
Linux Analysis Report
xd.mips.elf

Overview

General Information

Sample name: xd.mips.elf
Analysis ID: 1669036
MD5: fc607672bc8bff804f44c2ec3afab7d8
SHA1: 525b20152489b0f2492c3b78ce1ef8b0e3a44f05
SHA256: 9a0e439001ac7a514be7182ec15f0defcd39c918629e006f5223cd407d5412fa
Tags: elf, user-abuse_ch

Detection

Score: 60 (range 0 - 100)

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart (image not reproduced). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious. This sample is rated malicious with the Evader category set (label mal60.evad.linELF below).
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1669036
Start date and time: 2025-04-19 05:44:26 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: xd.mips.elf
Detection: MAL
Classification: mal60.evad.linELF@0/0@0/0
Command: /tmp/xd.mips.elf
PID: 6251
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output: connecterror
Standard Error: (empty)

Process tree:
  • system is lnxubuntu20
  • xd.mips.elf (PID: 6251, Parent: 6176, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/xd.mips.elf
  • cleanup

The MD5 in the process-tree entry is not the sample's hash (fc607672bc8bff804f44c2ec3afab7d8). The analysis host is x64 Ubuntu, so the MIPS binary is executed through binfmt_misc by the qemu-mips user-mode emulator; the hash and the 5'777'432-byte size recorded under System Behavior belong to that emulator binary. The qemu-mips and qemu-binfmt strings found in process memory (Data Obfuscation section) come from the same source.
Yara matches

Source: 6251.1.00007f2dd0400000.00007f2dd040e000.r-x.sdmp; Rule: Linux_Trojan_Gafgyt_28a2fe0c; Description: unknown; Author: unknown
Source: Process Memory Space: xd.mips.elf PID: 6251; Rule: Linux_Trojan_Gafgyt_28a2fe0c; Description: unknown; Author: unknown

Matched string (identical in both sources):
  $a = { 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F }
  ASCII: "/x38/xFJ/x93/xID/x9A/x38/xFJ/"

Each source has 21 hits of $a spaced exactly 0x14 bytes apart: the 29-byte pattern overlaps itself because the memory holds the 20-byte unit "/x38/xFJ/x93/xID/x9A" repeated back to back.
  • r-x.sdmp offsets: 0xd0a0, 0xd0b4, 0xd0c8, 0xd0dc, 0xd0f0, 0xd104, 0xd118, 0xd12c, 0xd140, 0xd154, 0xd168, 0xd17c, 0xd190, 0xd1a4, 0xd1b8, 0xd1cc, 0xd1e0, 0xd1f4, 0xd208, 0xd21c, 0xd230
  • process memory offsets: 0x4aa, 0x4be, 0x4d2, 0x4e6, 0x4fa, 0x50e, 0x522, 0x536, 0x54a, 0x55e, 0x572, 0x586, 0x59a, 0x5ae, 0x5c2, 0x5d6, 0x5ea, 0x5fe, 0x612, 0x626, 0x63a

Both matches are against memory, not the submitted file: on disk the sample is UPX-packed (see Data Obfuscation), so the plaintext string is only visible after the stub has unpacked the image. File-level scanning with the same rule will not fire unless the sample is unpacked first.
No Suricata rule has matched


AV Detection

Source: xd.mips.elf; Virustotal: Detection: 34% (Perma Link)
Source: xd.mips.elf; ReversingLabs: Detection: 38%

Networking

Source: global traffic; TCP traffic: 192.168.2.23:60832 -> 209.141.33.93:5538
Source: /tmp/xd.mips.elf (PID: 6251); Socket: 192.168.2.23:9473
Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown; TCP traffic detected without corresponding DNS query (22 events): 209.141.33.93 (14), 91.189.91.42 (3), 91.189.91.43 (3), 109.202.202.202 (2)
Source: xd.mips.elf; String found in binary or memory: http://upx.sf.net
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443

Only the 209.141.33.93:5538 connection is answered by the remote side; it is reached by IP without any DNS lookup, on a non-standard port, and is the sample's command-and-control channel. The 443 connections to 91.189.91.42 and 91.189.91.43 (AS41231 CANONICAL-ASGB) and the port-80 connection to 109.202.202.202 (AS13030 INIT7CH, listed later in this report with a ch.archive.ubuntu.com package URL) receive no reply and are consistent with the Ubuntu analysis image's own update traffic rather than with the sample. Read the "Tries to connect to HTTP servers, but all servers are down" and "Encrypted Channel" findings with that in mind.

System Summary

Source: 6251.1.00007f2dd0400000.00007f2dd040e000.r-x.sdmp, type: MEMORY; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: xd.mips.elf PID: 6251, type: MEMORYSTR; Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: LOAD without section mappings; Program segment: 0x100000
Rule metadata for both Linux_Trojan_Gafgyt_28a2fe0c matches: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine; Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: xd.mips.elf; Submission file: segment LOAD with 7.8397 entropy (max. 8.0)
Source: /tmp/xd.mips.elf (PID: 6251); Queries kernel information via 'uname'
Source: xd.mips.elf, 6251.1.00005559b2aec000.00005559b2b73000.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/mips
Source: xd.mips.elf, 6251.1.00007ffeac120000.00007ffeac141000.rw-.sdmp; Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/xd.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/xd.mips.elf
Source: xd.mips.elf, 6251.1.00007ffeac120000.00007ffeac141000.rw-.sdmp; Binary or memory string: /usr/bin/qemu-mips
Source: xd.mips.elf, 6251.1.00005559b2aec000.00005559b2b73000.rw-.sdmp; Binary or memory string: YU!/etc/qemu-binfmt/mips

The two UPX strings and the 7.84-bit LOAD entropy are the sample's own packing artifacts. The qemu-mips and qemu-binfmt strings are not: the 64-bit analysis host runs this MIPS binary through QEMU user-mode emulation, and the string block above (the emulator's argv followed by the root shell's environment) was read from the emulator process's memory. They say nothing about anti-VM logic in the sample itself; the only evasion-relevant behaviour observed is the uname query.
MITRE ATT&CK Matrix

Techniques with matched signatures (all other cells of the matrix are the unpopulated template and are omitted here):
  • Defense Evasion: Obfuscated Files or Information (1)
  • Discovery: Security Software Discovery (1)
  • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Application Layer Protocol (1)
No configs have been found
Behavior graph (ID 1669036, sample xd.mips.elf, start date 19/04/2025, architecture LINUX, score 60; rendered graph not reproduced). Nodes:
  • Process xd.mips.elf started; it starts a second xd.mips.elf process
  • 209.141.33.93, ports 5538 and 60832, PONYNETUS, United States
  • 109.202.202.202, port 80, INIT7CH, Switzerland
  • 2 other IPs or domains
  • Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sample is packed with UPX

Antivirus Detection

Source: xd.mips.elf; Detection: 35%; Scanner: Virustotal; Label: (none)
Source: xd.mips.elf; Detection: 39%; Scanner: ReversingLabs; Label: Linux.Worm.Mirai
Other scanned categories (three further tables): No Antivirus matches

Contacted Domains: none

Contacted URLs
  • http://upx.sf.net; Source: xd.mips.elf; Malicious: false; Reputation: high

Contacted IPs
  • 209.141.33.93; Domain: unknown; Country: United States; ASN: 53667 PONYNETUS; Malicious: false
  • 109.202.202.202; Domain: unknown; Country: Switzerland; ASN: 13030 INIT7CH; Malicious: false
  • 91.189.91.43; Domain: unknown; Country: United Kingdom; ASN: 41231 CANONICAL-ASGB; Malicious: false
  • 91.189.91.42; Domain: unknown; Country: United Kingdom; ASN: 41231 CANONICAL-ASGB; Malicious: false
Joe Sandbox context: other submissions that contacted the same IPs

  • 209.141.33.93: xd.x86.elf (Unknown), xd.arm7.elf (Mirai), xd.x86_64.elf (Unknown), xd.arm5.elf (Unknown), xd.arm.elf (Unknown), xd.sh4.elf (Unknown), xd.m68k.elf (Unknown), xd.ppc.elf (Unknown), xd.arm.elf (Unknown), xd.spc.elf (Unknown); all detected malicious
  • 109.202.202.202: kpLwzBouH4.elf (Unknown, malicious); context URL: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
  • 91.189.91.43: i686.elf (Gafgyt, Mirai), na.elf (Prometei, 6 submissions), .i.elf (Unknown), xd.arm6.elf (Unknown), tftp.elf (Unknown); all detected malicious
  • 91.189.91.42: the same ten submissions as for 91.189.91.43

The 209.141.33.93 entries are sibling builds of this sample (xd.* binaries for x86, x86_64, ARM v5/v7, SH4, m68k, PowerPC and SPARC), the cross-compiled set typical of Mirai/Gafgyt campaigns, which supports treating that host as the C2. The Canonical and Init7 addresses co-occur with unrelated families (Prometei, tftp.elf, an Ubuntu Firefox package URL), consistent with background traffic from the Ubuntu analysis image.

Domain context: none
Joe Sandbox context: other submissions seen in the same ASNs

  • CANONICAL-ASGB (listed twice, once per 91.189.91.4x address, with the same entries): i686.elf (Gafgyt, Mirai), na.elf (Prometei, 5 submissions), .i.elf (Unknown), xd.arm6.elf (Unknown), tftp.elf (Unknown), all at 91.189.91.42; python3.7.3.elf (Unknown) at 185.125.190.26
  • PONYNETUS: xd.x86.elf, xd.arm7.elf (Mirai), xd.x86_64.elf, xd.arm5.elf, xd.arm.elf, xd.sh4.elf, xd.m68k.elf, xd.ppc.elf, xd.arm.elf, all at 209.141.33.93 (Unknown unless noted); t.elf (Unknown) at 205.185.124.66
  • INIT7CH, all at 109.202.202.202: i686.elf (Gafgyt, Mirai), na.elf (Prometei, 6 submissions), .i.elf (Unknown), xd.arm6.elf (Unknown), tftp.elf (Unknown)

Dropped-file and other context: none
                                                                No created / dropped files found
File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit): 7.8346087714675665
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: xd.mips.elf
File size: 22'316 bytes
MD5: fc607672bc8bff804f44c2ec3afab7d8
SHA1: 525b20152489b0f2492c3b78ce1ef8b0e3a44f05
SHA256: 9a0e439001ac7a514be7182ec15f0defcd39c918629e006f5223cd407d5412fa
SHA512: 658899ed7c5378f9530060362e91724808ee9217571e56983d66d6790e1d109b789ee49f9a933b3f51acf49cc87442d165390804e21cd15a7778c2ed3ad92027
SSDEEP: 384:NPgkCpaPZBND5oDWsU/rkhF0x4Cgv7ZGoPuYxFj6PDcE1gnaqTJgGlzDpH7uNj1k:7/PZB/UWsU/rkhu4TjMoPfFj6rx1gnPR
TLSH: 92A2CF780A0645FAC5E681B583E61B122D610FC76613DD0F78B5CAC7BB671E438878E0
File Content Preview: .ELF......................B....4.........4. ...(......................U...U...............)p.E)p.E)p.................J..UPX!.d......... ... .......U.......?.E.h4...@b..) ..]....D.......B.....:J..v.5.......Y......c.\..,R,.6Er...../.............?...........

ELF header

Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
Machine: MIPS R3000
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x1042b8
Flags: 0x1007
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 2
Section Header Offset: 0
Section Header Size: 40
Number of Section Headers: 0
Header String Table Index: 0

Program headers (Type; Offset; Virtual Address; Physical Address; File Size; Memory Size; Entropy; Flags; Flags Description; Align; Prog Interpreter; Section Mappings):
  • LOAD; 0x0; 0x100000; 0x100000; 0x55fc; 0x55fc; 7.8397; 0x5; R E; 0x10000; none; none
  • LOAD; 0x2970; 0x452970; 0x452970; 0x0; 0x0; 0.0000; 0x6; RW; 0x10000; none; none

This is the layout UPX produces for MIPS: a single readable and executable LOAD covering 22'012 of the file's 22'316 bytes at 7.84 bits of entropy, the entry point 0x1042b8 inside it (the unpacking stub), a zero-size RW LOAD placeholder, and no section headers at all (Section Header Offset 0, count 0), which is why the report flags "only a LOAD segment without any section mappings".
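To make the header and segment facts above mechanically checkable, here is an added Python example (not Joe Sandbox code) that parses a big-endian ELF32 header and its program headers, computes per-segment Shannon entropy, and derives the same triage findings the report lists: no section headers, one high-entropy R+E LOAD, a UPX marker string, and an entry point inside the executable segment. Because the packed bytes themselves are not on this page, build_sample_elf() constructs a stand-in file whose ELF header and program headers carry exactly the values from the tables above and whose body is deterministic pseudo-random filler with the UPX strings embedded; that body, the 7.0 entropy threshold and the marker strings are assumptions of the example. On the real sample, call parse_elf32() and triage() on open(path, "rb").read().

```python
"""ELF32 packer triage mirroring the report's header/segment findings.
Added example for this page (not Joe Sandbox code). Header values are the
report's; the file body built by build_sample_elf() is constructed."""
import hashlib
import math
import struct
from dataclasses import dataclass

PT_LOAD = 1
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EM_MIPS = 8


@dataclass
class Segment:
    p_type: int
    offset: int
    vaddr: int
    paddr: int
    filesz: int
    memsz: int
    flags: int
    align: int
    entropy: float

    def perms(self) -> str:  # "R E" style flags as in the report's table
        return "".join(c if self.flags & f else "-" for c, f in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0, the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_elf32(blob: bytes) -> dict:
    """Parse the ELF32 header and all program headers; byte order from EI_DATA."""
    if blob[:4] != b"\x7fELF" or blob[4] != 1:
        raise ValueError("not an ELF32 file")
    end = ">" if blob[5] == 2 else "<"  # EI_DATA 2 = big endian (MSB), as here
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, e_flags, _, e_phentsize,
     e_phnum, _, e_shnum, _) = struct.unpack(end + "HHIIIIIHHHHHH", blob[16:52])
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_off, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align = \
            struct.unpack(end + "IIIIIIII", blob[off:off + 32])
        ent = shannon_entropy(blob[p_off:p_off + p_filesz])
        segments.append(Segment(p_type, p_off, p_vaddr, p_paddr, p_filesz, p_memsz,
                                p_flags, p_align, ent))
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "flags": e_flags,
            "shoff": e_shoff, "shnum": e_shnum, "segments": segments}


def triage(blob: bytes) -> dict:
    """Boolean findings equivalent to the report's packing/evasion signatures."""
    info = parse_elf32(blob)
    loads = [s for s in info["segments"] if s.p_type == PT_LOAD]
    entry = info["entry"]
    return {
        "no_section_headers": info["shnum"] == 0,
        "high_entropy_load": any(s.filesz and s.entropy > 7.0 for s in loads),
        "upx_marker": b"UPX!" in blob or b"upx.sf.net" in blob,
        "entry_in_exec_segment": any(s.flags & PF_X and s.vaddr <= entry < s.vaddr + s.memsz
                                     for s in loads),
        "rwx_segment": any(s.flags & PF_W and s.flags & PF_X for s in loads),
        "single_backed_load": sum(1 for s in loads if s.filesz) == 1,
    }


def _pseudo_random(n: int, seed: bytes = b"xd.mips.elf") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_elf() -> bytes:
    """Constructed stand-in: ELF header and program headers copied from the report."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0, 0]) + bytes(7)  # ELF32, MSB, v1, SysV
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x1042B8, 52, 0, 0x1007,
                               52, 32, 2, 40, 0, 0)
    phdrs = struct.pack(">IIIIIIII", PT_LOAD, 0x0, 0x100000, 0x100000, 0x55FC, 0x55FC,
                        PF_R | PF_X, 0x10000)
    phdrs += struct.pack(">IIIIIIII", PT_LOAD, 0x2970, 0x452970, 0x452970, 0, 0,
                         PF_R | PF_W, 0x10000)
    body = bytearray(_pseudo_random(0x55FC - len(ehdr) - len(phdrs)))
    body[0:4] = b"UPX!"  # packer magic; the real stub layout is not reproduced
    info = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"
    body[0x100:0x100 + len(info)] = info
    return ehdr + phdrs + bytes(body)


if __name__ == "__main__":
    sample = build_sample_elf()
    for s in parse_elf32(sample)["segments"]:
        print(f"LOAD off=0x{s.offset:x} vaddr=0x{s.vaddr:x} filesz=0x{s.filesz:x} "
              f"{s.perms()} entropy={s.entropy:.4f}")
    print(triage(sample))
```

The entropy threshold is deliberately conservative: statically linked but unpacked MIPS code sits well below 7.0 bits per byte, while compressed or encrypted payloads approach 8.0, so a single R+E LOAD above the threshold with no section headers is a strong packer indicator even before the UPX strings are found.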

Network packets

  • Total Packets: 22
  • Ports seen: 5538 (undefined), 443 (HTTPS), 80 (HTTP)

Timestamp (CEST); Source Port -> Dest Port; Source IP -> Dest IP:
  • Apr 19, 2025 05:45:17.121948957; 43928 -> 443; 192.168.2.23 -> 91.189.91.42
  • Apr 19, 2025 05:45:22.497153997; 42836 -> 443; 192.168.2.23 -> 91.189.91.43
  • Apr 19, 2025 05:45:23.258495092; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:23.401767015; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:45:23.401897907; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:23.403480053; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:23.546564102; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:45:23.546742916; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:23.689903975; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:45:24.032979012; 42516 -> 80; 192.168.2.23 -> 109.202.202.202
  • Apr 19, 2025 05:45:33.412609100; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:33.555705070; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:45:33.555843115; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:45:33.556015968; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:38.111080885; 43928 -> 443; 192.168.2.23 -> 91.189.91.42
  • Apr 19, 2025 05:45:48.349679947; 42836 -> 443; 192.168.2.23 -> 91.189.91.43
  • Apr 19, 2025 05:45:48.780316114; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:45:48.780503988; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:45:54.492733955; 42516 -> 80; 192.168.2.23 -> 109.202.202.202
  • Apr 19, 2025 05:46:03.924348116; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:46:03.924598932; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:46:19.065244913; 43928 -> 443; 192.168.2.23 -> 91.189.91.42
  • Apr 19, 2025 05:46:19.068216085; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:46:19.068315029; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:46:33.608865976; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:46:33.752191067; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:46:33.752300978; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:46:39.542375088; 42836 -> 443; 192.168.2.23 -> 91.189.91.43
  • Apr 19, 2025 05:46:48.940141916; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:46:48.940368891; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:47:04.084112883; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:47:04.084378004; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93
  • Apr 19, 2025 05:47:19.228075027; 5538 -> 60832; 209.141.33.93 -> 192.168.2.23
  • Apr 19, 2025 05:47:19.228423119; 60832 -> 5538; 192.168.2.23 -> 209.141.33.93

Reading the table: the 209.141.33.93:5538 session opens with a normal three-way handshake at 05:45:23.258/.401/.401, exchanges data at once, and is then kept alive by a small packet roughly every 15 seconds (05:45:33.41, 05:45:48.78, 05:46:03.92, 05:46:19.07, 05:46:33.61, 05:46:48.94, 05:47:04.08, 05:47:19.23), each answered by the other side. That fixed-period keep-alive on a port with no registered service is the NetFlow signature to hunt for. The connections to 91.189.91.42/.43:443 and 109.202.202.202:80 show only outbound packets from the client at growing intervals and never a reply, i.e. unanswered connection attempts, which is what the "all servers are down" signature fires on.
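The 15-second cadence is easier to measure than to read off by eye. The following Python is an added example (not Joe Sandbox code) that turns the rows above into per-endpoint flow summaries: packets to or from the same remote IP and port are grouped, packets less than a second apart are collapsed into one exchange, and the median interval between exchanges plus its relative jitter decide whether a flow beacons. PACKETS is transcribed from the table above with the timestamps cut to microseconds; the one-second burst window, the five-exchange minimum, the 20 % jitter limit and the COMMON_PORTS set are assumptions chosen for this example rather than anything in the report.

```python
"""Beacon and C2 triage over flow records. Added example for this report, not
Joe Sandbox code. PACKETS is transcribed from the report's packet table
(nanosecond digits truncated to microseconds); thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

SANDBOX_CLIENT = "192.168.2.23"
COMMON_PORTS = {22, 25, 53, 80, 123, 443}  # assumed "standard" ports for this example
EPOCH = datetime(2025, 4, 19)  # fixed reference; only time differences matter

# Constructed from the report's table: timestamp, source port, dest port, source IP, dest IP.
PACKETS = """\
2025-04-19 05:45:17.121948 43928 443 192.168.2.23 91.189.91.42
2025-04-19 05:45:22.497153 42836 443 192.168.2.23 91.189.91.43
2025-04-19 05:45:23.258495 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:23.401767 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:45:23.401897 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:23.403480 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:23.546564 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:45:23.546742 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:23.689903 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:45:24.032979 42516 80 192.168.2.23 109.202.202.202
2025-04-19 05:45:33.412609 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:33.555705 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:45:33.555843 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:45:33.556015 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:38.111080 43928 443 192.168.2.23 91.189.91.42
2025-04-19 05:45:48.349679 42836 443 192.168.2.23 91.189.91.43
2025-04-19 05:45:48.780316 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:45:48.780503 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:45:54.492733 42516 80 192.168.2.23 109.202.202.202
2025-04-19 05:46:03.924348 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:46:03.924598 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:46:19.065244 43928 443 192.168.2.23 91.189.91.42
2025-04-19 05:46:19.068216 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:46:19.068315 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:46:33.608865 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:46:33.752191 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:46:33.752300 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:46:39.542375 42836 443 192.168.2.23 91.189.91.43
2025-04-19 05:46:48.940141 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:46:48.940368 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:47:04.084112 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:47:04.084378 60832 5538 192.168.2.23 209.141.33.93
2025-04-19 05:47:19.228075 5538 60832 209.141.33.93 192.168.2.23
2025-04-19 05:47:19.228423 60832 5538 192.168.2.23 209.141.33.93
"""


@dataclass
class Flow:
    remote: Tuple[str, int]
    exchanges: int                    # packet bursts, i.e. request/response rounds
    responded: bool                   # did the remote host ever send anything back
    median_interval: Optional[float]  # seconds between exchanges
    jitter: Optional[float]           # median absolute deviation / median interval
    nonstandard_port: bool
    beacon: bool


def parse_packets(text: str) -> List[Tuple[float, str, int, str, int]]:
    rows = []
    for line in text.strip().splitlines():
        day, clock, sport, dport, sip, dip = line.split()
        t = (datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S.%f") - EPOCH).total_seconds()
        rows.append((t, sip, int(sport), dip, int(dport)))
    return rows


def cluster(times: List[float], gap: float = 1.0) -> List[float]:
    """Collapse packets less than `gap` seconds apart into one exchange; return start times."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def summarize(rows, min_exchanges: int = 5, max_jitter: float = 0.2) -> Dict[Tuple[str, int], Flow]:
    by_remote = defaultdict(list)
    for t, sip, sport, dip, dport in rows:
        remote = (dip, dport) if sip == SANDBOX_CLIENT else (sip, sport)
        by_remote[remote].append((t, sip))
    flows = {}
    for remote, pkts in by_remote.items():
        starts = cluster([t for t, _ in pkts])
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        med = jit = None
        if len(gaps) >= 2:
            med = median(gaps)
            jit = median([abs(g - med) for g in gaps]) / med
        beacon = len(starts) >= min_exchanges and jit is not None and jit <= max_jitter
        flows[remote] = Flow(remote, len(starts), any(sip == remote[0] for _, sip in pkts),
                             med, jit, remote[1] not in COMMON_PORTS, beacon)
    return flows


if __name__ == "__main__":
    for flow in summarize(parse_packets(PACKETS)).values():
        print(flow)
```

Run against the report's rows, the 209.141.33.93:5538 flow comes out as nine exchanges with a median interval just above 15 s and jitter under 1 %, answered by the remote side, on a non-standard port: a beacon. The three Canonical and Init7 flows have two or three unanswered exchanges each and never reach the beacon threshold, which is the distinction a hunter wants before raising an alert on "TCP traffic without DNS".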

System Behavior

Process 1
Start time (UTC): 03:45:17
Start date (UTC): 19/04/2025
Path: /tmp/xd.mips.elf
Arguments: /tmp/xd.mips.elf
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Process 2 (started by process 1)
Start time (UTC): 03:45:22
Start date (UTC): 19/04/2025
Path: /tmp/xd.mips.elf
Arguments: -
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

Both entries carry the size and hash of the qemu-mips user-mode emulator through which the x64 analysis host runs this MIPS binary (see the qemu strings under Data Obfuscation), not those of the submitted 22'316-byte sample. The second process is started five seconds after the first; the 209.141.33.93:5538 session continues until the end of the analysis even though the original process exits with code 0.