Linux Analysis Report
Space.arm6.elf

Overview

General Information

Sample name: Space.arm6.elf
Analysis ID: 1665364
MD5: 0f1bbf74ef43b2da343204026b6ad315
SHA1: 4850b0be796f3a51360713a5ec98b395a9c47d2a
SHA256: e99fa4bfe123332cfa1a3094a6cec18c6a00e76121f71a0949d3e812bc4b9098
Tags: elf, user-abuse_ch

Detection

Score: 60 (range 0 - 100)

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1665364
Start date and time: 2025-04-15 14:07:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Space.arm6.elf
Detection: MAL
Classification: mal60.evad.linELF@0/0@0/0
Command: /tmp/Space.arm6.elf
PID: 5529
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Yara matches (Source; Rule; Description; Author; Strings)

Every match is to one rule, Linux_Trojan_Gafgyt_28a2fe0c (description: unknown, author: unknown), on one string:
  $a = 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  ASCII: /x38/xFJ/x93/xID/x9A/x38/xFJ/
The 29-byte pattern is the 20-byte fragment "/x38/xFJ/x93/xID/x9A" followed by the first 9 bytes of its repeat, so a run of that fragment in memory produces one overlapping hit every 0x14 bytes. That is why each source below reports 21 hits at a fixed stride rather than 21 different strings.

  • 5529.1.00007f6244017000.00007f624402f000.r-x.sdmp: 21 hits of $a from 0x15320 to 0x154b0, stride 0x14
  • 5534.1.00007f6244017000.00007f624402f000.r-x.sdmp: 21 hits of $a from 0x15320 to 0x154b0, stride 0x14
  • 5542.1.00007f6244017000.00007f624402f000.r-x.sdmp: 21 hits of $a from 0x15320 to 0x154b0, stride 0x14
  • 5532.1.00007f6244017000.00007f624402f000.r-x.sdmp: 21 hits of $a from 0x15320 to 0x154b0, stride 0x14
  • Process Memory Space: Space.arm6.elf PID: 5529: 21 hits of $a from 0x1183c to 0x119cc, stride 0x14
  • Three further Process Memory Space entries are collapsed on the page and are not reproduced here.
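The 21 hits per dump above are a property of the string $a itself, not of 21 separate artefacts in the sample. The Python below, added here and not part of the Joe Sandbox report or of the Elastic rule set, decodes the hex string exactly as printed, derives its repeating unit, and reproduces the overlapping-hit pattern over a buffer that build_sample() constructs for the purpose (the buffer stands in for a memory dump; nothing from the analysed file is reproduced).

```python
"""Decode the Yara string $a from Linux_Trojan_Gafgyt_28a2fe0c and reproduce
the overlapping-hit pattern the report shows (21 hits, stride 0x14).

Added example; not part of the Joe Sandbox report or of the Elastic rule set.
A_HEX is the hex string exactly as printed in the report. The buffer built by
build_sample() is constructed here and stands in for a memory dump.
"""

A_HEX = ("2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 "
         "2F 78 33 38 2F 78 46 4A 2F")
A_BYTES = bytes.fromhex(A_HEX)


def decode_ascii(pattern: bytes) -> str:
    """Render a byte pattern as printable ASCII, '.' for anything unprintable."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in pattern)


def repeat_unit(pattern: bytes) -> bytes:
    """Shortest prefix whose repetition reproduces the whole pattern.

    For $a this is a 20-byte fragment; the 29-byte pattern is that fragment
    plus the first 9 bytes of its next copy, so any run of the fragment yields
    one hit per copy, each overlapping the next.
    """
    for n in range(1, len(pattern) + 1):
        if all(pattern[i] == pattern[i % n] for i in range(len(pattern))):
            return pattern[:n]
    return pattern


def find_all(buf: bytes, pattern: bytes) -> list:
    """Offsets of every occurrence, overlapping ones included (Yara semantics)."""
    hits, i = [], buf.find(pattern)
    while i != -1:
        hits.append(i)
        i = buf.find(pattern, i + 1)
    return hits


def build_sample(base: int, copies: int) -> bytes:
    """Constructed buffer: zero fill up to `base`, then `copies` copies of the unit."""
    return b"\x00" * base + repeat_unit(A_BYTES) * copies + b"\x00" * 64


def summarize(hits: list) -> dict:
    """Condense a hit list into count, first/last offset and the common stride."""
    strides = {b - a for a, b in zip(hits, hits[1:])}
    return {
        "count": len(hits),
        "first": hits[0],
        "last": hits[-1],
        "stride": strides.pop() if len(strides) == 1 else None,
    }


if __name__ == "__main__":
    print("ASCII :", decode_ascii(A_BYTES))
    print("unit  :", repeat_unit(A_BYTES).decode())
    s = summarize(find_all(build_sample(0x15320, 22), A_BYTES))
    print(f"{s['count']} hits from 0x{s['first']:x} to 0x{s['last']:x}, "
          f"stride 0x{s['stride']:x}")
```

Running it against a real dump is a matter of passing the dump's bytes to find_all instead of build_sample(); 22 back-to-back copies of the fragment are what it takes to produce exactly the 21 hits the report lists.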
No Suricata rule has matched

AV Detection

Source: Space.arm6.elf; Virustotal: Detection: 45%
Source: Space.arm6.elf; ReversingLabs: Detection: 50%

Networking

Source: global traffic; TCP traffic: 192.168.2.15:58300 -> 107.173.143.15:3778
Source: unknown; TCP traffic detected without corresponding DNS query: 107.173.143.15 (reported 50 times on the page; the address was contacted directly, with no DNS resolution observed in the capture)
Source: Space.arm6.elf; String found in binary or memory: http://upx.sf.net

System Summary

The following eight memory sources matched rule Linux_Trojan_Gafgyt_28a2fe0c (Author: unknown):

  • 5529.1.00007f6244017000.00007f624402f000.r-x.sdmp, type: MEMORY
  • 5534.1.00007f6244017000.00007f624402f000.r-x.sdmp, type: MEMORY
  • 5542.1.00007f6244017000.00007f624402f000.r-x.sdmp, type: MEMORY
  • 5532.1.00007f6244017000.00007f624402f000.r-x.sdmp, type: MEMORY
  • Process Memory Space: Space.arm6.elf PID: 5529, type: MEMORYSTR
  • Process Memory Space: Space.arm6.elf PID: 5532, type: MEMORYSTR
  • Process Memory Space: Space.arm6.elf PID: 5534, type: MEMORYSTR
  • Process Memory Space: Space.arm6.elf PID: 5542, type: MEMORYSTR

Rule metadata, identical for all eight matches: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: LOAD without section mappings; Program segment: 0x8000
Source: classification engine; Classification label: mal60.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ (reported twice)
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /tmp/Space.arm6.elf (PID: 5529); File opened: /proc/<pid>/status for 105 PIDs, in the order reported: 110, 231, 111, 112, 233, 113, 114, 235, 115, 1333, 116, 1695, 117, 118, 119, 911, 914, 3876, 10, 917, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1591, 120, 121, 1, 122, 243, 2, 123, 3, 124, 1588, 125, 4, 246, 126, 5, 127, 6, 1585, 128, 7, 129, 8, 800, 9, 802, 803, 804, 20, 21, 3407, 22, 23, 24, 25, 26, 27, 28, 29, 1484, 490, 250, 130, 251, 131, 132, 133, 1479, 378, 258, 259, 931, 1595, 812, 933, 30, 3419, 35, 3310, 260, 261, 262, 142, 263, 264, 265, 145, 266, 267, 268, 3303, 269, 1486, 1806, 3440, 270
This is the behaviour behind the signature "Enumerates processes within the "proc" file system": the sample walks /proc and reads the status file of every process it finds, including kernel threads (PIDs 2 to 30) and init (PID 1).
Source: Space.arm6.elf; Submission file: segment LOAD with 7.9737 entropy (max. 8.0)
Source: /tmp/Space.arm6.elf (PID: 5529); Queries kernel information via 'uname'
Source: Space.arm6.elf, 5529.1.0000559dc96e5000.0000559dc98d3000.rw-.sdmp (and the same region in PIDs 5532, 5534, 5542); Binary or memory string: U!/etc/qemu-binfmt/arm
Source: Space.arm6.elf, 5529.1.00007ffcf73be000.00007ffcf73df000.rw-.sdmp (and the same region in PIDs 5532, 5534, 5542); Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Space.arm6.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Space.arm6.elf
Source: Space.arm6.elf, 5529.1.0000559dc96e5000.0000559dc98d3000.rw-.sdmp (and the same region in PIDs 5532, 5534, 5542); Binary or memory string: /etc/qemu-binfmt/arm
Source: Space.arm6.elf, 5529.1.00007ffcf73be000.00007ffcf73df000.rw-.sdmp (and the same region in PIDs 5532, 5534, 5542); Binary or memory string: /usr/bin/qemu-arm

Caveat: the analysis system is x86_64 (see the analysis system description) and the sample is an ARM build, so it was executed through the qemu-arm user-mode emulator registered via binfmt_misc. The qemu paths and the environment block above (SUDO_USER, PATH, DISPLAY, HOME, ...) belong to the emulator process and the analyst's shell, not to the sample; the .rw- regions at 0x0000559d... and 0x00007ffc... are the x86_64 emulator's own data and stack mappings, whereas the Yara hits landed in the emulated guest image at 0x00007f6244017000. Treat these strings as sandbox artefacts, not as indicators.
MITRE ATT&CK matrix (Tactic: Technique)
Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Windows Management Instrumentation
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: 11 Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping
Discovery: 11 Security Software Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: 1 Non-Standard Port
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
No configs have been found
Behavior Graph ID: 1665364
Sample: Space.arm6.elf
Start date: 15/04/2025
Architecture: LINUX
Score: 60
Network: 107.173.143.15, ports 3778, 58300, 58302, AS-COLOCROSSINGUS, United States
Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sample is packed with UPX
Process tree: Space.arm6.elf started; it started three child Space.arm6.elf processes, and the first of those started two further Space.arm6.elf processes.
Source | Detection | Scanner | Label
Space.arm6.elf | 45% | Virustotal |
Space.arm6.elf | 50% | ReversingLabs | Linux.Trojan.Mirai
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Space.arm6.elf | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    107.173.143.15 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
            Context for IP 107.173.143.15 (Associated Sample Name / URL | Detection | Threat Name)
            Space.sh4.elf | malicious | Unknown
            Space.x86.elf | malicious | Unknown
            Space.m68k.elf | malicious | Mirai
            Space.mips.elf | malicious | Unknown
            No context
            Context for ASN AS-COLOCROSSINGUS (Associated Sample Name / URL | Detection | Threat Name | Context IP)
            Space.sh4.elf | malicious | Unknown | 107.173.143.15
            Space.x86.elf | malicious | Unknown | 107.173.143.15
            Space.m68k.elf | malicious | Mirai | 107.173.143.15
            Space.mips.elf | malicious | Unknown | 107.173.143.15
            ORDER-25013-67789543AX.vbs | malicious | WSHRat, DarkTortilla | 104.168.7.12
            ORDER-2504014-0054739AP.vbs | malicious | WSHRat, DarkTortilla | 172.245.208.13
            15042025Payment .xls | malicious | Unknown | 172.245.208.21
            15042025Payment .xls | malicious | Unknown | 172.245.208.21
            ORDER#250944.XLS.vbs | malicious | Caesium Obfuscator, STRRAT | 172.245.208.13
            15042025Payment .xls | malicious | Unknown | 172.245.208.21
            No created / dropped files found
            File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
            Entropy (8bit):7.971922427628843
            TrID:
            • ELF Executable and Linkable format (generic) (4004/1) 100.00%
            File name:Space.arm6.elf
            File size:44'592 bytes
            MD5:0f1bbf74ef43b2da343204026b6ad315
            SHA1:4850b0be796f3a51360713a5ec98b395a9c47d2a
            SHA256:e99fa4bfe123332cfa1a3094a6cec18c6a00e76121f71a0949d3e812bc4b9098
            SHA512:74be45e78f374834c83c12431c44a0f1123e2309ee7d40fc5a1f36ea69021756e218133723cd28e5a572002c027a7e1b616347aaf156f8414c01a41b870fe7e2
            SSDEEP:768:3/ZyKJoofyfTtMLfclRAAO+jVbumZnLM3XgcTaWS5HOFz8Vg9OQM9q3UELL:hbjjOAgfnLGRMOSOzLL
            TLSH:4913F1B65E97DC3BC5A9B93D98A44AC70F1B34FDB4FCE042A02586791DF1009A7B1847
            File Content Preview:.ELF..............(.........4...........4. ...(.........................................H...H...H...................Q.td...............................OUPX!...................._..........?.E.h;....#..$.......L..T.|..r.F..ZS..n.8.I+.e......rQN..D....I.:#/.

            ELF header

            Class:ELF32
            Data:2's complement, little endian
            Version:1 (current)
            Machine:ARM
            Version Number:0x1
            Type:EXEC (Executable file)
            OS/ABI:UNIX - Linux
            ABI Version:0
            Entry Point Address:0x11af8
            Flags:0x4000002
            ELF Header Size:52
            Program Header Offset:52
            Program Header Size:32
            Number of Program Headers:3
            Section Header Offset:0
            Section Header Size:40
            Number of Section Headers:0
            Header String Table Index:0
            Program headers
            Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
            LOAD | 0x0 | 0x8000 | 0x8000 | 0xace5 | 0xace5 | 7.9737 | 0x5 | R E | 0x8000 | |
            LOAD | 0xb48 | 0x20b48 | 0x20b48 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8000 | |
            GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |
            Network traffic (TCP)
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 15, 2025 14:08:05.945521116 CEST | 58300 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:06.079188108 CEST | 3778 | 58300 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:07.091286898 CEST | 58302 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:07.225352049 CEST | 3778 | 58302 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:12.280703068 CEST | 58304 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:12.414937019 CEST | 3778 | 58304 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:13.418808937 CEST | 58306 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:13.553046942 CEST | 3778 | 58306 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:14.227405071 CEST | 58308 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:14.361654043 CEST | 3778 | 58308 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:20.555783033 CEST | 58310 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:20.689591885 CEST | 3778 | 58310 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:23.365098953 CEST | 58312 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:23.499417067 CEST | 3778 | 58312 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:29.691972017 CEST | 58314 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:29.826524973 CEST | 3778 | 58314 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:32.503277063 CEST | 58316 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:32.637418985 CEST | 3778 | 58316 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:37.640266895 CEST | 58318 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:37.780673027 CEST | 3778 | 58318 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:38.829390049 CEST | 58320 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:38.967926979 CEST | 3778 | 58320 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:43.970808983 CEST | 58322 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:44.111143112 CEST | 3778 | 58322 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:45.783154964 CEST | 58324 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:45.924556971 CEST | 3778 | 58324 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:49.927115917 CEST | 58326 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:50.060605049 CEST | 3778 | 58326 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:52.113454103 CEST | 58328 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:52.247674942 CEST | 3778 | 58328 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:56.250118017 CEST | 58330 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:56.383645058 CEST | 3778 | 58330 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:08:57.062695980 CEST | 58332 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:08:57.196423054 CEST | 3778 | 58332 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:02.198319912 CEST | 58334 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:02.332515001 CEST | 3778 | 58334 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:03.385720015 CEST | 58336 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:03.519231081 CEST | 3778 | 58336 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:05.335002899 CEST | 58338 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:05.468869925 CEST | 3778 | 58338 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:08.521279097 CEST | 58340 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:08.655270100 CEST | 3778 | 58340 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:11.657697916 CEST | 58342 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:11.791718006 CEST | 3778 | 58342 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:13.471282959 CEST | 58344 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:13.605030060 CEST | 3778 | 58344 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:18.608057022 CEST | 58346 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:18.741642952 CEST | 3778 | 58346 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:19.794848919 CEST | 58348 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:19.928992033 CEST | 3778 | 58348 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:21.744585991 CEST | 58350 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:21.878703117 CEST | 3778 | 58350 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:24.931979895 CEST | 58352 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:25.066555977 CEST | 3778 | 58352 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:27.882302046 CEST | 58354 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:28.016827106 CEST | 3778 | 58354 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:28.069214106 CEST | 58356 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:28.202965975 CEST | 3778 | 58356 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:32.019412041 CEST | 58358 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:32.153337002 CEST | 3778 | 58358 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:34.205682993 CEST | 58360 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:34.339498043 CEST | 3778 | 58360 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:36.155559063 CEST | 58362 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:36.291712046 CEST | 3778 | 58362 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:38.294475079 CEST | 58364 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:38.342952013 CEST | 58366 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:38.428719997 CEST | 3778 | 58364 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:38.476969957 CEST | 3778 | 58366 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:42.480345011 CEST | 58368 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:42.615302086 CEST | 3778 | 58368 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:44.432602882 CEST | 58370 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:44.566895008 CEST | 3778 | 58370 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:44.618416071 CEST | 58372 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:44.752449989 CEST | 3778 | 58372 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:45.570075989 CEST | 58374 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:45.704355955 CEST | 3778 | 58374 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:46.707285881 CEST | 58376 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:46.841038942 CEST | 3778 | 58376 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:50.755017042 CEST | 58378 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:50.889267921 CEST | 3778 | 58378 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:51.891571045 CEST | 58380 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:52.025368929 CEST | 3778 | 58380 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:53.028167009 CEST | 58382 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:53.162225962 CEST | 3778 | 58382 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:55.844225883 CEST | 58384 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:09:55.981106997 CEST | 3778 | 58384 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:09:59.983594894 CEST | 58386 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:00.117252111 CEST | 3778 | 58386 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:01.119735956 CEST | 58388 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:01.253595114 CEST | 3778 | 58388 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:02.164661884 CEST | 58390 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:02.298878908 CEST | 3778 | 58390 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:05.255356073 CEST | 58392 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:05.389703035 CEST | 3778 | 58392 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:06.301198006 CEST | 58394 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:06.391468048 CEST | 58396 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:06.435317039 CEST | 3778 | 58394 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:06.525815964 CEST | 3778 | 58396 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:07.437489986 CEST | 58398 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:07.571249962 CEST | 3778 | 58398 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:11.573678970 CEST | 58400 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:11.707324982 CEST | 3778 | 58400 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:12.710141897 CEST | 58402 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:12.843841076 CEST | 3778 | 58402 | 107.173.143.15 | 192.168.2.15
            Apr 15, 2025 14:10:13.527503967 CEST | 58404 | 3778 | 192.168.2.15 | 107.173.143.15
            Apr 15, 2025 14:10:13.661390066 CEST | 3778 | 58404 | 107.173.143.15 | 192.168.2.15

            System Behavior

            Start time (UTC):12:08:04
            Start date (UTC):15/04/2025
            Path:/tmp/Space.arm6.elf
            Arguments:/tmp/Space.arm6.elf
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

            Start time (UTC):12:08:04
            Start date (UTC):15/04/2025
            Path:/tmp/Space.arm6.elf
            Arguments:-
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

            Start time (UTC):12:08:04
            Start date (UTC):15/04/2025
            Path:/tmp/Space.arm6.elf
            Arguments:-
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

            Start time (UTC):12:08:04
            Start date (UTC):15/04/2025
            Path:/tmp/Space.arm6.elf
            Arguments:-
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

            Start time (UTC):12:08:10
            Start date (UTC):15/04/2025
            Path:/tmp/Space.arm6.elf
            Arguments:-
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

            Start time (UTC):12:08:10
            Start date (UTC):15/04/2025
            Path:/tmp/Space.arm6.elf
            Arguments:-
            File size:4956856 bytes
            MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1