Linux Analysis Report
linux_ppc64.elf

Overview

General Information

Sample name: linux_ppc64.elf
Analysis ID: 1546475
MD5: 98399c166319247f27f42f6259b41abf
SHA1: 02d8328b44e017ea4cfee12aa30a5b7c4b717534
SHA256: 28e577cb88a75d558990c2098cb6a48814e44837ada09937f9cd2167289b54f3
Tags: elfuser-abuse_ch
Infos:

Detection

Chaos
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Yara detected Chaos
Drops files in suspicious directories
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Detected TCP or UDP traffic on non-standard ports
Drops files with innocent-looking names
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Executes the "systemctl" command used for controlling the systemd system and service manager
Reads CPU information from /sys indicative of miner or evasive malware
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Sleeps for long times indicative of sandbox evasion
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes shell script file to disk with an unusual file extension
Writes shell script files to disk

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: linux_ppc64.elf ReversingLabs: Detection: 42%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/linux_ppc64.elf (PID: 6256) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6363) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6745) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 42630 -> 8088
Source: unknown Network traffic detected: HTTP traffic on port 8088 -> 42630
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:34390 -> 149.88.76.121:808
Reads the 'hosts' file potentially containing internal network hosts
Source: /tmp/linux_ppc64.elf (PID: 6256) Reads hosts file: /etc/hosts Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /password.txt HTTP/1.1Host: 149.88.76.121:8088User-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qpadding bytes must all be zeros unless AllowIllegalWrites is enabledreflect: reflect.Value.UnsafePointer on an invalid notinheap pointerhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)tls: handshake message of length %d bytes exceeds maximum of %d bytestls: peer doesn't support the certificate custom signature algorithmsbytes.Buffer: UnreadByte: previous operation was not a successful readcannot convert slice with length %y to pointer to array with length %xgot %s for stream %d; expected CONTINUATION following %s for stream %dx509: PKCS#8 wrapping contained private key with unknown algorithm: %vx509: certificate relies on legacy Common Name field, use SANs insteadMozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)dynamic table size update MUST occur at the beginning of a header blockssh: no common algorithm for %s; client offered: %v, server offered: %vtls: peer doesn't support any of the certificate's signature algorithmstoo many concurrent operations on a single file or socket (max 1048575)x509: issuer has name constraints but leaf doesn't have a SAN extensionMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)tls: server's certificate contains an unsupported type of public key: %Ttls: received unexpected handshake message of type %T when waiting for %T91289437fa036b34da55d57af6192768c27bd433fa012169d626d934e0051b24dd67dd3cf49d7cc827bc012d259d7ac226e70829239d7ac226e7082968de60d520eb433722c07fd236f6crypto/elliptic: internal error: Unmarshal rejected a valid point encodingmalformed response from server: malformed non-numeric status pseudo headernet/http: server replied with more than declared Content-Length; truncatedtls: certificate RSA key size too small for supported signature algorithmsUnsolicited response received on idle HTTP channel starting with %q; err=%vtls: internal error: attempted to read record with pending application datatls: failed to send closeNotify alert (but connection was closed anyway): %wtls: server certificate contains incorrect key type for selected ciphersuite((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}MapIter.Next called on an iterator that does not have an associated map Valuecrypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled115792089210356248762697446949407573529996955224135760342422259061068512044369115792089210356248762697446949407573530086143415290314195533631308867097853951ssh: internal error: algorithmSignerWrapper invoked with non-default algorithmssh: unable to authenticate, attempted methods %v, no supported methods remainx509: signature check attempt
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http: RoundTripper implementation (%T) returned a nil *Response with a nil errortls: either ServerName or InsecureSkipVerify must be specified in the tls.Configx509: invalid signature: parent certificate cannot sign this kind of certificaterefusing to use HTTP_PROXY value in CGI environment; see golang.org/s/cgihttpproxyx509: a root or intermediate certificate is not authorized to sign for this name: (possibly because of %q while trying to verify candidate authority certificate %q)Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)x509: issuer has name constraints but leaf contains unknown or unconstrained name: tls: downgrade attempt detected, possibly due to a MitM attack or a broken middleboxx509: signature algorithm specifies an %s public key, but have public key of type %Treflect.Value.Interface: cannot return value obtained from unexported field or methodx509: failed to parse private key (use ParseECPrivateKey instead for this key format)Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)x509: a root or intermediate certificate is not authorized for an extended key usage: fxfzUc6gtMGc/i26ld3KydGKy1k7QqyMMyxjbU1Rlk+F9LQxnaTeCHGHsDUpaBeOWDeY6l+2kHlB7EWTLcGwfg==whv+Kf1cEtOXzr+zuvmef2as0WfbUDm8l2LMWBMel10NDnbShg9CsMUt327VJhOTbXLoPYJVTKy8MBPCVwoT8A==x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)http2: server sent GOAWAY and closed the connection; LastStreamID=%v, ErrCode=%v, debug=%qapplication/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5tls: handshake hash for a client certificate requested after discarding the handshake buffertls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5faa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefhttp: RoundTripper implementation (%T) returned a *Response with content length %d but a nil BodyNoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher: the nonce can't have zero length, or the security of the key will be immediately compromised1.0.3<<RMS>> equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: 78789.dns.army
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)x509:
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://search.msn.com/msnbot.htm
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)000102030405060708091011121314151617181920212223242526272829
Source: system-monitor.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)Mozilla/5.0
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.baidu.com/search/spider.html)http2:
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.entireweb.com/about/search_tech/speedy_spider/)text/html
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.haosou.com/help/help_3_2.htmlMozilla/5.0
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.huaweisymantec.com/cn/IRL/spider)Mozilla/5.0
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://www.youdao.com/help/webmaster/spider/;)reflect:
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: http://yandex.com/bots)http:
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: https://search.yahoo.com/search?p=illegal
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: https://www.baidu.com/s?wd=insufficient
Source: linux_ppc64.elf, ss.18.dr, ps.18.dr, lsof.18.dr, bash_config.18.dr, system-monitor.18.dr String found in binary or memory: https://www.so.com/s?q=index
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /usr/bin/pkill (PID: 6363) SIGKILL sent: pid: 6259, result: successful
Source: /usr/bin/pkill (PID: 6745) SIGKILL sent: pid: 6470, result: successful
Source: classification engine Classification label: mal80.spre.troj.evad.linELF@0/104@4/0
Source: ELF file section Submission: linux_ppc64.elf
Source: ELF file section Dropped file: id.services.conf.12.dr
Source: ELF file section Dropped file: System.img.config.18.dr
Source: ELF file section Dropped file: bash_config.18.dr
Source: ELF file section Dropped file: libdlrpcld.so.18.dr
Source: ELF file section Dropped file: system-monitor.18.dr
Source: ELF file section Dropped file: ps.18.dr
Source: ELF file section Dropped file: ss.18.dr
Source: ELF file section Dropped file: ls.18.dr
Source: ELF file section Dropped file: dir.18.dr
Source: ELF file section Dropped file: netstat.18.dr
Source: ELF file section Dropped file: find.18.dr
Source: ELF file section Dropped file: lsof.18.dr

Persistence and Installation Behavior
barindex
Sample tries to persist itself using /etc/profile
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /etc/profile.d/bash_config.sh Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /etc/profile.d/bash_config Jump to behavior
Sample tries to persist itself using cron
Source: /usr/bin/bash (PID: 6598) File: /etc/crontab
Sample tries to set files in /etc globally writable
Source: /tmp/linux_ppc64.elf (PID: 6241) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6241) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes identical ELF files to multiple locations
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /etc/profile.d/bash_config Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/netstat Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/lsof Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/lib/system-monitor Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/ls Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/lib/libdlrpcld.so Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/find Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/ss Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /boot/System.img.config Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/dir Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /usr/bin/ps Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6241) File with SHA-256 28E577CB88A75D558990C2098CB6A48814E44837ADA09937F9CD2167289B54F3 written: /etc/id.services.conf Jump to dropped file
Creates hidden files and/or directories
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /dev/.old Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /dev/.img Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /.img Jump to behavior
Source: /etc/id.services.conf (PID: 6762) File: /dev/.old
Source: /etc/id.services.conf (PID: 6762) File: /dev/.img
Source: /boot/System.img.config (PID: 6471) File: /dev/.old
Source: /boot/System.img.config (PID: 6471) File: /dev/.img
Creates hidden files without content (potentially used as a mutex)
Source: /boot/System.img.config (PID: 6471) Empty hidden file: /dev/.old
Source: /boot/System.img.config (PID: 6471) Empty hidden file: /dev/.img
Enumerates processes within the "proc" file system
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6351/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6351/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6351/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6351/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6350/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6350/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6350/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6350/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6471/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6471/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6353/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6353/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6353/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6353/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6474/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6474/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6474/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6474/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6474/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6474/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6352/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6352/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6352/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6352/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6473/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6355/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6355/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6355/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6355/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6354/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6475/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6357/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6357/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6357/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6356/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6356/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6356/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/6356/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File opened: /proc/1582/stat Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/linux_ppc64.elf (PID: 6246) Shell command executed: /bin/bash -c /etc/32678& Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6320) Shell command executed: /bin/bash -c "cd /boot;systemctl daemon-reload;systemctl enable linux.service;systemctl start linux.service;journalctl -xe --no-pager"
Source: /tmp/linux_ppc64.elf (PID: 6547) Shell command executed: /bin/bash -c "cd /boot;ausearch -c 'System.img.conf' --raw | audit2allow -M my-Systemimgconf;semodule -X 300 -i my-Systemimgconf.pp"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /boot/System.img.config (PID: 6363) Pkill executable: /usr/bin/pkill -> pkill -9 32678
Source: /etc/id.services.conf (PID: 6745) Pkill executable: /usr/bin/pkill -> pkill -9 32678
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 6252) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service Jump to behavior
Source: /usr/sbin/service (PID: 6275) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 6283) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/update-rc.d (PID: 6287) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6326) Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/bash (PID: 6333) Systemctl executable: /usr/bin/systemctl -> systemctl enable linux.service
Source: /bin/bash (PID: 6338) Systemctl executable: /usr/bin/systemctl -> systemctl start linux.service
Source: /usr/sbin/service (PID: 6680) Systemctl executable: /usr/bin/systemctl -> systemctl start cron.service
Source: /usr/sbin/service (PID: 6687) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6689) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /tmp/linux_ppc64.elf (PID: 6718) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6756) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6771) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6779) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 6468) Systemctl executable: /usr/bin/systemctl -> systemctl start crond.service
Source: /usr/sbin/service (PID: 6506) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6529) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Sample tries to set the executable flag
Source: /tmp/linux_ppc64.elf (PID: 6241) File: /etc/id.services.conf (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6241) File: /etc/32678 (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /boot/System.img.config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /etc/profile.d/bash_config (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/lib/libdlrpcld.so (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/lib/system-monitor (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/ps (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/ss (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/ls (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/dir (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/netstat (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/find (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/lsof (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes ELF files to disk
Source: /tmp/linux_ppc64.elf (PID: 6241) File written: /etc/id.services.conf Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /boot/System.img.config Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /etc/profile.d/bash_config Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/lib/libdlrpcld.so Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/lib/system-monitor Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/ps Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/ss Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/ls Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/dir Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/netstat Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/find Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File written: /usr/bin/lsof Jump to dropped file
Writes shell script file to disk with an unusual file extension
Source: /tmp/linux_ppc64.elf (PID: 6241) Writes shell script file to disk with an unusual file extension: /etc/32678 Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Writes shell script file to disk with an unusual file extension: /etc/init.d/linux_kill Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Writes shell script file to disk with an unusual file extension: /.img Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Writes shell script file to disk with an unusual file extension: /etc/init.d/ssh Jump to dropped file
Writes shell script files to disk
Source: /tmp/linux_ppc64.elf (PID: 6256) Shell script file created: /etc/profile.d/bash_config.sh Jump to dropped file
Source: /usr/sbin/service (PID: 6284) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 6690) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6780) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6530) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection
barindex
Drops files in suspicious directories
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /etc/init.d/linux_kill Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /etc/init.d/ssh Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/ps Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/ss Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/ls Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/dir Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/netstat Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/find Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) File: /usr/bin/lsof Jump to dropped file
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 42630 -> 8088
Source: unknown Network traffic detected: HTTP traffic on port 8088 -> 42630
Drops files with innocent-looking names
Source: /tmp/linux_ppc64.elf (PID: 6256) Path: /usr/bin/ps Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Path: /usr/bin/ss Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Path: /usr/bin/ls Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Path: /usr/bin/netstat Jump to dropped file
Source: /tmp/linux_ppc64.elf (PID: 6256) Path: /usr/bin/lsof Jump to dropped file
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /etc/32678 (PID: 6267) Sleep executable: /usr/bin/sleep -> sleep 60 Jump to behavior
Source: /etc/32678 (PID: 6475) Sleep executable: /usr/bin/sleep -> sleep 60
Source: /etc/32678 (PID: 6768) Sleep executable: /usr/bin/sleep -> sleep 60
Reads CPU information from /sys indicative of miner or evasive malware
Source: /tmp/linux_ppc64.elf (PID: 6256) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6363) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Sleeps for long times indicative of sandbox evasion
Source: /usr/bin/sleep (PID: 6267) Sleeps longer then 60s: 60.0s Jump to behavior
Source: /usr/bin/sleep (PID: 6475) Sleeps longer then 60s: 60.0s
Source: /usr/bin/sleep (PID: 6768) Sleeps longer then 60s: 60.0s
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/linux_ppc64.elf (PID: 6241) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 6246) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/linux_ppc64.elf (PID: 6256) Queries kernel information via 'uname': Jump to behavior
Source: /bin/bash (PID: 6320) Queries kernel information via 'uname':
Source: /bin/bash (PID: 6547) Queries kernel information via 'uname':
Source: /usr/bin/bash (PID: 6598) Queries kernel information via 'uname':
Source: /boot/System.img.config (PID: 6354) Queries kernel information via 'uname':
Source: /etc/id.services.conf (PID: 6740) Queries kernel information via 'uname':
Source: /etc/id.services.conf (PID: 6762) Queries kernel information via 'uname':
Source: /boot/System.img.config (PID: 6471) Queries kernel information via 'uname':
Source: System.img.config, 6471.1.00007ffe3066c000.00007ffe3068d000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc64
Source: System.img.config, 6471.1.000056361c5de000.000056361caa7000.rw-.sdmp Binary or memory string: 6V!/etc/qemu-binfmt/ppc64
Source: id.services.conf, 6762.1.000055c4a2f2b000.000055c4a33cd000.rw-.sdmp Binary or memory string: U0!/etc/qemu-binfmt/ppc64
Source: systemd, 6354.1.00007ffd94c81000.00007ffd94ca2000.rw-.sdmp, System.img.config, 6354.1.00007ffd94c81000.00007ffd94ca2000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc64/boot/System.img.configLANG=en_US.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binINVOCATION_ID=7c89bd964dfe4f17a46a722967a73267JOURNAL_STREAM=9:75866/boot/System.img.config
Source: linux_ppc64.elf, 6241.1.0000555a21acf000.0000555a21f8c000.rw-.sdmp Binary or memory string: !ZU!/etc/qemu-binfmt/ppc64
Source: systemd, 6354.1.0000557823d16000.00005578241d7000.rw-.sdmp, System.img.config, 6354.1.0000557823d16000.00005578241d7000.rw-.sdmp Binary or memory string: #xU!/etc/qemu-binfmt/ppc64
Source: 32678, 6740.1.00007fff85118000.00007fff85139000.rw-.sdmp, id.services.conf, 6740.1.00007fff85118000.00007fff85139000.rw-.sdmp Binary or memory string: +x86_64/usr/bin/qemu-ppc64/etc/id.services.confJOURNAL_STREAM=9:75866PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binINVOCATION_ID=7c89bd964dfe4f17a46a722967a73267LANG=en_US.UTF-8PWD=//etc/id.services.conf
Source: linux_ppc64.elf, 6241.1.00007ffcbab49000.00007ffcbab6a000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc64/tmp/linux_ppc64.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/linux_ppc64.elf
Source: System.img.config, 6471.1.000056361c5de000.000056361caa7000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc64
Source: id.services.conf, 6762.1.00007ffc998a6000.00007ffc998c7000.rw-.sdmp Binary or memory string: !+^q.x86_64/usr/bin/qemu-ppc64/etc/id.services.conf
Source: System.img.config, 6471.1.00007ffe3066c000.00007ffe3068d000.rw-.sdmp Binary or memory string: (*x86_64/usr/bin/qemu-ppc64/boot/System.img.config

Stealing of Sensitive Information
barindex
Yara detected Chaos
Source: Yara match File source: linux_ppc64.elf, type: SAMPLE
Source: Yara match File source: /usr/bin/ss, type: DROPPED
Source: Yara match File source: /usr/bin/lsof, type: DROPPED
Source: Yara match File source: /etc/profile.d/bash_config, type: DROPPED
Source: Yara match File source: /boot/System.img.config, type: DROPPED
Source: Yara match File source: /usr/bin/find, type: DROPPED
Source: Yara match File source: /usr/bin/ls, type: DROPPED
Source: Yara match File source: /usr/bin/netstat, type: DROPPED
Source: Yara match File source: /usr/bin/dir, type: DROPPED
Source: Yara match File source: /usr/bin/ps, type: DROPPED
Source: Yara match File source: /usr/lib/libdlrpcld.so, type: DROPPED
Source: Yara match File source: /usr/lib/system-monitor, type: DROPPED
Source: Yara match File source: /etc/id.services.conf, type: DROPPED

Remote Access Functionality
barindex
Yara detected Chaos
Source: Yara match File source: linux_ppc64.elf, type: SAMPLE
Source: Yara match File source: /usr/bin/ss, type: DROPPED
Source: Yara match File source: /usr/bin/lsof, type: DROPPED
Source: Yara match File source: /etc/profile.d/bash_config, type: DROPPED
Source: Yara match File source: /boot/System.img.config, type: DROPPED
Source: Yara match File source: /usr/bin/find, type: DROPPED
Source: Yara match File source: /usr/bin/ls, type: DROPPED
Source: Yara match File source: /usr/bin/netstat, type: DROPPED
Source: Yara match File source: /usr/bin/dir, type: DROPPED
Source: Yara match File source: /usr/bin/ps, type: DROPPED
Source: Yara match File source: /usr/lib/libdlrpcld.so, type: DROPPED
Source: Yara match File source: /usr/lib/system-monitor, type: DROPPED
Source: Yara match File source: /etc/id.services.conf, type: DROPPED

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
149.88.76.121
 78789.dns.army United States
188 SAIC-ASUS false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
78789.dns.army 149.88.76.121 true
www.google.com 142.250.185.100 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://149.88.76.121:8088/password.txt false
    		unknown