched


AV Detection

Source: 6ryuhM7ras.elf | Avira: detected
Source: 6ryuhM7ras.elf | ReversingLabs: Detection: 44%
Source: global traffic | TCP traffic: 192.168.2.14:55968 -> 45.131.65.138:3778
Source: unknown | TCP traffic detected without corresponding DNS query: 45.131.65.138 (reported 40 times)
Source: 6ryuhM7ras.elf | String found in binary or memory: http://upx.sf.net

System Summary

Source: 5490.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5492.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5494.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5504.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5490, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5492, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5494, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5504, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: LOAD without section mappings | Program segment: 0x100000
Source: 5490.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5492.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5494.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5504.1.00007f721c400000.00007f721c42a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5490, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5492, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5494, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: 6ryuhM7ras.elf PID: 5504, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal68.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1583/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/2672/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/110/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/111/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/112/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/113/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/234/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1577/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/114/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/235/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/115/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/116/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/117/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/118/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/119/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/10/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/917/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/11/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/12/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/13/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/14/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/15/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/16/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/17/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/18/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/19/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1593/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/240/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/120/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3094/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/121/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/242/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3406/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/122/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/243/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/2/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/123/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/244/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1589/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/124/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/245/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1588/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/125/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/4/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/246/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3402/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/126/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/5/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/247/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/127/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/6/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/248/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/128/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/7/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/249/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/8/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/129/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/800/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/9/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/801/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/803/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/20/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/806/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/21/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/807/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/928/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/22/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/23/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/24/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/25/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/26/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/27/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/28/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/29/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3420/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/490/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/250/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/130/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/251/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/131/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/252/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/132/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/253/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/254/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/255/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/135/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/256/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1599/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/257/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/378/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/258/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3412/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/259/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/30/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/35/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3670/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3791/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3792/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3793/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/3794/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/1371/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/260/status
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | File opened: /proc/261/status
Source: 6ryuhM7ras.elf | Submission file: segment LOAD with 7.9458 entropy (max. 8.0)
Source: /tmp/6ryuhM7ras.elf (PID: 5490) | Queries kernel information via 'uname'
Source: 6ryuhM7ras.elf, 5490.1.00007fffd512c000.00007fffd514d000.rw-.sdmp, 6ryuhM7ras.elf, 5492.1.00007fffd512c000.00007fffd514d000.rw-.sdmp, 6ryuhM7ras.elf, 5494.1.00007fffd512c000.00007fffd514d000.rw-.sdmp, 6ryuhM7ras.elf, 5504.1.00007fffd512c000.00007fffd514d000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/6ryuhM7ras.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6ryuhM7ras.elf
Source: 6ryuhM7ras.elf, 5490.1.000056234092a000.00005623409d2000.rw-.sdmp, 6ryuhM7ras.elf, 5492.1.000056234092a000.00005623409d2000.rw-.sdmp, 6ryuhM7ras.elf, 5494.1.000056234092a000.00005623409d2000.rw-.sdmp, 6ryuhM7ras.elf, 5504.1.000056234092a000.00005623409d2000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/mipsel
Source: 6ryuhM7ras.elf, 5490.1.000056234092a000.00005623409d2000.rw-.sdmp, 6ryuhM7ras.elf, 5492.1.000056234092a000.00005623409d2000.rw-.sdmp, 6ryuhM7ras.elf, 5494.1.000056234092a000.00005623409d2000.rw-.sdmp, 6ryuhM7ras.elf, 5504.1.000056234092a000.00005623409d2000.rw-.sdmp | Binary or memory string: @#V!/etc/qemu-binfmt/mipsel
Source: 6ryuhM7ras.elf, 5490.1.00007fffd512c000.00007fffd514d000.rw-.sdmp, 6ryuhM7ras.elf, 5492.1.00007fffd512c000.00007fffd514d000.rw-.sdmp, 6ryuhM7ras.elf, 5494.1.00007fffd512c000.00007fffd514d000.rw-.sdmp, 6ryuhM7ras.elf, 5504.1.00007fffd512c000.00007fffd514d000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-mipsel
Tactic | Technique
Reconnaissance | Gather Victim Identity Information
Resource Development | Acquire Infrastructure
Initial Access | Valid Accounts
Execution | Windows Management Instrumentation
Persistence | Path Interception
Privilege Escalation | Path Interception
Defense Evasion | 11 Obfuscated Files or Information
Credential Access | 1 OS Credential Dumping
Discovery | 11 Security Software Discovery
Lateral Movement | Remote Services
Collection | Data from Local System
Command and Control | 1 Non-Standard Port
Exfiltration | Exfiltration Over Other Network Medium
Impact | Abuse Accessibility Features
No configs have been found
Behavior Graph ID: 1532758
Sample: 6ryuhM7ras.elf
Startdate: 13/10/2024
Architecture: LINUX
Score: 68
Network node: 45.131.65.138, ports 3778, 55968, 55970, LOVESERVERSGB, Germany
Signature nodes: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sample is packed with UPX
Process tree:
  6ryuhM7ras.elf (started)
    6ryuhM7ras.elf (started)
      6ryuhM7ras.elf (started)
      6ryuhM7ras.elf (started)
    6ryuhM7ras.elf (started)
    6ryuhM7ras.elf (started)

Source | Detection | Scanner | Label
6ryuhM7ras.elf | 45% | ReversingLabs | Linux.Trojan.Mirai
6ryuhM7ras.elf | 100% | Avira | EXP/ELF.Agent.M.28
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | 6ryuhM7ras.elf | true | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.131.65.138 | unknown | Germany | 47987 | LOVESERVERSGB | false
Match | Associated Sample Name / URL | Detection | Threat Name
45.131.65.138 | LM762mO6Jt.elf | malicious | Unknown
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
    LOVESERVERSGB | LM762mO6Jt.elf | malicious | Unknown | 45.131.65.138
    LOVESERVERSGB | M88FIQFvyo.elf | malicious | Mirai | 45.150.101.154
    LOVESERVERSGB | i7b3uBlM8k.elf | malicious | Mirai | 45.150.101.181
    LOVESERVERSGB | TV7RLVOmvl.elf | malicious | Mirai | 45.150.101.140
    LOVESERVERSGB | dDPKtLvVp6.elf | malicious | Mirai, Moobot | 85.9.214.159
    LOVESERVERSGB | yCUczQYIGe.elf | malicious | Mirai | 45.150.101.148
    LOVESERVERSGB | a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec.exe | malicious | RHADAMANTHYS, SmokeLoader, Stealc, Vidar | 45.131.66.61
    LOVESERVERSGB | 50GoeHHxhs.exe | malicious | DarkTortilla, Phobos, RHADAMANTHYS, SmokeLoader, SystemBC | 45.131.66.222
    LOVESERVERSGB | SyuiUx2mcV.exe | malicious | DarkTortilla, Phobos, RHADAMANTHYS, SmokeLoader, SystemBC | 45.131.66.222
    LOVESERVERSGB | Z8B3qXUXHu.exe | malicious | DarkTortilla, Phobos, RHADAMANTHYS, SmokeLoader, SystemBC | 45.131.66.222
    No context
    No created / dropped files found
    File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
    Entropy (8bit):7.943145356995558
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:6ryuhM7ras.elf
    File size:44'352 bytes
    MD5:9ff2daaf1375355d4829ad206ac92e2c
    SHA1:b7266d77daaaeef014e72d7312793939d07394c5
    SHA256:241c94a3458c65a9bf658fa6ab5b21bb74547a1e01bff35bfe8311c85c5f3ce8
    SHA512:28e57b59ee60a8ef803c9e9219af70bde59a48bc92c73f55aa1b239e4e427bb1700b75d1820e524da4c5ec0259bba42dd2d32116693ad9609f00552702a3172a
    SSDEEP:768:UYQdzLFMbXkqyyxwmGFm3qsSPhkj96MiKrecs6cDtyO5XnQDWFS7C5W8:UHPmwqBOc31LNrecs6KtPXQDLe3
    TLSH:7F13E14DD6E1ED55C8CF5839A0CD23A65ED2718234270F9CA3946CCDA892C86BCCE4B5
    File Content Preview:.ELF........................4...........4. ...(...............................................C...C.....................UPX!d...................V..........?.E.h;....#......b.L#>g7.9f......1....F.....f.u.(L.X.Ak..8......~.Dl0..Wl../... ..il...%..........p?

    ELF header

    Class:ELF32
    Data:2's complement, little endian
    Version:1 (current)
    Machine:MIPS R3000
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x1098d8
    Flags:0x1007
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:2
    Section Header Offset:0
    Section Header Size:40
    Number of Section Headers:0
    Header String Table Index:0
    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x100000 | 0x100000 | 0xac15 | 0xac15 | 7.9458 | 0x5 | R E | 0x10000 | (none) | (none)
    LOAD | 0xaffc | 0x43affc | 0x43affc | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10000 | (none) | (none)
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 13, 2024 21:50:57.664504051 CEST | 55968 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:57.669806004 CEST | 3778 | 55968 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:57.669869900 CEST | 55968 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:57.680316925 CEST | 55968 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:57.685254097 CEST | 3778 | 55968 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:57.685297966 CEST | 55968 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:57.690258980 CEST | 3778 | 55968 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.309375048 CEST | 3778 | 55968 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.309442997 CEST | 55968 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.309778929 CEST | 55968 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.310244083 CEST | 55970 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.315105915 CEST | 3778 | 55970 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.315160036 CEST | 55970 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.316189051 CEST | 55970 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.321022034 CEST | 3778 | 55970 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.321069002 CEST | 55970 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.326001883 CEST | 3778 | 55970 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.953001976 CEST | 3778 | 55970 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.953372955 CEST | 55970 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.953372955 CEST | 55970 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.954369068 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.959367037 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.959559917 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.964380980 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.969258070 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:50:58.969422102 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:50:58.974312067 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:03.375488997 CEST | 55974 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:03.380706072 CEST | 3778 | 55974 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:03.380772114 CEST | 55974 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:03.423095942 CEST | 55974 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:03.428179979 CEST | 3778 | 55974 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:03.428231955 CEST | 55974 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:03.433146000 CEST | 3778 | 55974 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.031532049 CEST | 3778 | 55974 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.031685114 CEST | 55974 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.031946898 CEST | 55974 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.033127069 CEST | 55976 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.038142920 CEST | 3778 | 55976 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.038223982 CEST | 55976 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.039503098 CEST | 55976 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.044627905 CEST | 3778 | 55976 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.044739008 CEST | 55976 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.049567938 CEST | 3778 | 55976 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.664555073 CEST | 3778 | 55976 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.664758921 CEST | 55976 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.664848089 CEST | 55976 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.666013956 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.671411037 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.671474934 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.672854900 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.677946091 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:04.678060055 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:04.683572054 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:08.974236965 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:08.979254007 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:09.168041945 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:09.168154955 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:14.682904959 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:51:14.687865973 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:14.879337072 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:51:14.879940987 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:52:09.212199926 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:52:09.218120098 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:52:09.392323971 CEST | 3778 | 55972 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:52:09.392949104 CEST | 55972 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:52:14.933727980 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138
    Oct 13, 2024 21:52:14.939440012 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:52:15.118011951 CEST | 3778 | 55978 | 45.131.65.138 | 192.168.2.14
    Oct 13, 2024 21:52:15.118367910 CEST | 55978 | 3778 | 192.168.2.14 | 45.131.65.138

    System Behavior

    Start time (UTC):19:50:57
    Start date (UTC):13/10/2024
    Path:/tmp/6ryuhM7ras.elf
    Arguments:/tmp/6ryuhM7ras.elf
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

    Start time (UTC):19:50:57
    Start date (UTC):13/10/2024
    Path:/tmp/6ryuhM7ras.elf
    Arguments:-
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

    Start time (UTC):19:50:57
    Start date (UTC):13/10/2024
    Path:/tmp/6ryuhM7ras.elf
    Arguments:-
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

    Start time (UTC):19:50:57
    Start date (UTC):13/10/2024
    Path:/tmp/6ryuhM7ras.elf
    Arguments:-
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

    Start time (UTC):19:51:02
    Start date (UTC):13/10/2024
    Path:/tmp/6ryuhM7ras.elf
    Arguments:-
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

    Start time (UTC):19:51:02
    Start date (UTC):13/10/2024
    Path:/tmp/6ryuhM7ras.elf
    Arguments:-
    File size:5773336 bytes
    MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9