Linux Analysis Report
mKBZo65Fcb.elf

Overview

General Information

Sample name: mKBZo65Fcb.elf
renamed because original name is a hash value
Original sample name: 6faa9a7c3901049e897bb746be193aaf.elf
Analysis ID: 1447592
MD5: 6faa9a7c3901049e897bb746be193aaf
SHA1: fc9e52304a18109a56ae70176cc6e0a02920cc45
SHA256: 792bec7d7c06da5c0672a4545b2d20f1492587a22ab652ed1be9797c6d699174
Tags: 32elfmiraimotorola
Infos:

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: mKBZo65Fcb.elf ReversingLabs: Detection: 63%
Source: mKBZo65Fcb.elf Virustotal: Detection: 56% Perma Link
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:51946 -> 91.92.240.97:1312
Sample listens on a socket
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) Socket: 0.0.0.0::0 Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) Socket: 0.0.0.0::0 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.240.97
Source: unknown TCP traffic detected without corresponding DNS query: 13.100.199.221
Source: unknown TCP traffic detected without corresponding DNS query: 92.106.112.202
Source: unknown TCP traffic detected without corresponding DNS query: 248.140.178.18
Source: unknown TCP traffic detected without corresponding DNS query: 31.206.179.123
Source: unknown TCP traffic detected without corresponding DNS query: 177.88.60.53
Source: unknown TCP traffic detected without corresponding DNS query: 121.249.15.2
Source: unknown TCP traffic detected without corresponding DNS query: 165.178.50.221
Source: unknown TCP traffic detected without corresponding DNS query: 223.86.58.19
Source: unknown TCP traffic detected without corresponding DNS query: 59.142.189.15
Source: unknown TCP traffic detected without corresponding DNS query: 45.49.199.24
Source: unknown TCP traffic detected without corresponding DNS query: 178.236.151.157
Source: unknown TCP traffic detected without corresponding DNS query: 211.52.121.220
Source: unknown TCP traffic detected without corresponding DNS query: 64.246.229.137
Source: unknown TCP traffic detected without corresponding DNS query: 19.102.112.196
Source: unknown TCP traffic detected without corresponding DNS query: 43.78.157.178
Source: unknown TCP traffic detected without corresponding DNS query: 37.215.116.131
Source: unknown TCP traffic detected without corresponding DNS query: 203.113.114.232
Source: unknown TCP traffic detected without corresponding DNS query: 75.224.211.35
Source: unknown TCP traffic detected without corresponding DNS query: 67.176.29.86
Source: unknown TCP traffic detected without corresponding DNS query: 107.248.220.3
Source: unknown TCP traffic detected without corresponding DNS query: 27.201.11.20
Source: unknown TCP traffic detected without corresponding DNS query: 164.122.42.37
Source: unknown TCP traffic detected without corresponding DNS query: 179.244.227.165
Source: unknown TCP traffic detected without corresponding DNS query: 199.99.165.41
Source: unknown TCP traffic detected without corresponding DNS query: 198.182.87.3
Source: unknown TCP traffic detected without corresponding DNS query: 221.147.129.163
Source: unknown TCP traffic detected without corresponding DNS query: 83.27.161.5
Source: unknown TCP traffic detected without corresponding DNS query: 36.50.222.88
Source: unknown TCP traffic detected without corresponding DNS query: 145.251.223.215
Source: unknown TCP traffic detected without corresponding DNS query: 91.116.11.202
Source: unknown TCP traffic detected without corresponding DNS query: 108.78.112.194
Source: unknown TCP traffic detected without corresponding DNS query: 182.9.18.95
Source: unknown TCP traffic detected without corresponding DNS query: 170.26.48.201
Source: unknown TCP traffic detected without corresponding DNS query: 197.242.141.228
Source: unknown TCP traffic detected without corresponding DNS query: 24.231.233.252
Source: unknown TCP traffic detected without corresponding DNS query: 155.0.147.181
Source: unknown TCP traffic detected without corresponding DNS query: 213.237.246.221
Source: unknown TCP traffic detected without corresponding DNS query: 34.132.29.161
Source: unknown TCP traffic detected without corresponding DNS query: 4.39.169.202
Source: unknown TCP traffic detected without corresponding DNS query: 69.37.150.203
Source: unknown TCP traffic detected without corresponding DNS query: 116.222.21.239
Source: unknown TCP traffic detected without corresponding DNS query: 109.72.254.248
Source: unknown TCP traffic detected without corresponding DNS query: 68.244.118.74
Source: unknown TCP traffic detected without corresponding DNS query: 202.4.186.78
Source: unknown TCP traffic detected without corresponding DNS query: 53.134.2.110
Source: unknown TCP traffic detected without corresponding DNS query: 130.195.17.120
Source: unknown TCP traffic detected without corresponding DNS query: 59.107.103.198
Source: unknown TCP traffic detected without corresponding DNS query: 221.196.36.59
Source: unknown TCP traffic detected without corresponding DNS query: 248.42.72.27
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown Network traffic detected: HTTP traffic on port 46540 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: mKBZo65Fcb.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: mKBZo65Fcb.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5589.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5589.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5604.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5604.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5462.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5462.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5470.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5470.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5460.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5460.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5594.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5594.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5583.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5583.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5463.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5463.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5462, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5462, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5589, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5589, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5594, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5594, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5604, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5604, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) SIGKILL sent: pid: 940, result: successful Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) SIGKILL sent: pid: 940, result: successful Jump to behavior
Yara signature match
Source: mKBZo65Fcb.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: mKBZo65Fcb.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5589.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5589.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5604.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5604.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5462.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5462.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5470.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5470.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5460.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5460.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5594.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5594.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5583.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5583.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5463.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5463.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5462, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5462, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5589, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5589, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5594, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5594, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5604, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: mKBZo65Fcb.elf PID: 5604, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal64.troj.linELF@0/0@2/0
Enumerates processes within the "proc" file system
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/490/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/791/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/794/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/795/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/797/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/853/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/917/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/780/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/1/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/661/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/782/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/785/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/940/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/767/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/800/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/888/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/801/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/725/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/769/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/726/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/803/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/806/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/807/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5462) File opened: /proc/928/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/490/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/791/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/794/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/795/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/797/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/853/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/917/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/780/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/1/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/661/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/782/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/785/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/940/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/767/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/800/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/888/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/801/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/725/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/769/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/726/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/803/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/806/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/807/fd Jump to behavior
Source: /tmp/mKBZo65Fcb.elf (PID: 5468) File opened: /proc/928/fd Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/mKBZo65Fcb.elf (PID: 5460) Queries kernel information via 'uname': Jump to behavior
Source: mKBZo65Fcb.elf, 5460.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5462.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5589.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5604.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5594.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5463.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5583.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5470.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: mKBZo65Fcb.elf, 5460.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5462.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5589.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5604.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5594.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5463.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5583.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp, mKBZo65Fcb.elf, 5470.1.00007ffceab09000.00007ffceab2a000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/mKBZo65Fcb.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mKBZo65Fcb.elf
Source: mKBZo65Fcb.elf, 5460.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5462.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5589.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5604.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5594.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5463.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5583.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5470.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: mKBZo65Fcb.elf, 5460.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5462.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5589.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5604.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5594.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5463.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5583.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp, mKBZo65Fcb.elf, 5470.1.0000560b27ae2000.0000560b27b68000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: mKBZo65Fcb.elf, type: SAMPLE
Source: Yara match File source: 5589.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5604.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5462.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5470.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5460.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5594.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5583.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5463.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: mKBZo65Fcb.elf, type: SAMPLE
Source: Yara match File source: 5589.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5604.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5462.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5470.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5460.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5594.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5583.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5463.1.00007fc590001000.00007fc590016000.r-x.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.167.211.188
 unknown Germany
8881 VERSATELDE false
221.134.177.91
 unknown India
9583 SIFY-AS-INSifyLimitedIN false
53.189.37.190
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
116.97.166.75
 unknown Viet Nam
7552 VIETEL-AS-APViettelGroupVN false
77.143.113.106
 unknown France
49902 SRR-ASFR false
196.115.0.216
 unknown Morocco
36925 ASMediMA false
150.148.10.103
 unknown United States
22828 ASN-FDAUS false
102.228.74.53
 unknown unknown
36926 CKL1-ASNKE false
39.179.211.162
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
46.147.217.127
 unknown Russian Federation
57378 ROSTOV-ASRU false
63.190.130.133
 unknown United States
1239 SPRINTLINKUS false
148.232.117.8
 unknown Mexico
28414 TOTALPLAYTELECOMUNICACIONESSADECVMX false
250.40.68.245
 unknown Reserved
unknown unknown false
17.104.107.136
 unknown United States
714 APPLE-ENGINEERINGUS false
161.62.34.200
 unknown Switzerland
559 SWITCHPeeringrequestspeeringswitchchEU false
17.230.117.103
 unknown United States
714 APPLE-ENGINEERINGUS false
160.108.150.38
 unknown United States
715 WOODYNET-2US false
114.40.215.197
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
248.46.57.31
 unknown Reserved
unknown unknown false
107.227.191.98
 unknown United States
7018 ATT-INTERNET4US false
211.40.72.79
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
240.237.149.40
 unknown Reserved
unknown unknown false
142.69.131.121
 unknown Canada
14817 SCL-SHAWCA false
212.190.194.232
 unknown Belgium
702 UUNETUS false
115.79.190.137
 unknown Viet Nam
7552 VIETEL-AS-APViettelGroupVN false
124.13.41.66
 unknown Malaysia
4788 TMNET-AS-APTMNetInternetServiceProviderMY false
203.54.65.68
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
171.14.155.129
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
168.177.12.161
 unknown United States
11663 SUG-1US false
186.156.236.49
 unknown Chile
22047 VTRBANDAANCHASACL false
31.150.140.206
 unknown Germany
9145 EWETELCloppenburgerStrasse310DE false
147.99.28.79
 unknown France
2200 FR-RENATERReseauNationaldetelecommunicationspourlaTec false
194.57.136.25
 unknown France
2200 FR-RENATERReseauNationaldetelecommunicationspourlaTec false
122.79.250.96
 unknown China
63711 CTTNETChinaTieTongTelecommunicationsCorporationCN false
23.216.221.197
 unknown United States
16625 AKAMAI-ASUS false
197.199.166.207
 unknown Egypt
36992 ETISALAT-MISREG false
185.190.40.179
 unknown Russian Federation
48043 OZYORSK-TELECOM-ASRU false
163.54.105.65
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
201.249.189.59
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE false
194.213.46.230
 unknown Czech Republic
5588 GTSCEGTSCentralEuropeAntelGermanyCZ false
66.125.28.50
 unknown United States
7132 SBIS-ASUS false
62.28.37.209
 unknown Portugal
15525 MEO-EMPRESASPT false
13.198.249.148
 unknown United States
7018 ATT-INTERNET4US false
66.65.108.175
 unknown United States
12271 TWC-12271-NYCUS false
5.210.100.148
 unknown Iran (ISLAMIC Republic Of)
197207 MCCI-ASIR false
116.118.167.219
 unknown Taiwan; Republic of China (ROC)
18049 TINP-TWTaiwanInfrastructureNetworkTechnologieTW false
148.15.243.82
 unknown United States
394673 9408US false
98.187.110.125
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
85.225.228.56
 unknown Sweden
2119 TELENOR-NEXTELTelenorNorgeASNO false
67.66.161.98
 unknown United States
7018 ATT-INTERNET4US false
113.230.132.50
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
95.157.31.52
 unknown Germany
35244 KMS-DE_ASDE false
190.190.111.215
 unknown Argentina
10481 TelecomArgentinaSAAR false
20.71.144.219
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
42.143.115.161
 unknown China
4249 LILLY-ASUS false
58.245.211.12
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
163.54.105.51
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
91.183.234.13
 unknown Belgium
5432 PROXIMUS-ISP-ASBE false
90.135.166.80
 unknown Sweden
1257 TELE2EU false
157.249.142.121
 unknown Norway
224 UNINETTUNINETTTheNorwegianUniversityResearchNetwork false
5.16.29.38
 unknown Russian Federation
51570 SPB-ASRU false
157.6.53.148
 unknown Japan 2907 SINET-ASResearchOrganizationofInformationandSystemsN false
221.184.172.80
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
31.242.82.124
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
121.195.89.128
 unknown China
4538 ERX-CERNET-BKBChinaEducationandResearchNetworkCenter false
2.36.96.221
 unknown Italy
30722 VODAFONE-IT-ASNIT false
148.194.8.46
 unknown United States
18819 ENTERGY-CORP-US false
111.132.36.100
 unknown China
24138 CTTNETChinaTieTongTelecommunicationsCorporationCN false
104.239.109.236
 unknown United States
6762 SEABONE-NETTELECOMITALIASPARKLESpAIT false
185.237.202.133
 unknown Spain
29119 SERVIHOSTING-ASAireNetworksES false
175.2.61.80
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
219.13.202.77
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
89.25.179.22
 unknown Poland
31242 TKPSA-ASPL false
149.182.164.165
 unknown United Kingdom
87 INDIANA-ASUS false
27.112.194.74
 unknown Korea Republic of
18310 VITSSEN-AS-KRTBROADABCBROADCASTINGCOLTDKR false
212.60.167.135
 unknown Austria
1901 EUNETAT-ASA1TelekomAustriaAGAT false
249.190.228.69
 unknown Reserved
unknown unknown false
135.76.111.102
 unknown United States
18676 AVAYAUS false
206.69.30.216
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
113.84.190.244
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
187.195.234.239
 unknown Mexico
8151 UninetSAdeCVMX false
88.43.100.192
 unknown Italy
3269 ASN-IBSNAZIT false
106.96.40.203
 unknown Korea Republic of
17853 LGTELECOM-AS-KRLGTELECOMKR false
85.140.83.134
 unknown Russian Federation
39001 MTSRU false
149.34.159.218
 unknown United States
35699 ADAMOEU-ASAdamoTelecomIberiaSAES false
38.125.234.103
 unknown United States
395111 KVCNET-2009US false
212.194.217.247
 unknown France
5410 BOUYGTEL-ISPFR false
186.161.182.129
 unknown Peru
21575 ENTELPERUSAPE false
88.42.73.173
 unknown Italy
3269 ASN-IBSNAZIT false
179.117.180.47
 unknown Brazil
26599 TELEFONICABRASILSABR false
167.3.91.243
 unknown United States
6448 QADUS false
121.92.111.119
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
89.152.61.49
 unknown Portugal
2860 NOS_COMUNICACOESPT false
197.4.248.17
 unknown Tunisia
5438 ATI-TN false
191.215.26.170
 unknown Brazil
7738 TelemarNorteLesteSABR false
222.66.105.133
 unknown China
4812 CHINANET-SH-APChinaTelecomGroupCN false
69.65.222.134
 unknown United States
10421 TTUNETUS false
80.120.68.204
 unknown Austria
8447 TELEKOM-ATA1TelekomAustriaAGAT false
97.130.116.54
 unknown United States
6167 CELLCO-PARTUS false
253.82.17.138
 unknown Reserved
unknown unknown false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true