Linux Analysis Report
yakuza.arm7.elf

Overview

General Information

Sample name: yakuza.arm7.elf
Analysis ID: 1561400
MD5: ff372adbc5e569cff7db7dc149fab189
SHA1: 7348cab16bb9a6cc5e8fcbdb8b42b5db478efbde
SHA256: fded14fcb77f6abfebea70c812efa1d72cbbd54f38fb233bc7290bd264d565e7
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: yakuza.arm7.elf ReversingLabs: Detection: 50%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5513) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5556) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5560) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5567) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5575) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5581) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5588) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5614) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5619) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5625) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5639) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5646) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5655) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5659) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5666) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5674) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5680) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5684) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5695) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5703) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5709) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5713) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5722) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5726) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5735) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5739) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5746) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5750) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5760) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5764) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5770) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5777) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5787) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5791) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5800) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5804) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5813) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5817) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5826) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5832) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5841) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5845) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5854) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5860) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5868) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5877) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5881) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5889) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5894) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses IRC for communication with a C&C
Source: unknown IRC traffic detected: 192.168.2.14:56978 -> 95.234.158.87:6780 NICK [OSX|ARM4T]GZT45PcS USER GZT45PcS localhost localhost :GZT45PcS
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 56978 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56980 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56982 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56984 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56986 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56990 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56992 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56994 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56996 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56998 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57000 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57002 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57004 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57006 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57008 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57010 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57012 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57014 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57016 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57018 -> 6780
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.14:56978 -> 95.234.158.87:6780
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: yakuza.arm7.elf String found in binary or memory: http://linux-it.abuser.eu/yak.sh;
Source: yakuza.arm7.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.arm7.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yakuza.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: yakuza.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: yakuza.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5503.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5507.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 Author: unknown
Source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 Author: unknown
Source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm7.elf PID: 5503, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm7.elf PID: 5507, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Sample and/or dropped files contains symbols with suspicious names
Source: yakuza.arm7.elf ELF static info symbol of initial sample: __gnu_unwind_execute
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Yara signature match
Source: yakuza.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: yakuza.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: yakuza.arm7.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5503.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5507.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_6a510422 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 8ee116ff41236771cdc8dc4b796c3b211502413ae631d5b5aedbbaa2eccc3b75, id = 6a510422-3662-4fdb-9c03-0101f16e87cd, last_modified = 2021-09-16
Source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_d2953f92 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 276c6d62a8a335d0e2421b6b5b90c2c0eb69eec294bc9fcdeb7743abbf08d8bc, id = d2953f92-62ee-428d-88c5-723914c88c6e, last_modified = 2021-09-16
Source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm7.elf PID: 5503, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm7.elf PID: 5507, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.troj.linELF@0/0@2/0
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1583/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1583/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/2672/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/2672/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/234/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/234/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1577/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1577/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3752/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3752/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3753/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3753/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3754/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3754/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3755/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3755/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/917/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/917/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/19/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/19/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1593/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1593/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/240/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/240/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3094/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3094/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/242/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/242/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3406/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3406/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/244/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/244/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1589/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1589/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/245/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/245/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1588/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/1588/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/246/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/246/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3402/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/3402/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/126/status Jump to behavior
Source: /usr/bin/pkill (PID: 5581) File opened: /proc/126/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/yakuza.arm7.elf (PID: 5510) Shell command executed: /bin/sh -c "pkill -9 902i13 || busybox pkill -9 902i13" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5550) Shell command executed: /bin/sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5558) Shell command executed: /bin/sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5565) Shell command executed: /bin/sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5569) Shell command executed: /bin/sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5579) Shell command executed: /bin/sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5583) Shell command executed: /bin/sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5610) Shell command executed: /bin/sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5617) Shell command executed: /bin/sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5623) Shell command executed: /bin/sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5627) Shell command executed: /bin/sh -c "pkill -9 MDMA || busybox pkill -9 MDMA" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5637) Shell command executed: /bin/sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5641) Shell command executed: /bin/sh -c "pkill -9 scanspc || busybox pkill -9 scanspc" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5650) Shell command executed: /bin/sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5657) Shell command executed: /bin/sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids" Jump to behavior
Source: /tmp/yakuza.arm7.elf (PID: 5664) Shell command executed: /bin/sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
Source: /tmp/yakuza.arm7.elf (PID: 5668) Shell command executed: /bin/sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.arm7.elf (PID: 5678) Shell command executed: /bin/sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.arm7.elf (PID: 5682) Shell command executed: /bin/sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.arm7.elf (PID: 5690) Shell command executed: /bin/sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.arm7.elf (PID: 5697) Shell command executed: /bin/sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.arm7.elf (PID: 5707) Shell command executed: /bin/sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.arm7.elf (PID: 5711) Shell command executed: /bin/sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.arm7.elf (PID: 5717) Shell command executed: /bin/sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.arm7.elf (PID: 5724) Shell command executed: /bin/sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.arm7.elf (PID: 5730) Shell command executed: /bin/sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.arm7.elf (PID: 5737) Shell command executed: /bin/sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.arm7.elf (PID: 5744) Shell command executed: /bin/sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.arm7.elf (PID: 5748) Shell command executed: /bin/sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.arm7.elf (PID: 5754) Shell command executed: /bin/sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.arm7.elf (PID: 5762) Shell command executed: /bin/sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.arm7.elf (PID: 5768) Shell command executed: /bin/sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.arm7.elf (PID: 5772) Shell command executed: /bin/sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.arm7.elf (PID: 5782) Shell command executed: /bin/sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.arm7.elf (PID: 5789) Shell command executed: /bin/sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.arm7.elf (PID: 5795) Shell command executed: /bin/sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.arm7.elf (PID: 5802) Shell command executed: /bin/sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.arm7.elf (PID: 5808) Shell command executed: /bin/sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.arm7.elf (PID: 5815) Shell command executed: /bin/sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.arm7.elf (PID: 5822) Shell command executed: /bin/sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.arm7.elf (PID: 5830) Shell command executed: /bin/sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.arm7.elf (PID: 5836) Shell command executed: /bin/sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.arm7.elf (PID: 5843) Shell command executed: /bin/sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.arm7.elf (PID: 5849) Shell command executed: /bin/sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Source: /tmp/yakuza.arm7.elf (PID: 5858) Shell command executed: /bin/sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
Source: /tmp/yakuza.arm7.elf (PID: 5862) Shell command executed: /bin/sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"
Source: /tmp/yakuza.arm7.elf (PID: 5872) Shell command executed: /bin/sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"
Source: /tmp/yakuza.arm7.elf (PID: 5879) Shell command executed: /bin/sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"
Source: /tmp/yakuza.arm7.elf (PID: 5885) Shell command executed: /bin/sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"
Source: /tmp/yakuza.arm7.elf (PID: 5892) Shell command executed: /bin/sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5513) Pkill executable: /usr/bin/pkill -> pkill -9 902i13 Jump to behavior
Source: /bin/sh (PID: 5556) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY Jump to behavior
Source: /bin/sh (PID: 5560) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7 Jump to behavior
Source: /bin/sh (PID: 5567) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL Jump to behavior
Source: /bin/sh (PID: 5575) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87 Jump to behavior
Source: /bin/sh (PID: 5581) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd Jump to behavior
Source: /bin/sh (PID: 5588) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X Jump to behavior
Source: /bin/sh (PID: 5614) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE Jump to behavior
Source: /bin/sh (PID: 5619) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e Jump to behavior
Source: /bin/sh (PID: 5625) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4 Jump to behavior
Source: /bin/sh (PID: 5633) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA Jump to behavior
Source: /bin/sh (PID: 5639) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex Jump to behavior
Source: /bin/sh (PID: 5646) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc Jump to behavior
Source: /bin/sh (PID: 5655) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ Jump to behavior
Source: /bin/sh (PID: 5659) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids
Source: /bin/sh (PID: 5666) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86
Source: /bin/sh (PID: 5674) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 5680) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 5684) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 5695) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 5703) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 5709) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 5713) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 5722) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 5726) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 5735) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 5739) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 5746) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 5750) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 5760) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 5764) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 5770) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 5777) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 5787) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 5791) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 5800) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 5804) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 5813) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 5817) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 5826) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 5832) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 5841) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 5845) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 5854) Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 5860) Pkill executable: /usr/bin/pkill -> pkill -9 wget-log
Source: /bin/sh (PID: 5868) Pkill executable: /usr/bin/pkill -> pkill -9 1337SoraLOADER
Source: /bin/sh (PID: 5877) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKINA
Source: /bin/sh (PID: 5881) Pkill executable: /usr/bin/pkill -> pkill -9 ggtq
Source: /bin/sh (PID: 5889) Pkill executable: /usr/bin/pkill -> pkill -9 1378bfp919GRB1Q2
Source: /bin/sh (PID: 5894) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKUSO

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 56978 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56980 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56982 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56984 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56986 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56988 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56990 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56992 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56994 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56996 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 56998 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57000 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57002 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57004 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57006 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57008 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57010 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57012 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57014 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57016 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 57018 -> 6780
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5513) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5556) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5560) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5567) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5575) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5581) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5588) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5614) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5619) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5625) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5639) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5646) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5655) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5659) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5666) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5674) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5680) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5684) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5695) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5703) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5709) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5713) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5722) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5726) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5735) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5739) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5746) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5750) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5760) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5764) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5770) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5777) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5787) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5791) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5800) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5804) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5813) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5817) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5826) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5832) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5841) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5845) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5854) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5860) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5868) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5877) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5881) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5889) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5894) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/yakuza.arm7.elf (PID: 5503) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5547) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5557) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5564) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5568) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5578) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5582) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5591) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5616) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5622) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5626) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5636) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5640) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5649) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5656) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5663) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5667) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5677) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5681) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5687) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5696) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5704) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5710) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5714) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5723) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5727) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5736) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5741) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5747) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5753) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5761) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5765) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5771) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5779) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5788) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5792) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5801) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5805) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5814) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5818) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5829) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5833) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5842) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5846) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5857) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5861) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5871) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5878) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5884) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5891) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5897) Queries kernel information via 'uname':
Source: yakuza.arm7.elf, 5503.1.000055c0c739a000.000055c0c74c8000.rw-.sdmp, yakuza.arm7.elf, 5507.1.000055c0c739a000.000055c0c74c8000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/arm
Source: yakuza.arm7.elf, 5503.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp, yakuza.arm7.elf, 5507.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/yakuza.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yakuza.arm7.elf
Source: yakuza.arm7.elf, 5503.1.000055c0c739a000.000055c0c74c8000.rw-.sdmp, yakuza.arm7.elf, 5507.1.000055c0c739a000.000055c0c74c8000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: yakuza.arm7.elf, 5503.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp, yakuza.arm7.elf, 5507.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: yakuza.arm7.elf, 5507.1.00007ffe74a5b000.00007ffe74a7c000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm7.elf, type: SAMPLE
Source: Yara match File source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm7.elf, type: SAMPLE
Source: Yara match File source: 5507.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5503.1.00007fa380017000.00007fa380039000.r-x.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
95.234.158.87
 unknown Italy
3269 ASN-IBSNAZIT true

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true