Basic dynamic malware analysis


Fernando Domínguez Delgado | 01 Dec 2016

In this post I will analyze one of the ELF files captured on my honeypot. First, a dynamic analysis will be performed. Once we acknowledge its behaviour we will move on to a more in-depth static analysis. Let's start!

We are presented with a 32-bit, un-stripped ELF executable.

$ file 05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf
05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped, too many notes (256)

Executing the malware sample with Wireshark listening on our routing machine shows that our sample is trying to contact server 218.2.0.127 on port 48080. IP Geolocation yields the following. And it looks like there is no domain associated to the IP add...

Linked on 2017-01-08 04:41:18