Linux Analysis Report
yS7c2Bzlu2.elf

Overview

General Information

Sample Name: yS7c2Bzlu2.elf
Analysis ID: 756319
MD5: 8e6aff3da112a5408390546bda8e6e6d
SHA1: f9cd20a46b0e506506c8a7eeddd4d5363cb2f720
SHA256: c5771288e2b0bfa97a91236682aefbc565998f4d040b825564f1f6da2e36e9eb
Tags: 32, arm, elf, gafgyt

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Yara signature match
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper that no longer works.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756319
Start date and time: 2022-11-30 01:13:37 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: yS7c2Bzlu2.elf
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal76.spre.troj.linELF@0/0@0/0
Command: /tmp/yS7c2Bzlu2.elf
PID: 6228
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate alot
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
yS7c2Bzlu2.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
yS7c2Bzlu2.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
    • 0x15b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15c9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15cb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15cc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
    • 0x15cd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
yS7c2Bzlu2.elf | Linux_Trojan_Gafgyt_6a510422 | unknown | unknown
    • 0x1b9e:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
yS7c2Bzlu2.elf | Linux_Trojan_Gafgyt_d2953f92 | unknown | unknown
    • 0x1aae:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
Source | Rule | Description | Author | Strings
6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
      • 0x15b48:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15b5c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15b70:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15b84:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15b98:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15bac:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15bc0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15bd4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15be8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15bfc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c10:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c24:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c38:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c4c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c60:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c74:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c88:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15c9c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15cb0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15cc4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
      • 0x15cd8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp | Linux_Trojan_Gafgyt_6a510422 | unknown | unknown
      • 0x1b9e:$a: 0B E5 24 30 1B E5 2C 30 0B E5 1C 00 00 EA 18 30 1B E5 00 30
6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp | Linux_Trojan_Gafgyt_d2953f92 | unknown | unknown
      • 0x1aae:$a: 1B E5 2A 00 53 E3 0A 00 00 0A 30 30 1B E5 3F 00 53 E3 23 00
6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
        No Snort rule has matched


        AV Detection

Source: yS7c2Bzlu2.elf | Avira: detected
Source: yS7c2Bzlu2.elf | ReversingLabs: Detection: 73%
Source: yS7c2Bzlu2.elf | Virustotal: Detection: 69%

        Spreading

Source: /tmp/yS7c2Bzlu2.elf (PID: 6228) | Opens: /proc/net/route
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:38500 -> 47.87.197.232:576
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232
Source: unknown | TCP traffic detected without corresponding DNS query: 47.87.197.232

        System Summary

Source: yS7c2Bzlu2.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: yS7c2Bzlu2.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: yS7c2Bzlu2.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: Process Memory Space: yS7c2Bzlu2.elf PID: 6228, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: yS7c2Bzlu2.elf PID: 6231, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: yS7c2Bzlu2.elf PID: 6232, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: yS7c2Bzlu2.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: yS7c2Bzlu2.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: yS7c2Bzlu2.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: Process Memory Space: yS7c2Bzlu2.elf PID: 6228, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: yS7c2Bzlu2.elf PID: 6231, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: yS7c2Bzlu2.elf PID: 6232, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal76.spre.troj.linELF@0/0@0/0
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: /home/landley/work/ab7/build/temp-armv6l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yS7c2Bzlu2.elf | ELF static info symbol of initial sample: libc/string/arm/_memcpy.S
Source: /tmp/yS7c2Bzlu2.elf (PID: 6228) | Queries kernel information via 'uname'
Source: yS7c2Bzlu2.elf, 6228.1.00005563cae39000.00005563caf88000.rw-.sdmp, yS7c2Bzlu2.elf, 6231.1.00005563cae39000.00005563caf88000.rw-.sdmp, yS7c2Bzlu2.elf, 6232.1.00005563cae39000.00005563caf88000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: yS7c2Bzlu2.elf, 6228.1.00005563cae39000.00005563caf88000.rw-.sdmp, yS7c2Bzlu2.elf, 6231.1.00005563cae39000.00005563caf88000.rw-.sdmp, yS7c2Bzlu2.elf, 6232.1.00005563cae39000.00005563caf88000.rw-.sdmp | Binary or memory string: cU!/etc/qemu-binfmt/arm
Source: yS7c2Bzlu2.elf, 6228.1.00007fffcb23a000.00007fffcb25b000.rw-.sdmp, yS7c2Bzlu2.elf, 6231.1.00007fffcb23a000.00007fffcb25b000.rw-.sdmp, yS7c2Bzlu2.elf, 6232.1.00007fffcb23a000.00007fffcb25b000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: yS7c2Bzlu2.elf, 6228.1.00007fffcb23a000.00007fffcb25b000.rw-.sdmp, yS7c2Bzlu2.elf, 6231.1.00007fffcb23a000.00007fffcb25b000.rw-.sdmp, yS7c2Bzlu2.elf, 6232.1.00007fffcb23a000.00007fffcb25b000.rw-.sdmp | Binary or memory string: !)x86_64/usr/bin/qemu-arm/tmp/yS7c2Bzlu2.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yS7c2Bzlu2.elf

        Stealing of Sensitive Information

Source: Yara match | File source: yS7c2Bzlu2.elf, type: SAMPLE
Source: Yara match | File source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Source: Initial sample | User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Initial sample | User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample | User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample | User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample | User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Source: Initial sample | User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

        Remote Access Functionality

Source: Yara match | File source: yS7c2Bzlu2.elf, type: SAMPLE
Source: Yara match | File source: 6231.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6232.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 6228.1.00007f2b1c017000.00007f2b1c030000.r-x.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | 1 Remote System Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
        No configs have been found
Source | Detection | Scanner | Label
yS7c2Bzlu2.elf | 73% | ReversingLabs | Linux.Trojan.Gafgyt
yS7c2Bzlu2.elf | 70% | Virustotal |
yS7c2Bzlu2.elf | 100% | Avira | LINUX/Gafgyt.opnd
        No Antivirus matches
        No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
47.87.197.232 | unknown | United States | 3209 | VODANET International IP-Backbone of Vodafone, DE | false
109.202.202.202 | unknown | Switzerland | 13030 | INIT7, CH | false
91.189.91.43 | unknown | United Kingdom | 41231 | CANONICAL-AS, GB | false
91.189.91.42 | unknown | United Kingdom | 41231 | CANONICAL-AS, GB | false
        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
        47.87.197.232p0hr6mFo4a.elfGet hashmaliciousBrowse
          109.202.202.202p0hr6mFo4a.elfGet hashmaliciousBrowse
            portainerGet hashmaliciousBrowse
              l.out.elfGet hashmaliciousBrowse
                SecuriteInfo.com.Linux.Siggen.4218.14490.21271.elfGet hashmaliciousBrowse
                  8LzAAQOA5F.elfGet hashmaliciousBrowse
                    GzQ3LRVbSB.elfGet hashmaliciousBrowse
                      QIsLuTv1ka.elfGet hashmaliciousBrowse
                        FIieajcRYe.elfGet hashmaliciousBrowse
                          o9epZmdr6x.elfGet hashmaliciousBrowse
                            auD8Kknsmc.elfGet hashmaliciousBrowse
                              7Cz3REBlrI.elfGet hashmaliciousBrowse
                                R2YElGmM5e.elfGet hashmaliciousBrowse
                                  sora.arm7.elfGet hashmaliciousBrowse
                                    sora.x86.elfGet hashmaliciousBrowse
                                      SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elfGet hashmaliciousBrowse
                                        sora.arm7.elfGet hashmaliciousBrowse
                                          sora.x86.elfGet hashmaliciousBrowse
                                            YziyrKNTFz.elfGet hashmaliciousBrowse
                                              9FrHfq70Fi.elfGet hashmaliciousBrowse
                                                CZr4ZXLsLeGet hashmaliciousBrowse
91.189.91.43
    p0hr6mFo4a.elf                                      malicious
    portainer                                           malicious
    l.out.elf                                           malicious
    SecuriteInfo.com.Linux.Siggen.4218.14490.21271.elf  malicious
    8LzAAQOA5F.elf                                      malicious
    GzQ3LRVbSB.elf                                      malicious
    QIsLuTv1ka.elf                                      malicious
    FIieajcRYe.elf                                      malicious
    o9epZmdr6x.elf                                      malicious
    auD8Kknsmc.elf                                      malicious
    7Cz3REBlrI.elf                                      malicious
    R2YElGmM5e.elf                                      malicious
    sora.arm7.elf                                       malicious
    sora.x86.elf                                        malicious
    SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elf   malicious
    sora.arm7.elf                                       malicious
    sora.x86.elf                                        malicious
    YziyrKNTFz.elf                                      malicious
    9FrHfq70Fi.elf                                      malicious
    CZr4ZXLsLe                                          malicious
                                                                                          No context
Match                                        Associated Sample Name / URL                        Detection    Context
CANONICAL-ASGB
    p0hr6mFo4a.elf                                      malicious    • 91.189.91.42
    portainer                                           malicious    • 91.189.91.42
    l.out.elf                                           malicious    • 91.189.91.42
    SecuriteInfo.com.Linux.Siggen.4218.14490.21271.elf  malicious    • 91.189.91.42
    8LzAAQOA5F.elf                                      malicious    • 91.189.91.42
    GzQ3LRVbSB.elf                                      malicious    • 91.189.91.42
    QIsLuTv1ka.elf                                      malicious    • 91.189.91.42
    FIieajcRYe.elf                                      malicious    • 91.189.91.42
    o9epZmdr6x.elf                                      malicious    • 91.189.91.42
    auD8Kknsmc.elf                                      malicious    • 91.189.91.42
    7Cz3REBlrI.elf                                      malicious    • 91.189.91.42
    R2YElGmM5e.elf                                      malicious    • 91.189.91.42
    sora.arm7.elf                                       malicious    • 91.189.91.42
    sora.x86.elf                                        malicious    • 91.189.91.42
    SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elf   malicious    • 91.189.91.42
    sora.arm7.elf                                       malicious    • 91.189.91.42
    sora.x86.elf                                        malicious    • 91.189.91.42
    YziyrKNTFz.elf                                      malicious    • 91.189.91.42
    9FrHfq70Fi.elf                                      malicious    • 91.189.91.42
    CZr4ZXLsLe                                          malicious    • 91.189.91.42
INIT7CH
    p0hr6mFo4a.elf                                      malicious    • 109.202.202.202
    portainer                                           malicious    • 109.202.202.202
    l.out.elf                                           malicious    • 109.202.202.202
    SecuriteInfo.com.Linux.Siggen.4218.14490.21271.elf  malicious    • 109.202.202.202
    8LzAAQOA5F.elf                                      malicious    • 109.202.202.202
    GzQ3LRVbSB.elf                                      malicious    • 109.202.202.202
    QIsLuTv1ka.elf                                      malicious    • 109.202.202.202
    FIieajcRYe.elf                                      malicious    • 109.202.202.202
    o9epZmdr6x.elf                                      malicious    • 109.202.202.202
    auD8Kknsmc.elf                                      malicious    • 109.202.202.202
    7Cz3REBlrI.elf                                      malicious    • 109.202.202.202
    R2YElGmM5e.elf                                      malicious    • 109.202.202.202
    sora.arm7.elf                                       malicious    • 109.202.202.202
    sora.x86.elf                                        malicious    • 109.202.202.202
    SecuriteInfo.com.Linux.Siggen.4218.31945.1125.elf   malicious    • 109.202.202.202
    sora.arm7.elf                                       malicious    • 109.202.202.202
    sora.x86.elf                                        malicious    • 109.202.202.202
    YziyrKNTFz.elf                                      malicious    • 109.202.202.202
    9FrHfq70Fi.elf                                      malicious    • 109.202.202.202
    CZr4ZXLsLe                                          malicious    • 109.202.202.202
VODANET International IP-Backbone of Vodafone DE
    p0hr6mFo4a.elf                                      malicious    • 47.87.197.232
    7HuJu44thW.elf                                      malicious    • 188.110.182.82
    Yw0HhtLWAz.elf                                      malicious    • 188.109.141.7
    MZbxLJqYM3.elf                                      malicious    • 2.203.197.21
    oAUrOBvfbV.elf                                      malicious    • 2.205.253.113
    jew.x86.elf                                         malicious    • 88.73.217.45
    3y849k7eIG.elf                                      malicious    • 188.97.131.92
    ewfDbhCyw3.elf                                      malicious    • 188.107.42.3
    wIUY7HguZD.elf                                      malicious    • 88.68.114.1
    87uWrdTuhh.elf                                      malicious    • 94.221.53.89
    tYV5avLJzh.elf                                      malicious