Edit tour

Linux Analysis Report
morte.arm7.elf

Overview

General Information

Sample name:	morte.arm7.elf
Analysis ID:	1729415
Has dependencies:	false
MD5:	0e9c8661a3a28d55c85d6f0be9e3fb3c
SHA1:	e8a7a2ab718cc6800439248dd3a1fcd61c2d6b07
SHA256:	9020dd20952d369c689cd9f496fea4942ac6042ece5568abc833495a93253d91
Tags:	elfupxuser-abuse_ch
Infos:

Detection

Mirai, Xmrig

Score:	100
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Xmrig cryptocurrency miner

Deletes system log files

Drops files in suspicious directories

Drops invisible ELF files

Found strings related to Crypto-Mining

Manipulation of devices in /dev

Sample deletes itself

Sample is packed with UPX

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes shell script file to disk with an unusual file extension

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1729415
Start date and time:	2025-07-06 08:08:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	morte.arm7.elf
Detection:	MAL
Classification:	mal100.troj.evad.mine.linELF@0/7@0/0

Warnings

Connection to analysis system has been lost, crash info: Unknown

Runtime Messages

Command:	/tmp/morte.arm7.elf
PID:	5572
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

morte.arm7.elf (PID: 5572, Parent: 5487, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/morte.arm7.elf

morte.arm7.elf New Fork (PID: 5574, Parent: 5572)

morte.arm7.elf New Fork (PID: 5576, Parent: 5574)

morte.arm7.elf New Fork (PID: 5582, Parent: 5576)

sh (PID: 5582, Parent: 5576, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cp /tmp/morte.arm7.elf /usr/bin/.sh"

sh New Fork (PID: 5587, Parent: 5582)

cp (PID: 5587, Parent: 5582, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /tmp/morte.arm7.elf /usr/bin/.sh

morte.arm7.elf New Fork (PID: 5588, Parent: 5576)

morte.arm7.elf New Fork (PID: 5590, Parent: 5588)

morte.arm7.elf New Fork (PID: 5592, Parent: 5588)

gvfsd-fuse New Fork (PID: 5598, Parent: 3147)

fusermount (PID: 5598, Parent: 3147, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs

Xorg New Fork (PID: 5604, Parent: 1371)

sh (PID: 5604, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5615, Parent: 5604)

xkbcomp (PID: 5615, Parent: 5604, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

Xorg New Fork (PID: 5619, Parent: 1371)

sh (PID: 5619, Parent: 1371, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""

sh New Fork (PID: 5620, Parent: 5619)

xkbcomp (PID: 5620, Parent: 5619, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name	Description	Attribution	Blogpost URLs	Link
XMRIG		No Attribution	https://www.aquasec.com/blog/container-security-tnt-container-attack/ https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
5576.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5576.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5574.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5574.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5588.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5588.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5592.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5592.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
5572.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
5572.1.00007f3028017000.00007f3028034000.r-x.sdmp	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.arm7.elf PID: 5572	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.arm7.elf PID: 5572	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.arm7.elf PID: 5574	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.arm7.elf PID: 5574	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.arm7.elf PID: 5576	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.arm7.elf PID: 5576	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.arm7.elf PID: 5588	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.arm7.elf PID: 5588	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Process Memory Space: morte.arm7.elf PID: 5592	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: morte.arm7.elf PID: 5592	JoeSecurity_Mirai_3	Yara detected Mirai	Joe Security
Click to see the 15 entries

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: morte.arm7.elf	Virustotal: Detection: 25%			Perma Link
Source: morte.arm7.elf	ReversingLabs: Detection: 33%

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 5576.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5574.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5588.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5592.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5572.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5574, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5592, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: morte.arm7.elf, 5572.1.00007f3028017000.00007f3028034000.r-x.sdmp

String found in binary or memory: cryptonight

Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:1338	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:1111	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:1213	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:1234	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:333	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:666	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:777	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:9999	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:5656	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:8585	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:6363	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:6969	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:3779	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:3778	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:38273	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:10345	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:23455	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:1991	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:21769	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:42352	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:48101	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:39182	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:47767	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:6667	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:1337	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:4321	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:232	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	Socket: 0.0.0.0:24136	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:37510 -> 65.222.202.53:80

Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53
Source: unknown	TCP traffic detected without corresponding DNS query: 65.222.202.53

Source: morte.arm7.elf, .sh.18.dr

String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x8000

Source: /tmp/morte.arm7.elf (PID: 5588)	SIGKILL sent: pid: 1399, result: successful	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	SIGKILL sent: pid: 1399, result: no such process	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	SIGKILL sent: pid: 2991, result: successful	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5588)	SIGKILL sent: pid: 2991, result: no such process	Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.mine.linELF@0/7@0/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/morte.arm7.elf (PID: 5592)	Deleted: /dev/null			Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5592)	Deleted: /dev/kmsg			Jump to behavior

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /bin/fusermount (PID: 5598)

File: /proc/5598/mounts

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/morte.arm7.elf (PID: 5576)

File: /etc/rc2.d/S99sysd -> /etc/init.d/sysd

Jump to behavior

Sample tries to set files in /etc globally writable

Source: /tmp/morte.arm7.elf (PID: 5576)

File: /etc/init.d/sysd (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /usr/bin/cp (PID: 5587)

File: /usr/bin/.sh

Jump to behavior

Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3760/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1583/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/2672/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3759/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1577/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3757/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3758/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1593/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3094/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3406/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1589/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3402/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/801/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/806/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/807/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/928/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/135/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1599/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/3412/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/1371/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/260/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/261/cmdline	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5576)	File opened: /proc/262/cmdline	Jump to behavior

Source: /tmp/morte.arm7.elf (PID: 5582)	Shell command executed: /bin/sh -c "cp /tmp/morte.arm7.elf /usr/bin/.sh"	Jump to behavior
Source: /usr/lib/xorg/Xorg (PID: 5604)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior
Source: /usr/lib/xorg/Xorg (PID: 5619)	Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""	Jump to behavior

Source: /tmp/morte.arm7.elf (PID: 5576)

File: /etc/init.d/sysd (bits: - usr: rx grp: rx all: rwx)

Jump to behavior

Source: /usr/bin/cp (PID: 5587)

File written: /usr/bin/.sh

Jump to dropped file

Source: /tmp/morte.arm7.elf (PID: 5576)

Writes shell script file to disk with an unusual file extension: /etc/init.d/sysd

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/morte.arm7.elf (PID: 5592)	Log files deleted: /var/log/kern.log	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5592)	Log files deleted: /var/log/Xorg.1.log	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5592)	Log files deleted: /var/log/auth.log	Jump to behavior
Source: /tmp/morte.arm7.elf (PID: 5592)	Log files deleted: /var/log/Xorg.0.log	Jump to behavior

Drops files in suspicious directories

Source: /tmp/morte.arm7.elf (PID: 5576)	File: /etc/init.d/sysd			Jump to dropped file
Source: /usr/bin/cp (PID: 5587)	File: /usr/bin/.sh			Jump to dropped file

Drops invisible ELF files

Source: /usr/bin/cp (PID: 5587)

ELF file: /usr/bin/.sh

Jump to dropped file

Sample deletes itself

Source: /tmp/morte.arm7.elf (PID: 5588)

File: /tmp/morte.arm7.elf

Jump to behavior

Source: morte.arm7.elf	Submission file: segment LOAD with 7.979 entropy (max. 8.0)
Source: .sh.18.dr	Dropped file: segment LOAD with 7.979 entropy (max. 8.0)

Source: /tmp/morte.arm7.elf (PID: 5572)

Queries kernel information via 'uname':

Jump to behavior

Source: morte.arm7.elf, 5592.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_726-2957583432
Source: morte.arm7.elf, 5588.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: vmware
Source: morte.arm7.elf, 5576.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5588.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5592.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp	Binary or memory string: V/tmp/qemu-open.umBfpN
Source: morte.arm7.elf, 5592.1.00007f302804a000.00007f3028058000.rw-.sdmp	Binary or memory string: )/var/lib/vmware/VGAuth/aliasStore
Source: morte.arm7.elf, 5588.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: vmware
Source: morte.arm7.elf, 5592.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: /var/lib/vmware
Source: morte.arm7.elf, 5592.1.00007f302803c000.00007f3028049000.rw-.sdmp	Binary or memory string: )/tmp/vmware-root_726-2957583432(
Source: morte.arm7.elf, 5592.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: !/var/lib/vmware
Source: morte.arm7.elf, 5592.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: !/var/lib/vmware/VGAuthh1/var/lib/vmware/VGAuth/aliasStore
Source: morte.arm7.elf, 5572.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5574.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5576.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5588.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5592.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: morte.arm7.elf, 5592.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth
Source: morte.arm7.elf, 5572.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5574.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5576.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5588.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp, morte.arm7.elf, 5592.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: morte.arm7.elf, 5572.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5574.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5576.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5588.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5592.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: morte.arm7.elf, 5592.1.00007f302804a000.00007f3028058000.rw-.sdmp	Binary or memory string: !/var/lib/os-prober )/var/lib/vmware/VGAuth/aliasStore
Source: morte.arm7.elf, 5592.1.00007f302804a000.00007f3028058000.rw-.sdmp	Binary or memory string: )/tmp/vmware-root_726-2957583432@
Source: morte.arm7.elf, 5592.1.00007f302804a000.00007f3028058000.rw-.sdmp	Binary or memory string: /var/lib/vmware)/var/lib/vmware/VGAuth(9/var/lib/snapd/assertions/asserts-v0/snap-revision9/var/lib/snapd/assertions/asserts-v0/account-keyy/var/lib/snapd/assertions/asserts-v0/snap-revision/hnvTLhkVJJTVgiIlyOAxoLS7W3M1lfN2cmBfkCc4lxwYkw5vz2TS4SThilA_tY68!/var/log/dist-upgrade
Source: morte.arm7.elf, 5592.1.00005602d4ab0000.00005602d4c1e000.rw-.sdmp	Binary or memory string: V!/proc/2/exe1/var/lib/snapd/apparmor/snap-confine!/proc/3/exe1/var/lib/snapd/environment/exe!/proc/4/exe1/var/lib/snapd/desktop/bash-completion!/proc/5/exe1/var/lib/snapd/desktop/applications!/proc/6/exe1/tmp/vmware-root_726-2957583432!/proc/250/exe
Source: morte.arm7.elf, 5576.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5588.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5592.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.umBfpN
Source: morte.arm7.elf, 5592.1.00005602d4c1e000.00005602d4c3e000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: morte.arm7.elf, 5572.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5574.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5576.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5588.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp, morte.arm7.elf, 5592.1.00007ffd221d7000.00007ffd221f8000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/morte.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/morte.arm7.elf
Source: morte.arm7.elf, 5592.1.00007f302804a000.00007f3028058000.rw-.sdmp	Binary or memory string: !/var/lib/vmware/VGAuthI/var/lib/systemd/deb-systemd-helper-enabled/rescue.target.wants

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5576.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5574.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5588.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5592.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5572.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5574, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5592, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5576.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5574.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5588.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5592.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5572.1.00007f3028017000.00007f3028034000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5574, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: morte.arm7.elf PID: 5592, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	1 Data Manipulation
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
morte.arm7.elf	25%	Virustotal		Browse
morte.arm7.elf	33%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/etc/init.d/sysd	0%	Virustotal		Browse
/usr/bin/.sh	33%	ReversingLabs	Linux.Backdoor.Mirai
/usr/bin/.sh	25%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	morte.arm7.elf, .sh.18.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.222.202.53	unknown	United States		394096	CAPEREGIONALHEALTHSYSTEMUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
65.222.202.53	morte.ppc.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.spc.elf	Get hash	malicious	Mirai, Xmrig	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CAPEREGIONALHEALTHSYSTEMUS	morte.ppc.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.mips.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53
	morte.spc.elf	Get hash	malicious	Mirai, Xmrig	Browse	65.222.202.53

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
/etc/init.d/sysd	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.ppc.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse
	debug.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm7.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.x86_64.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.arm.elf	Get hash	malicious	Mirai, Xmrig	Browse
	morte.sh4.elf	Get hash	malicious	Mirai, Xmrig	Browse

Created / dropped Files

/etc/init.d/sysd

Download File

Process:	/tmp/morte.arm7.elf
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.5892750707107135
Encrypted:	false
SSDEEP:	3:TKH4v09vzn:hw
MD5:	997CB34FF6E6CDED70B841C0D16C0938
SHA1:	CC85C16E2FB441D86AA668F376CA7FB4B181F1AB
SHA-256:	BA1D50D125344F273C249426CCD744D5A12E560ACE41CCA4BC55BD2D4A718D8F
SHA-512:	1E775CA8513F2841B6A8E369071B28C48489AB6462D06525F9B6B2BF97E9C043562BD7E0217307ED64A95217A76A94A08189616831C9D3127C6B91B7544570C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.ppc.elf, Detection: malicious, Browse Filename: morte.sh4.elf, Detection: malicious, Browse Filename: debug.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.arm7.elf, Detection: malicious, Browse Filename: morte.x86_64.elf, Detection: malicious, Browse Filename: morte.arm.elf, Detection: malicious, Browse Filename: morte.arm.elf, Detection: malicious, Browse Filename: morte.sh4.elf, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	#!/bin/sh./usr/bin/.sh &.

/tmp/qemu-open.umBfpN (deleted)

Download File

Process:	/tmp/morte.arm7.elf
File Type:	data
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.5841837197791886
Encrypted:	false
SSDEEP:	3:TgnRAiTG:TgnRAcG
MD5:	1D4597466DDBF682D38AFBB7B65D3B18
SHA1:	2599983BFE818CF189424DEDCF924F1F693F9D12
SHA-256:	50656C99A700312EDA073E6600C56264B0453EF23DFA2778E14FDA81CD16EA19
SHA-512:	1DA8280C401503D521852A2D9D2466F99D435DC8AE9DC19710A64ED19588EB55E2711AB41D8E878D04259574C525BD2F29AD4746BC6C6AE13836D1460E7FF859
Malicious:	false
Reputation:	low
Preview:	/tmp/morte.arm7.elf.

/tmp/server-0.xkm

Download File

Process:	/usr/bin/xkbcomp
File Type:	Compiled XKB Keymap: lsb, version 15
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	5.111453573529468
Encrypted:	false
SSDEEP:	96:5/DyE212zg/Jm3XEIr8llE4CwRvFhJvEXJRgsmEFaTa:tDyb2zOmnECQmww
MD5:	E25C5715C17078F7367E65D54CD5AE7F
SHA1:	D9E95B061E7C20FE56E2B2BC4A4FA904596E1BC1
SHA-256:	390E9784127FC99C105C6E04B41378F582238780716B04895D3216959701A7AF
SHA-512:	0FB4F11247D99B296E72DDB46D063B0DAABF8CEC75FF04364617362B3468CCC022B146E396EBAF494CC6A0E7F1FB011FCA9DBE52F83B29D1F6703C098298A54D
Malicious:	false
Reputation:	low
Preview:	.mkx..............D.......................h.......<.....P.@%.......&......D.......NumLock.....Alt.....LevelThree..LAlt....RAlt....RControl....LControl....ScrollLock..LevelFive...AltGr...Meta....Super...Hyper...........evdev+aliases(qwerty)...!.....ESC.AE01AE02AE03AE04AE05AE06AE07AE08AE09AE10AE11AE12BKSPTAB.AD01AD02AD03AD04AD05AD06AD07AD08AD09AD10AD11AD12RTRNLCTLAC01AC02AC03AC04AC05AC06AC07AC08AC09AC10AC11TLDELFSHBKSLAB01AB02AB03AB04AB05AB06AB07AB08AB09AB10RTSHKPMULALTSPCECAPSFK01FK02FK03FK04FK05FK06FK07FK08FK09FK10NMLKSCLKKP7.KP8.KP9.KPSUKP4.KP5.KP6.KPADKP1.KP2.KP3.KP0.KPDLLVL3....LSGTFK11FK12AB11KATAHIRAHENKHKTGMUHEJPCMKPENRCTLKPDVPRSCRALTLNFDHOMEUP..PGUPLEFTRGHTEND.DOWNPGDNINS.DELEI120MUTEVOL-VOL+POWRKPEQI126PAUSI128I129HNGLHJCVAE13LWINRWINCOMPSTOPAGAIPROPUNDOFRNTCOPYOPENPASTFINDCUT.HELPI147I148I149I150I151I152I153I154I155I156I157I158I159I160I161I162I163I164I165I166I167I168I169I170I171I172I173I174I175I176I177I178I179I180I181I182I183I184I185I186I187I188I189I190FK13FK14FK15FK16FK17FK18

/tmp/server-0.xkm (deleted)

Download File

Process:	/usr/bin/xkbcomp
File Type:	data
Category:	dropped
Size (bytes):	7964
Entropy (8bit):	4.445134545753843
Encrypted:	false
SSDEEP:	192:eVFfLaSLus4UVcqLkjoqdD//HJeCQ1+JdDx0s2T:8Ff+S6tUzmp7/1MJ
MD5:	F56EFBEDAF34ED68117AC764FE0F9883
SHA1:	922926245BECBB231692B58C71E63C91FD798E72
SHA-256:	F7B27416182331623CD2773CABCB8B25E91D31D4243F16AE09F9C9E63869DE55
SHA-512:	F364C5F688BEA7D07291813186311DCF65BC5C3F7600D286BF553E6955EE418A1D8884B5B71E550DFB282FA9B3BF71E3B0A009E1DD41C983612AB4D4676E1062
Malicious:	false
Reputation:	low
Preview:	..Shift Alt...Ctrl+Alt..................................".SEPARATE_CAPS_AND_SHIFT_ALPHABETIC..........................Base....Shift...AltGr Base..Shift AltGr.........................................FOUR_LEVEL_PLUS_LOCK....Base....Shift...Alt Base....Shift Alt...Lock....................................FOUR_LEVEL_KEYPAD...Base....Number..Alt Base....Alt Number......h...complete..{...................................................................................................................................................................................................................................................................................................~.......................................................................................................................................................................................................................................................................................................................................

/usr/bin/.sh

Download File

Process:	/usr/bin/cp
File Type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Category:	dropped
Size (bytes):	69300
Entropy (8bit):	7.986799652140704
Encrypted:	false
SSDEEP:	1536:8mULL2Tuj0OVfNmaUl/u+sCRzDsv3o5LNWQh+ecYY1h63Z:+LLBgOV1nkd5dDwSLAJAag3Z
MD5:	0E9C8661A3A28D55C85D6F0BE9E3FB3C
SHA1:	E8A7A2AB718CC6800439248DD3A1FCD61C2D6B07
SHA-256:	9020DD20952D369C689CD9F496FEA4942AC6042ECE5568ABC833495A93253D91
SHA-512:	10BE1ACBDE7C8C197B068F812BB00539FC7ABB9FA43E1D1051C8DAA9143E3CDB04AF518152EAADD772B56FA05E38A6AC816BFF1A63BB407839D73C72D7C46B54
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33% Antivirus: Virustotal, Detection: 25%, Browse
Reputation:	low
Preview:	.ELF..............(......3..4...........4. ...(.........................................(...(...(...................Q.td............................?..`UPX!........1...1.......m..........?.E.h;...#..$...o...d.\|....\o..`yI..?..P$f.1;T?J....\.....E<....1.....d..Z.?'...1..>..d......... ........P........m...t.O.&.e....A....G.$oP....Z..$..X..i........%.A%......B.....&........J..i....;....p.,.....v..Y...#........B..ly...<..N....(...,.I..F+x....oV.<.eY..7..+..rvc(.].T.......=.../.m.e..xZ.J;b..6..W......,............]doy.I.c...q........Q2~.h...}..;,.tT..,qUBs.`+..K.gf...H.@.@.>......J.P...2..c.fZ.`.....~6..<S.4[....7[./...}....C.Y{.Wu...$........)._....)FT.R..n.s[.Fa .u.s..P.O.A...o.waN...+....\|\ wlFv.k#..Q.....#.Lc.".t).c...........S=...(+...\...6i..&-....y...Gd.q.............0.K.88........r/....I5.M...D...2..).}Z......^..y~...u...e@....?...Q.v.Q...ac..2>.h.cd...w..)6...;V%...D[.M.... .{M>.[..&...k..L.?.E^.3.....M3.......3....i.......8.....M

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):	7.986799652140704
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	morte.arm7.elf
File size:	69'300 bytes
MD5:	0e9c8661a3a28d55c85d6f0be9e3fb3c
SHA1:	e8a7a2ab718cc6800439248dd3a1fcd61c2d6b07
SHA256:	9020dd20952d369c689cd9f496fea4942ac6042ece5568abc833495a93253d91
SHA512:	10be1acbde7c8c197b068f812bb00539fc7abb9fa43e1d1051c8daa9143e3cdb04af518152eaadd772b56fa05e38a6ac816bff1a63bb407839d73c72d7c46b54
SSDEEP:	1536:8mULL2Tuj0OVfNmaUl/u+sCRzDsv3o5LNWQh+ecYY1h63Z:+LLBgOV1nkd5dDwSLAJAag3Z
TLSH:	E4630234EA1A35B2B850493D9D205B21AE657FFFE06E35E0303442BDAD87E26CE1D503
File Content Preview:	.ELF..............(......3..4...........4. ...(.........................................(...(...(...................Q.td............................?..`UPX!........1...1.......m..........?.E.h;....#..$...o....d.\|.....\o...`yI..?..P$f..1;T?J....\......E<..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x133d8
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0xc5c5	0xc5c5	7.9790	0x5	R E	0x8000
LOAD	0x528	0x38528	0x38528	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2025 08:09:29.566804886 CEST	37510	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:09:30.573822975 CEST	37510	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:09:32.589802980 CEST	37510	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:09:36.781672955 CEST	37510	80	192.168.2.14	65.222.202.53
Jul 6, 2025 08:09:41.784868002 CEST	37512	80	192.168.2.14	65.222.202.53

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2025 08:09:29.125473976 CEST	51435	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:29.211020947 CEST	53	51435	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:29.219064951 CEST	59928	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:29.304766893 CEST	53	59928	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:29.306346893 CEST	49941	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:29.391823053 CEST	53	49941	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:29.393618107 CEST	52720	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:29.479079962 CEST	53	52720	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:29.480463982 CEST	41090	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:29.565886974 CEST	53	41090	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:41.343792915 CEST	39835	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:41.429277897 CEST	53	39835	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:41.430270910 CEST	48259	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:41.516103983 CEST	53	48259	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:41.517116070 CEST	41518	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:41.603018045 CEST	53	41518	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:41.604106903 CEST	56668	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:41.689781904 CEST	53	56668	8.8.8.8	192.168.2.14
Jul 6, 2025 08:09:41.690764904 CEST	39735	53	192.168.2.14	8.8.8.8
Jul 6, 2025 08:09:41.777486086 CEST	53	39735	8.8.8.8	192.168.2.14

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 6, 2025 08:09:30.903182030 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable
Jul 6, 2025 08:10:50.914479017 CEST	192.168.2.14	192.168.2.1	827a	(Port unreachable)	Destination Unreachable

System Behavior

Analysis Process: morte.arm7.elf PID: 5572, Parent PID: 5487

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	/tmp/morte.arm7.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5574, Parent PID: 5572

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5576, Parent PID: 5574

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5582, Parent PID: 5576

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 5582, Parent PID: 5576

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	/bin/sh -c "cp /tmp/morte.arm7.elf /usr/bin/.sh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5587, Parent PID: 5582

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: cp PID: 5587, Parent PID: 5582

General

Start time (UTC):	06:09:21
Start date (UTC):	06/07/2025
Path:	/usr/bin/cp
Arguments:	cp /tmp/morte.arm7.elf /usr/bin/.sh
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5588, Parent PID: 5576

General

Start time (UTC):	06:09:22
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5590, Parent PID: 5588

General

Start time (UTC):	06:09:22
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5592, Parent PID: 5588

General

Start time (UTC):	06:09:22
Start date (UTC):	06/07/2025
Path:	/tmp/morte.arm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: gvfsd-fuse PID: 5598, Parent PID: 3147

General

Start time (UTC):	06:09:27
Start date (UTC):	06/07/2025
Path:	/usr/libexec/gvfsd-fuse
Arguments:	-
File size:	47632 bytes
MD5 hash:	d18fbf1cbf8eb57b17fac48b7b4be933

Chronological Activities

Analysis Process: fusermount PID: 5598, Parent PID: 3147

General

Start time (UTC):	06:09:27
Start date (UTC):	06/07/2025
Path:	/bin/fusermount
Arguments:	fusermount -u -q -z -- /run/user/1000/gvfs
File size:	39144 bytes
MD5 hash:	576a1b135c82bdcbc97a91acea900566

Chronological Activities

Analysis Process: Xorg PID: 5604, Parent PID: 1371

General

Start time (UTC):	06:09:27
Start date (UTC):	06/07/2025
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5604, Parent PID: 1371

General

Start time (UTC):	06:09:27
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5615, Parent PID: 5604

General

Start time (UTC):	06:09:27
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5615, Parent PID: 5604

General

Start time (UTC):	06:09:27
Start date (UTC):	06/07/2025
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Chronological Activities

Analysis Process: Xorg PID: 5619, Parent PID: 1371

General

Start time (UTC):	06:09:28
Start date (UTC):	06/07/2025
Path:	/usr/lib/xorg/Xorg
Arguments:	-
File size:	2448840 bytes
MD5 hash:	730cf4c45a7ee8bea88abf165463b7f8

Chronological Activities

Analysis Process: sh PID: 5619, Parent PID: 1371

General

Start time (UTC):	06:09:28
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5620, Parent PID: 5619

General

Start time (UTC):	06:09:28
Start date (UTC):	06/07/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: xkbcomp PID: 5620, Parent PID: 5619

General

Start time (UTC):	06:09:28
Start date (UTC):	06/07/2025
Path:	/usr/bin/xkbcomp
Arguments:	/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
File size:	217184 bytes
MD5 hash:	c5f953aec4c00d2a1cc27acb75d62c9b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
Tactics:	Impact
Data Sources:	File: File Creation, File: File Deletion, File: File Metadata, File: File Modification, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report morte.arm7.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/init.d/sysd

/tmp/qemu-open.umBfpN (deleted)

/tmp/server-0.xkm

/tmp/server-0.xkm (deleted)

/usr/bin/.sh

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

System Behavior

Analysis Process: morte.arm7.elf PID: 5572, Parent PID: 5487

General

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5574, Parent PID: 5572

General

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5576, Parent PID: 5574

General

Chronological Activities

Analysis Process: morte.arm7.elf PID: 5582, Parent PID: 5576

General

Chronological Activities

Linux Analysis Report
morte.arm7.elf