Edit tour

Linux Analysis Report
Space.mips.elf

Overview

General Information

Sample name:	Space.mips.elf
Analysis ID:	1665359
MD5:	2499cd03d508e4a3a4bdb4ac5b50459c
SHA1:	0690c9bed1bb4f6d747eb168ae3b0fda4fd050cd
SHA256:	bc71fbfbd8415a8d978ac8d4057121bc1fa82d1ccd184371e59c0f9c79de34ba
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	60
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1665359
Start date and time:	2025-04-15 14:02:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	Space.mips.elf
Detection:	MAL
Classification:	mal60.evad.linELF@0/0@0/0

Runtime Messages

Command:	/tmp/Space.mips.elf
PID:	5491
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	lzrd cock fest"/proc/"/exe
Standard Error:

Process Tree

system is lnxubuntu20

Space.mips.elf (PID: 5491, Parent: 5412, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/Space.mips.elf

Space.mips.elf New Fork (PID: 5493, Parent: 5491)

Space.mips.elf New Fork (PID: 5495, Parent: 5493)

Space.mips.elf New Fork (PID: 5497, Parent: 5493)

Space.mips.elf New Fork (PID: 5505, Parent: 5491)

Space.mips.elf New Fork (PID: 5506, Parent: 5491)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
5505.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x28f4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29000:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29014:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29028:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2903c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5493.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x28f4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29000:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29014:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29028:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2903c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5491.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x28f4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29000:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29014:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29028:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2903c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5495.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x28f4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28f9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x28fec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29000:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29014:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29028:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2903c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x29078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x2908c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x290dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5491	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xfec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1000:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1014:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1028:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x103c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1050:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1064:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1078:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x108c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5493	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x18cf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18e3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18f7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x190b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x191f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1933:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1947:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x195b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x196f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1983:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1997:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19ab:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19bf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19d3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19e7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x19fb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a0f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a23:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a37:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a4b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1a5f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5495	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1735:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1749:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x175d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1771:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1785:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1799:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x17fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1811:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1825:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1839:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x184d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1861:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1875:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1889:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x189d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x18c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: Space.mips.elf PID: 5505	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x49b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4af:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4c3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4d7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4eb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4ff:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x513:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x527:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x53b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x54f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x563:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x577:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x58b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x59f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5b3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5c7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5db:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x5ef:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x603:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x617:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x62b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 3 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Space.mips.elf	Virustotal: Detection: 46%			Perma Link
Source: Space.mips.elf	ReversingLabs: Detection: 44%

Source: global traffic

TCP traffic: 192.168.2.14:42020 -> 107.173.143.15:3778

Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.143.15

Source: Space.mips.elf

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5505.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5493.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5491.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5495.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5491, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5493, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5495, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Space.mips.elf PID: 5505, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: LOAD without section mappings

Program segment: 0x100000

Source: 5505.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5493.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5491.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5495.1.00007ff3e8400000.00007ff3e842c000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5491, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5493, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5495, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Space.mips.elf PID: 5505, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1583/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/2672/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1577/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/10/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/917/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/11/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/12/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/13/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/14/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/15/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/16/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3770/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/17/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/18/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/19/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1593/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/240/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/120/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3094/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/121/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/242/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3406/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/122/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/243/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/2/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/123/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/244/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1589/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/124/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/245/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1588/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/125/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/4/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/246/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3402/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/126/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/5/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/247/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/127/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/6/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/248/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/128/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/7/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/249/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/8/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/129/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/800/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/9/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/801/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/803/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3767/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/20/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/806/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3768/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/21/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/807/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/928/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3769/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/22/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/23/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/24/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/25/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/26/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/27/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/28/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/29/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3420/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/490/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/250/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/130/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/251/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/131/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/252/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/132/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/253/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/254/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/255/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/135/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/256/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1599/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/257/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/378/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/258/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/3412/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/259/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/30/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/35/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/1371/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/260/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/261/status	Jump to behavior
Source: /tmp/Space.mips.elf (PID: 5491)	File opened: /proc/262/status	Jump to behavior

Source: Space.mips.elf

Submission file: segment LOAD with 7.9461 entropy (max. 8.0)

Source: /tmp/Space.mips.elf (PID: 5491)

Queries kernel information via 'uname':

Jump to behavior

Source: Space.mips.elf, 5491.1.000056279441e000.00005627944c6000.rw-.sdmp, Space.mips.elf, 5493.1.000056279441e000.00005627944c6000.rw-.sdmp, Space.mips.elf, 5495.1.000056279441e000.00005627944c6000.rw-.sdmp, Space.mips.elf, 5505.1.000056279441e000.00005627944c6000.rw-.sdmp	Binary or memory string: 'V!/etc/qemu-binfmt/mips
Source: Space.mips.elf, 5491.1.000056279441e000.00005627944c6000.rw-.sdmp, Space.mips.elf, 5493.1.000056279441e000.00005627944c6000.rw-.sdmp, Space.mips.elf, 5495.1.000056279441e000.00005627944c6000.rw-.sdmp, Space.mips.elf, 5505.1.000056279441e000.00005627944c6000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: Space.mips.elf, 5491.1.00007ffd48437000.00007ffd48458000.rw-.sdmp, Space.mips.elf, 5493.1.00007ffd48437000.00007ffd48458000.rw-.sdmp, Space.mips.elf, 5495.1.00007ffd48437000.00007ffd48458000.rw-.sdmp, Space.mips.elf, 5505.1.00007ffd48437000.00007ffd48458000.rw-.sdmp	Binary or memory string: 0x86_64/usr/bin/qemu-mips/tmp/Space.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.mips.elf
Source: Space.mips.elf, 5491.1.00007ffd48437000.00007ffd48458000.rw-.sdmp, Space.mips.elf, 5493.1.00007ffd48437000.00007ffd48458000.rw-.sdmp, Space.mips.elf, 5495.1.00007ffd48437000.00007ffd48458000.rw-.sdmp, Space.mips.elf, 5505.1.00007ffd48437000.00007ffd48458000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Space.mips.elf	46%	Virustotal		Browse
Space.mips.elf	44%	ReversingLabs	Linux.Trojan.Multiverze

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Space.mips.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.173.143.15	unknown	United States		36352	AS-COLOCROSSINGUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	ORDER-25013-67789543AX.vbs	Get hash	malicious	WSHRat, DarkTortilla	Browse	104.168.7.12
	ORDER-2504014-0054739AP.vbs	Get hash	malicious	WSHRat, DarkTortilla	Browse	172.245.208.13
	15042025Payment .xls	Get hash	malicious	Unknown	Browse	172.245.208.21
	15042025Payment .xls	Get hash	malicious	Unknown	Browse	172.245.208.21
	ORDER#250944.XLS.vbs	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	172.245.208.13
	15042025Payment .xls	Get hash	malicious	Unknown	Browse	172.245.208.21
	003.exe	Get hash	malicious	Unknown	Browse	104.168.28.10
	003.exe	Get hash	malicious	Unknown	Browse	104.168.28.10
	sdf.hta	Get hash	malicious	Cobalt Strike	Browse	172.245.191.88
	GFL-001-2034-PO-BK - REV.docx.doc	Get hash	malicious	Unknown	Browse	192.3.140.103

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.943938077705882
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Space.mips.elf
File size:	44'140 bytes
MD5:	2499cd03d508e4a3a4bdb4ac5b50459c
SHA1:	0690c9bed1bb4f6d747eb168ae3b0fda4fd050cd
SHA256:	bc71fbfbd8415a8d978ac8d4057121bc1fa82d1ccd184371e59c0f9c79de34ba
SHA512:	620b764aab382734bffe97d7de38d89b6c1b8641818237bbcb3cecb690747911a986e4bd221d5c844fafbf18e9a852e18aee2feb532b1ee5282efe2a96da1bb8
SSDEEP:	768:G7ph1LjFGpx652lJXasyEk6JGbr6MWiNIx8FJ8/0JgGlzDpbuR1JXA:GzA65yk6JGbrbNwQJ0sVJuu
TLSH:	9213E15E850088EEE8818D7147E45B616F710BB0F463E943E50DF887EA696FD3E235A8
File Content Preview:	.ELF...........................4.........4. ...(.......................<...<.................C...C......................UPX!.d.....................V.......?.E.h4...@b..) ..]....E..`..........@4#.Y..~.9....b...Q".\|.H.%Q.z....6u.."....cLw.........`.........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x1097f8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0xab3c	0xab3c	7.9461	0x5	R E	0x10000
LOAD	0xcffc	0x43cffc	0x43cffc	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2025 14:02:54.046727896 CEST	42020	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:02:54.180536985 CEST	3778	42020	107.173.143.15	192.168.2.14
Apr 15, 2025 14:02:55.196428061 CEST	42022	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:02:55.330122948 CEST	3778	42022	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:00.332828999 CEST	42024	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:00.353935957 CEST	42026	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:00.467902899 CEST	3778	42024	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:00.487389088 CEST	3778	42026	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:01.502811909 CEST	42028	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:01.636612892 CEST	3778	42028	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:05.484146118 CEST	42030	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:05.618191957 CEST	3778	42030	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:06.639322996 CEST	42032	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:06.773735046 CEST	3778	42032	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:09.620698929 CEST	42034	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:09.756036043 CEST	3778	42034	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:11.758923054 CEST	42036	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:11.775778055 CEST	42038	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:11.893126965 CEST	3778	42036	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:11.909324884 CEST	3778	42038	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:15.912311077 CEST	42040	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:16.046473026 CEST	3778	42040	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:18.049061060 CEST	42042	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:18.182702065 CEST	3778	42042	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:19.895143032 CEST	42044	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:20.028927088 CEST	3778	42044	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:23.031580925 CEST	42046	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:23.165885925 CEST	3778	42046	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:26.185062885 CEST	42048	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:26.319571972 CEST	3778	42048	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:29.322103977 CEST	42050	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:29.457051039 CEST	3778	42050	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:32.168575048 CEST	42052	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:32.303462029 CEST	3778	42052	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:37.305696011 CEST	42054	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:37.439392090 CEST	3778	42054	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:38.459305048 CEST	42056	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:38.593909979 CEST	3778	42056	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:43.441678047 CEST	42058	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:43.576142073 CEST	3778	42058	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:43.596473932 CEST	42060	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:43.730163097 CEST	3778	42060	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:45.578532934 CEST	42062	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:45.713408947 CEST	3778	42062	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:49.733208895 CEST	42064	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:49.866940975 CEST	3778	42064	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:51.870320082 CEST	42066	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:52.004658937 CEST	3778	42066	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:55.715883017 CEST	42068	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:55.849898100 CEST	3778	42068	107.173.143.15	192.168.2.14
Apr 15, 2025 14:03:57.852698088 CEST	42070	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:03:57.986658096 CEST	3778	42070	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:00.989583015 CEST	42072	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:01.123972893 CEST	3778	42072	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:02.008162975 CEST	42074	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:02.141731024 CEST	3778	42074	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:04.144553900 CEST	42076	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:04.278605938 CEST	3778	42076	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:07.281522989 CEST	42078	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:07.415832996 CEST	3778	42078	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:10.126806974 CEST	42080	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:10.260730028 CEST	3778	42080	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:13.263138056 CEST	42082	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:13.396840096 CEST	3778	42082	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:14.399266958 CEST	42084	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:14.533915997 CEST	3778	42084	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:16.418726921 CEST	42086	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:16.552604914 CEST	3778	42086	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:19.555053949 CEST	42088	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:19.689357042 CEST	3778	42088	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:20.691541910 CEST	42090	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:20.825171947 CEST	3778	42090	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:24.536211967 CEST	42092	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:24.670137882 CEST	3778	42092	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:29.672338963 CEST	42094	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:29.806755066 CEST	3778	42094	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:30.828262091 CEST	42096	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:30.961944103 CEST	3778	42096	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:33.808541059 CEST	42098	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:33.942095995 CEST	3778	42098	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:35.964490891 CEST	42100	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:36.102832079 CEST	3778	42100	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:39.944667101 CEST	42102	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:40.078341007 CEST	3778	42102	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:40.104870081 CEST	42104	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:40.239197969 CEST	3778	42104	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:46.241527081 CEST	42106	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:46.375519037 CEST	3778	42106	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:49.080734015 CEST	42108	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:49.214821100 CEST	3778	42108	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:53.216685057 CEST	42110	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:53.350476027 CEST	3778	42110	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:55.379198074 CEST	42112	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:55.512931108 CEST	3778	42112	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:57.352657080 CEST	42114	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:57.486162901 CEST	3778	42114	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:58.488401890 CEST	42116	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:58.622001886 CEST	3778	42116	107.173.143.15	192.168.2.14
Apr 15, 2025 14:04:59.515598059 CEST	42118	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:04:59.649439096 CEST	3778	42118	107.173.143.15	192.168.2.14
Apr 15, 2025 14:05:03.651910067 CEST	42120	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:05:03.785693884 CEST	3778	42120	107.173.143.15	192.168.2.14
Apr 15, 2025 14:05:04.789129019 CEST	42122	3778	192.168.2.14	107.173.143.15
Apr 15, 2025 14:05:04.922924995 CEST	3778	42122	107.173.143.15	192.168.2.14

System Behavior

Analysis Process: Space.mips.elf PID: 5491, Parent PID: 5412

General

Start time (UTC):	12:02:52
Start date (UTC):	15/04/2025
Path:	/tmp/Space.mips.elf
Arguments:	/tmp/Space.mips.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5493, Parent PID: 5491

General

Start time (UTC):	12:02:52
Start date (UTC):	15/04/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5495, Parent PID: 5493

General

Start time (UTC):	12:02:52
Start date (UTC):	15/04/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5497, Parent PID: 5493

General

Start time (UTC):	12:02:52
Start date (UTC):	15/04/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5505, Parent PID: 5491

General

Start time (UTC):	12:02:59
Start date (UTC):	15/04/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Chronological Activities

Analysis Process: Space.mips.elf PID: 5506, Parent PID: 5491

General

Start time (UTC):	12:02:59
Start date (UTC):	15/04/2025
Path:	/tmp/Space.mips.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Space.mips.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: Space.mips.elf PID: 5491, Parent PID: 5412

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5493, Parent PID: 5491

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5495, Parent PID: 5493

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5497, Parent PID: 5493

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5505, Parent PID: 5491

General

Chronological Activities

Analysis Process: Space.mips.elf PID: 5506, Parent PID: 5491

General

Chronological Activities

Linux Analysis Report
Space.mips.elf