
Linux Analysis Report
xd.arm5.elf

Overview

General Information

Sample name:xd.arm5.elf
Analysis ID:1669052
MD5:ec75af6b9f768a58685cdafff206a001
SHA1:42ff8d0f77955cae73338c39222324980dfb8fbe
SHA256:abb4b994224dd1aa93ac7a7079b9d0eb6c54d431b6c91df70551035244b7cf14
Tags:elfuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1669052
Start date and time:2025-04-19 06:53:37 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:xd.arm5.elf
Detection:MAL
Classification:mal60.evad.linELF@0/0@0/0
Command:/tmp/xd.arm5.elf
PID:6219
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
connecterror
Standard Error:
  • system is lnxubuntu20
  • xd.arm5.elf (PID: 6219, Parent: 6136, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/xd.arm5.elf
  • cleanup
Source | Rule | Description | Author | Strings
6219.1.00007f14b8017000.00007f14b8023000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
Process Memory Space: xd.arm5.elf PID: 6219 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
No Suricata rule has matched


AV Detection

Source: xd.arm5.elf | ReversingLabs: Detection: 36%
Source: global traffic | TCP traffic: 192.168.2.23:60828 -> 209.141.33.93:5538
Source: /tmp/xd.arm5.elf (PID: 6219) | Socket: 192.168.2.23:9473
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 209.141.33.93
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: xd.arm5.elf | String found in binary or memory: http://upx.sf.net
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: 6219.1.00007f14b8017000.00007f14b8023000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: xd.arm5.elf PID: 6219, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: LOAD without section mappings | Program segment: 0x8000
Source: 6219.1.00007f14b8017000.00007f14b8023000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: xd.arm5.elf PID: 6219, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: xd.arm5.elf | Submission file: segment LOAD with 7.9163 entropy (max. 8.0)
Source: /tmp/xd.arm5.elf (PID: 6219) | Queries kernel information via 'uname'
Source: xd.arm5.elf, 6219.1.0000563d190b6000.0000563d192a4000.rw-.sdmp | Binary or memory string: =V!/etc/qemu-binfmt/arm
Source: xd.arm5.elf, 6219.1.0000563d190b6000.0000563d192a4000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: xd.arm5.elf, 6219.1.00007ffcde94a000.00007ffcde96b000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: xd.arm5.elf, 6219.1.00007ffcde94a000.00007ffcde96b000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/xd.arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/xd.arm5.elf
MITRE ATT&CK matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Only the cells with matched signatures are listed; all other cells held the empty matrix placeholders:
  • Defense Evasion: Obfuscated Files or Information (11)
  • Discovery: Security Software Discovery (11)
  • Command and Control: Encrypted Channel (1)
  • Command and Control: Non-Standard Port (1)
  • Command and Control: Application Layer Protocol (1)
No configs have been found
Behavior Graph ID:1669052
Sample:xd.arm5.elf
Start date:19/04/2025
Architecture:LINUX
Score:60
Contacted IPs:209.141.33.93 (ports 5538, 60828; PONYNETUS, United States); 109.202.202.202 (port 80; INIT7CH, Switzerland); 2 other IPs or domains
Signatures:Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sample is packed with UPX
Processes:xd.arm5.elf started, which in turn started a second xd.arm5.elf process
Source | Detection | Scanner | Label | Link
xd.arm5.elf | 36% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | xd.arm5.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
209.141.33.93 | unknown | United States | 53667 | PONYNETUS | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-ASGB | false
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
  • 209.141.33.93: xd.mips.elf (malicious, Unknown); xd.mpsl.elf (malicious, Unknown); xd.x86.elf (malicious, Unknown); xd.arm7.elf (malicious, Mirai); xd.x86_64.elf (malicious, Unknown); xd.arm5.elf (malicious, Unknown); xd.arm.elf (malicious, Unknown); xd.sh4.elf (malicious, Unknown); xd.m68k.elf (malicious, Unknown); xd.ppc.elf (malicious, Unknown)
  • 109.202.202.202: kpLwzBouH4.elf (malicious, Unknown; context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb)
  • 91.189.91.43: na.elf (malicious, Prometei); na.elf (malicious, Prometei); na.elf (malicious, Prometei); na.elf (malicious, Prometei); ppc.elf (malicious, Gafgyt, Mirai); na.elf (malicious, Prometei); xd.mips.elf (malicious, Unknown); i686.elf (malicious, Gafgyt, Mirai); na.elf (malicious, Prometei); na.elf (malicious, Prometei)
  • 91.189.91.42: na.elf (malicious, Prometei); na.elf (malicious, Prometei); na.elf (malicious, Prometei); na.elf (malicious, Prometei); ppc.elf (malicious, Gafgyt, Mirai); na.elf (malicious, Prometei); xd.mips.elf (malicious, Unknown); i686.elf (malicious, Gafgyt, Mirai); na.elf (malicious, Prometei); na.elf (malicious, Prometei)
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
  • CANONICAL-ASGB: na.elf (malicious, Prometei; 91.189.91.42); na.elf (malicious, Prometei; 185.125.190.26); na.elf (malicious, Prometei; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42); ppc.elf (malicious, Gafgyt, Mirai; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42); xd.mips.elf (malicious, Unknown; 91.189.91.42); i686.elf (malicious, Gafgyt, Mirai; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42)
  • CANONICAL-ASGB (second entry): na.elf (malicious, Prometei; 91.189.91.42); na.elf (malicious, Prometei; 185.125.190.26); na.elf (malicious, Prometei; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42); ppc.elf (malicious, Gafgyt, Mirai; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42); xd.mips.elf (malicious, Unknown; 91.189.91.42); i686.elf (malicious, Gafgyt, Mirai; 91.189.91.42); na.elf (malicious, Prometei; 91.189.91.42)
  • PONYNETUS: xd.mips.elf (malicious, Unknown; 209.141.33.93); xd.mpsl.elf (malicious, Unknown; 209.141.33.93); xd.x86.elf (malicious, Unknown; 209.141.33.93); xd.arm7.elf (malicious, Mirai; 209.141.33.93); xd.x86_64.elf (malicious, Unknown; 209.141.33.93); xd.arm5.elf (malicious, Unknown; 209.141.33.93); xd.arm.elf (malicious, Unknown; 209.141.33.93); t.elf (malicious, Unknown; 205.185.124.66); xd.sh4.elf (malicious, Unknown; 209.141.33.93); xd.m68k.elf (malicious, Unknown; 209.141.33.93)
  • INIT7CH: na.elf (malicious, Prometei; 109.202.202.202); na.elf (malicious, Prometei; 109.202.202.202); na.elf (malicious, Prometei; 109.202.202.202); na.elf (malicious, Prometei; 109.202.202.202); ppc.elf (malicious, Gafgyt, Mirai; 109.202.202.202); na.elf (malicious, Prometei; 109.202.202.202); xd.mips.elf (malicious, Unknown; 109.202.202.202); i686.elf (malicious, Gafgyt, Mirai; 109.202.202.202); na.elf (malicious, Prometei; 109.202.202.202); na.elf (malicious, Prometei; 109.202.202.202)
No context
No context
No created / dropped files found
File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header
Entropy (8bit):7.911869401627855
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:xd.arm5.elf
File size:21'144 bytes
MD5:ec75af6b9f768a58685cdafff206a001
SHA1:42ff8d0f77955cae73338c39222324980dfb8fbe
SHA256:abb4b994224dd1aa93ac7a7079b9d0eb6c54d431b6c91df70551035244b7cf14
SHA512:5c6c0b26287ea399b58c10090decfbb33094363b9ed7411fa947be535192c5bd60fdf6f694090c3bf4c0d84b8e631539ad7da800d0908d4ea40eb10a9ec9bcc4
SSDEEP:384:wmpWUB+iqiGbiUq19U7AwVnod4cTK4KhJOV9vIzn15tzhymdGUop5hpJ:PpWUB+ipGbdq1O7AQsW4Ym9vIr15tzsT
TLSH:6592D07020619524F7306533F1BDC28977D31EB9E1E934730D6941A5A88B44653FEBAB
File Content Preview:.ELF...a..........(.........4...........4. ...(......................Q...Q..........................................Q.td..............................CvUPX!....................Q..........?.E.h;.}...^..........f.|..B=_>+rV...$...C...........g..D....VD..._.

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:ARM
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:ARM - ABI
ABI Version:0
Entry Point Address:0xc000
Flags:0x2
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8000 | 0x8000 | 0x51af | 0x51af | 7.9163 | 0x5 | R E | 0x8000 | |
LOAD | 0x7fbc | 0x1ffbc | 0x1ffbc | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


  • Total Packets: 21
  • 5538 undefined
  • 443 (HTTPS)
  • 80 (HTTP)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2025 06:54:20.099082947 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Apr 19, 2025 06:54:23.305335045 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:23.449033022 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:54:23.449095964 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:23.450170994 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:23.593238115 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:54:23.593437910 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:23.736607075 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:54:25.730297089 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Apr 19, 2025 06:54:27.266082048 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Apr 19, 2025 06:54:33.459073067 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:33.602224112 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:54:33.602324963 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:54:33.602461100 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:40.576244116 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Apr 19, 2025 06:54:48.801964998 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:54:48.802284956 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:54:52.862637043 CEST | 42836 | 443 | 192.168.2.23 | 91.189.91.43
Apr 19, 2025 06:54:56.958182096 CEST | 42516 | 80 | 192.168.2.23 | 109.202.202.202
Apr 19, 2025 06:55:03.945991993 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:55:03.946126938 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:55:19.090238094 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:55:19.090595007 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:55:21.530718088 CEST | 43928 | 443 | 192.168.2.23 | 91.189.91.42
Apr 19, 2025 06:55:33.638041973 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:55:33.781196117 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:55:33.781339884 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:55:48.962567091 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:55:48.963027954 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:56:04.107742071 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:56:04.107877970 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93
Apr 19, 2025 06:56:19.266768932 CEST | 5538 | 60828 | 209.141.33.93 | 192.168.2.23
Apr 19, 2025 06:56:19.266940117 CEST | 60828 | 5538 | 192.168.2.23 | 209.141.33.93

System Behavior

Start time (UTC):04:54:17
Start date (UTC):19/04/2025
Path:/tmp/xd.arm5.elf
Arguments:/tmp/xd.arm5.elf
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):04:54:22
Start date (UTC):19/04/2025
Path:/tmp/xd.arm5.elf
Arguments:-
File size:4956856 bytes
MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1