Linux Analysis Report
yakuza.i586.elf

Overview

General Information

Sample name: yakuza.i586.elf
Analysis ID: 1561401
MD5: c57f4bba90b9810df5239d7e4ec8f5a9
SHA1: 66a758ca55e2efb85b5606ad3d8b70e69ea30abb
SHA256: 61daf676b1bdc71c3b719cbc1c6e7d39a267a131cb8951accb83b02be98a4d2d
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Mirai
Machine Learning detection for sample
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample and/or dropped files contains symbols with suspicious names
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Machine Learning detection for sample
Source: yakuza.i586.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5436) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5441) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5446) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5455) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5460) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5463) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5468) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5471) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5496) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5500) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5505) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5508) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5513) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5518) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5521) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5526) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5531) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5534) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5541) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5545) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5555) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5563) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5566) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5571) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5576) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5579) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5584) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5588) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5593) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5596) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5601) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5606) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5609) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5614) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5617) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5622) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5627) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5636) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5641) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5644) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5649) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5652) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses IRC for communication with a C&C
Source: unknown IRC traffic detected: 192.168.2.13:60584 -> 95.234.158.87:6780 NICK [OSX|x86_32]ZGD1oaq USER ZGD1oaq localhost localhost :ZGD1oaq
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 60584 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60584 -> 6780
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:60584 -> 95.234.158.87:6780
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 196.69.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 152.33.68.218
Source: unknown TCP traffic detected without corresponding DNS query: 251.1.213.172
Source: unknown TCP traffic detected without corresponding DNS query: 95.223.93.183
Source: unknown TCP traffic detected without corresponding DNS query: 166.29.98.117
Source: unknown TCP traffic detected without corresponding DNS query: 60.6.138.212
Source: unknown TCP traffic detected without corresponding DNS query: 39.78.48.235
Source: unknown TCP traffic detected without corresponding DNS query: 147.16.128.15
Source: unknown TCP traffic detected without corresponding DNS query: 146.139.99.56
Source: unknown TCP traffic detected without corresponding DNS query: 191.54.163.229
Source: unknown TCP traffic detected without corresponding DNS query: 139.229.100.178
Source: unknown TCP traffic detected without corresponding DNS query: 179.148.30.198
Source: unknown TCP traffic detected without corresponding DNS query: 84.133.219.16
Source: unknown TCP traffic detected without corresponding DNS query: 18.213.188.113
Source: unknown TCP traffic detected without corresponding DNS query: 165.30.213.183
Source: unknown TCP traffic detected without corresponding DNS query: 116.146.168.169
Source: unknown TCP traffic detected without corresponding DNS query: 94.153.1.50
Source: unknown TCP traffic detected without corresponding DNS query: 171.208.68.62
Source: unknown TCP traffic detected without corresponding DNS query: 92.39.118.155
Source: unknown TCP traffic detected without corresponding DNS query: 194.38.94.118
Source: unknown TCP traffic detected without corresponding DNS query: 187.124.61.224
Source: unknown TCP traffic detected without corresponding DNS query: 32.220.193.43
Source: unknown TCP traffic detected without corresponding DNS query: 27.147.152.15
Source: unknown TCP traffic detected without corresponding DNS query: 145.124.16.237
Source: unknown TCP traffic detected without corresponding DNS query: 164.7.9.130
Source: unknown TCP traffic detected without corresponding DNS query: 53.153.168.26
Source: unknown TCP traffic detected without corresponding DNS query: 38.192.56.82
Source: unknown TCP traffic detected without corresponding DNS query: 155.202.33.87
Source: unknown TCP traffic detected without corresponding DNS query: 198.221.56.97
Source: unknown TCP traffic detected without corresponding DNS query: 17.169.106.34
Source: unknown TCP traffic detected without corresponding DNS query: 113.80.112.24
Source: unknown TCP traffic detected without corresponding DNS query: 165.122.143.201
Source: unknown TCP traffic detected without corresponding DNS query: 129.152.203.162
Source: unknown TCP traffic detected without corresponding DNS query: 163.0.226.11
Source: unknown TCP traffic detected without corresponding DNS query: 117.79.53.145
Source: unknown TCP traffic detected without corresponding DNS query: 180.161.194.38
Source: unknown TCP traffic detected without corresponding DNS query: 153.213.232.97
Source: unknown TCP traffic detected without corresponding DNS query: 113.179.62.3
Source: unknown TCP traffic detected without corresponding DNS query: 25.42.251.14
Source: unknown TCP traffic detected without corresponding DNS query: 220.40.37.130
Source: unknown TCP traffic detected without corresponding DNS query: 78.152.198.113
Source: unknown TCP traffic detected without corresponding DNS query: 121.177.159.20
Source: yakuza.i586.elf String found in binary or memory: http://linux-it.abuser.eu/yak.sh;
Source: yakuza.i586.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.i586.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_c573932b Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_750fe002 Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_7167d08f Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_c573932b Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_750fe002 Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_7167d08f Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_6b3974b2 Author: unknown
Source: Process Memory Space: yakuza.i586.elf PID: 5431, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Sample and/or dropped files contains symbols with suspicious names
Source: yakuza.i586.elf ELF static info symbol of initial sample: passwords
Source: yakuza.i586.elf ELF static info symbol of initial sample: usernames
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Yara signature match
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_c573932b reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 18a3025ebb8af46605970ee8d7d18214854b86200001d576553e102cb71df266, id = c573932b-9b3f-4ab7-a6b6-32dcc7473790, last_modified = 2021-09-16
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_750fe002 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f51347158a6477b0da4ed4df3374fbad92b6ac137aa4775f83035d1e30cba7dc, id = 750fe002-cac1-4832-94d2-212aa5ec17e3, last_modified = 2021-09-16
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_7167d08f reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = b9df4ab322a2a329168f684b07b7b05ee3d03165c5b9050a4710eae7aeca6cd9, id = 7167d08f-bfeb-4d78-9783-3a1df2ef0ed3, last_modified = 2021-09-16
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: yakuza.i586.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_c573932b reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 18a3025ebb8af46605970ee8d7d18214854b86200001d576553e102cb71df266, id = c573932b-9b3f-4ab7-a6b6-32dcc7473790, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_5bf62ce4 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ffc398303f7208e77c4fbdfb50ac896e531b7cee3be2fa820bc8d70cfb20af3, id = 5bf62ce4-619b-4d46-b221-c5bf552474bb, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_750fe002 reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f51347158a6477b0da4ed4df3374fbad92b6ac137aa4775f83035d1e30cba7dc, id = 750fe002-cac1-4832-94d2-212aa5ec17e3, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_7167d08f reference_sample = 4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = b9df4ab322a2a329168f684b07b7b05ee3d03165c5b9050a4710eae7aeca6cd9, id = 7167d08f-bfeb-4d78-9783-3a1df2ef0ed3, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_0fa3a6e9 reference_sample = 40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = fed796c5275e2e91c75dcdbf73d0c0ab37591115989312c6f6c5adcd138bc91f, id = 0fa3a6e9-89f3-4bc8-8dc1-e9ccbeeb836d, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_6b3974b2 reference_sample = 2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 942a35f7acacf1d07577fe159a34dc7b04e5d07ff32ea13be975cfeea23e34be, id = 6b3974b2-fd7f-4ebf-8aba-217761e7b846, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.i586.elf PID: 5431, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal68.troj.linELF@0/0@0/0
Source: yakuza.i586.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crt1.S
Source: yakuza.i586.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crti.S
Source: yakuza.i586.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/crtn.S
Source: yakuza.i586.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/mmap.S
Source: yakuza.i586.elf ELF static info symbol of initial sample: libc/sysdeps/linux/i386/vfork.S
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/5380/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/5380/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/230/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/230/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/110/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/110/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/231/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/231/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/111/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/111/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/232/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/232/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/112/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/112/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/233/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/233/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/113/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/113/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/234/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/234/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/114/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/114/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/235/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/235/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/115/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/115/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/236/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/236/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/116/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/116/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/237/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/237/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/117/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/117/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/238/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/238/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/118/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/118/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/239/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/239/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/119/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/119/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/914/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/914/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/10/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/10/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/917/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/917/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/11/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/11/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/12/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/12/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/13/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/13/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/14/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/14/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/5275/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/5275/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/15/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/15/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/16/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/16/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/17/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/17/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/18/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/18/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/19/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/19/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/240/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/240/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/3095/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/3095/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/120/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/120/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/241/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/241/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/121/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/121/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/242/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/242/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/1/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/1/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/122/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/122/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/243/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/243/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/2/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/2/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/123/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/123/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/244/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/244/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/3/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/3/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/124/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/124/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/245/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/245/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/1588/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/1588/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/125/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/125/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/4/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/4/cmdline Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/246/status Jump to behavior
Source: /usr/bin/pkill (PID: 5460) File opened: /proc/246/cmdline Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/yakuza.i586.elf (PID: 5435) Shell command executed: sh -c "pkill -9 902i13 || busybox pkill -9 902i13" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5440) Shell command executed: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5445) Shell command executed: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5454) Shell command executed: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5459) Shell command executed: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5462) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5467) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5470) Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5495) Shell command executed: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5499) Shell command executed: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5504) Shell command executed: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5507) Shell command executed: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5512) Shell command executed: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5517) Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5520) Shell command executed: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids" Jump to behavior
Source: /tmp/yakuza.i586.elf (PID: 5525) Shell command executed: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
Source: /tmp/yakuza.i586.elf (PID: 5530) Shell command executed: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.i586.elf (PID: 5533) Shell command executed: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.i586.elf (PID: 5540) Shell command executed: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.i586.elf (PID: 5544) Shell command executed: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.i586.elf (PID: 5549) Shell command executed: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.i586.elf (PID: 5554) Shell command executed: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.i586.elf (PID: 5557) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.i586.elf (PID: 5562) Shell command executed: sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.i586.elf (PID: 5565) Shell command executed: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.i586.elf (PID: 5570) Shell command executed: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.i586.elf (PID: 5575) Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.i586.elf (PID: 5578) Shell command executed: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.i586.elf (PID: 5581) Shell command executed: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.i586.elf (PID: 5587) Shell command executed: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.i586.elf (PID: 5592) Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.i586.elf (PID: 5595) Shell command executed: sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.i586.elf (PID: 5600) Shell command executed: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.i586.elf (PID: 5605) Shell command executed: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.i586.elf (PID: 5608) Shell command executed: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.i586.elf (PID: 5613) Shell command executed: sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.i586.elf (PID: 5616) Shell command executed: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.i586.elf (PID: 5621) Shell command executed: sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.i586.elf (PID: 5626) Shell command executed: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.i586.elf (PID: 5632) Shell command executed: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.i586.elf (PID: 5635) Shell command executed: sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.i586.elf (PID: 5640) Shell command executed: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.i586.elf (PID: 5643) Shell command executed: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.i586.elf (PID: 5648) Shell command executed: sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Source: /tmp/yakuza.i586.elf (PID: 5651) Shell command executed: sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5436) Pkill executable: /usr/bin/pkill -> pkill -9 902i13 Jump to behavior
Source: /bin/sh (PID: 5441) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY Jump to behavior
Source: /bin/sh (PID: 5446) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7 Jump to behavior
Source: /bin/sh (PID: 5455) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL Jump to behavior
Source: /bin/sh (PID: 5460) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87 Jump to behavior
Source: /bin/sh (PID: 5463) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd Jump to behavior
Source: /bin/sh (PID: 5468) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X Jump to behavior
Source: /bin/sh (PID: 5471) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE Jump to behavior
Source: /bin/sh (PID: 5496) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e Jump to behavior
Source: /bin/sh (PID: 5500) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4 Jump to behavior
Source: /bin/sh (PID: 5505) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA Jump to behavior
Source: /bin/sh (PID: 5508) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex Jump to behavior
Source: /bin/sh (PID: 5513) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc Jump to behavior
Source: /bin/sh (PID: 5518) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ Jump to behavior
Source: /bin/sh (PID: 5521) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids Jump to behavior
Source: /bin/sh (PID: 5526) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86
Source: /bin/sh (PID: 5531) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 5534) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 5541) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 5545) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 5550) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 5555) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 5558) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 5563) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 5566) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 5571) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 5576) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 5579) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 5584) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 5588) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 5593) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 5596) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 5601) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 5606) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 5609) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 5614) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 5617) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 5622) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 5627) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 5633) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 5636) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 5641) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 5644) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 5649) Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 5652) Pkill executable: /usr/bin/pkill -> pkill -9 wget-log

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 60584 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60584 -> 6780
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5436) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5441) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5446) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5455) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5460) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5463) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5468) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5471) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5496) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5500) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5505) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5508) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5513) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5518) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5521) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5526) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5531) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5534) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5541) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5545) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5555) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5558) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5563) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5566) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5571) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5576) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5579) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5584) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5588) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5593) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5596) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5601) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5606) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5609) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5614) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5617) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5622) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5627) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5636) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5641) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5644) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5649) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5652) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/busybox (PID: 5437) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5442) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5453) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5458) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5461) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5466) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5469) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5474) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5498) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5503) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5506) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5511) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5514) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5519) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5524) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5527) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5532) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5537) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5543) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5548) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5551) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5556) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5561) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5564) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5569) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5572) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5577) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5580) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5585) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5591) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5594) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5599) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5602) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5607) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5612) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5615) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5620) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5623) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5630) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5634) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5639) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5642) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5647) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5650) Queries kernel information via 'uname':

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.i586.elf, type: SAMPLE
Source: Yara match File source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.i586.elf, type: SAMPLE
Source: Yara match File source: 5431.1.0000000008048000.000000000805e000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
82.10.23.113
 unknown United Kingdom
5089 NTLGB false
197.208.84.127
 unknown Sudan
36998 SDN-MOBITELSD false
204.15.220.137
 unknown United States
31915 MOJOBROADBANDUS false
32.78.111.111
 unknown United States
2686 ATGS-MMD-ASUS false
196.246.50.95
 unknown South Africa
37518 FIBERGRIDSC false
53.85.179.169
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
74.178.243.168
 unknown United States
10796 TWC-10796-MIDWESTUS false
153.146.184.220
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
15.105.241.125
 unknown United States
13979 ATT-IPFRUS false
80.122.26.207
 unknown Austria
8447 TELEKOM-ATA1TelekomAustriaAGAT false
123.58.241.44
 unknown China
133119 UNICOM-CNChinaUnicomIPnetworkCN false
151.19.190.231
 unknown Italy
1267 ASN-WINDTREIUNETEU false
152.226.212.173
 unknown Singapore
9292 TEMASEK-POLY-ASTemasekPolytechnicSingaporeSG false
209.220.62.241
 unknown United States
2828 XO-AS15US false
121.18.77.106
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
82.122.217.132
 unknown France
3215 FranceTelecom-OrangeFR false
42.57.207.145
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
86.90.25.203
 unknown Netherlands
1136 KPNKPNNationalEU false
84.198.174.3
 unknown Belgium
6848 TELENET-ASBE false
110.109.22.104
 unknown China
134810 CMNET-JILIN-AS-APChinaMobileGroupJiLincommunicationsco false
217.138.92.9
 unknown United Kingdom
20952 VENUS-INTERNET-ASGB false
213.10.15.8
 unknown Netherlands
1136 KPNKPNNationalEU false
49.65.166.11
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
21.145.183.166
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
213.124.215.249
 unknown Netherlands
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
135.65.41.16
 unknown United States
18676 AVAYAUS false
123.141.224.239
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
214.169.112.111
 unknown United States
721 DNIC-ASBLK-00721-00726US false
211.193.123.206
 unknown Korea Republic of
10056 HDMF-ASHyundaiMarinFireInsuranceKR false
12.113.241.176
 unknown United States
7018 ATT-INTERNET4US false
52.83.247.197
 unknown China
135629 WESTCLOUDDATANingxiaWestCloudDataTechnologyCoLtdCN false
139.121.41.93
 unknown United States
188 SAIC-ASUS false
150.201.77.96
 unknown United States
2572 MORENETUS false
48.29.143.98
 unknown United States
2686 ATGS-MMD-ASUS false
61.5.220.91
 unknown New Caledonia
18200 OPT-NC-AS-APOfficedesPostesetTelecommunicationsNew-Cal false
171.145.10.198
 unknown United States
9874 STARHUB-MOBILEStarHubLtdSG false
124.98.211.165
 unknown Japan 4713 OCNNTTCommunicationsCorporationJP false
71.88.149.138
 unknown United States
20115 CHARTER-20115US false
204.212.47.89
 unknown United States
1239 SPRINTLINKUS false
71.81.131.73
 unknown United States
20115 CHARTER-20115US false
111.69.223.51
 unknown New Zealand
23655 SNAP-NZ-ASSnapInternetLimitedNZ false
216.247.181.91
 unknown Canada
13768 COGECO-PEER1CA false
39.0.160.105
 unknown China
174 COGENT-174US false
70.232.223.232
 unknown United States
7018 ATT-INTERNET4US false
109.166.48.174
 unknown Romania
49074 TECHNOLOGICALRO false
6.173.160.119
 unknown United States
3356 LEVEL3US false
153.39.210.132
 unknown United States
3371 MCI-ASNUS false
106.68.70.250
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
128.249.119.151
 unknown United States
302 BCM-INFO-NET-ASUS false
9.167.215.175
 unknown United States
3356 LEVEL3US false
45.75.223.38
 unknown United Kingdom
49425 DIGITAL-REALTY-UKGB false
94.33.66.117
 unknown Italy
8612 TISCALI-IT false
121.171.63.208
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
27.148.239.133
 unknown China
133775 CHINATELECOM-FUJIAN-XIAMEN-IDC1XiamenCN false
210.172.69.121
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
171.103.183.44
 unknown Thailand
7470 TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH false
183.38.246.197
 unknown China
4816 CHINANET-IDC-GDChinaTelecomGroupCN false
165.243.116.42
 unknown Korea Republic of
4668 LGNET-AS-KRLGCNSKR false
157.160.17.19
 unknown United States
22192 SSHENETUS false
34.210.73.191
 unknown United States
16509 AMAZON-02US false
222.100.31.14
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
34.38.227.4
 unknown United States
2686 ATGS-MMD-ASUS false
86.108.246.87
 unknown Turkey
16135 TURKCELL-ASTurkcellASTR false
198.249.109.158
 unknown United States
20177 EMPORIA-STATE-UNIVERSITYUS false
211.247.104.178
 unknown Korea Republic of
9756 CHEONANVITSSEN-AS-KRTbroadChungbuBroadcastingCoKR false
151.96.87.208
 unknown Italy
8217 ASN-ENIIT false
183.120.8.40
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
78.95.111.232
 unknown Saudi Arabia
39891 ALJAWWALSTC-ASSA false
141.120.221.57
 unknown Australia
6 BULL-HNUS false
109.27.109.8
 unknown France
15557 LDCOMNETFR false
174.9.16.182
 unknown United States
6327 SHAWCA false
90.177.165.35
 unknown Czech Republic
5610 O2-CZECH-REPUBLICCZ false
183.192.227.218
 unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
122.66.198.28
 unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
60.156.81.33
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
150.98.41.186
 unknown Japan 2516 KDDIKDDICORPORATIONJP false
22.195.105.156
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
72.3.215.131
 unknown United States
33070 RMH-14US false
97.14.248.217
 unknown United States
22394 CELLCOUS false
161.37.102.84
 unknown Spain
158 ERI-ASUS false
74.30.218.236
 unknown United States
7922 COMCAST-7922US false
196.28.21.100
 unknown South Africa
10474 OPTINETZA false
191.69.73.239
 unknown Colombia
26611 COMCELSACO false
223.249.118.109
 unknown China
9812 CNNIC-CN-COLNETOrientalCableNetworkCoLtdCN false
128.126.155.77
 unknown United States
21497 UMC-ASUA false
92.98.121.41
 unknown United Arab Emirates
5384 EMIRATES-INTERNETEmiratesInternetAE false
159.72.44.121
 unknown Sweden
1257 TELE2EU false
213.97.36.8
 unknown Spain
3352 TELEFONICA_DE_ESPANAES false
198.81.133.234
 unknown United States
7046 RFC2270-UUNET-CUSTOMERUS false
162.36.0.12
 unknown United States
35893 ACPCA false
215.175.35.121
 unknown United States
721 DNIC-ASBLK-00721-00726US false
92.178.190.62
 unknown France
12479 UNI2-ASES false
131.139.159.131
 unknown Canada
3766 SSC-299-Z-3766CA false
241.57.195.194
 unknown Reserved
unknown unknown false
89.239.53.157
 unknown United States
25853 ELJY30540US false
61.187.67.67
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
58.243.174.5
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
159.170.34.169
 unknown United Kingdom
28686 AVECTRIS-ASCH false
52.221.94.55
 unknown United States
16509 AMAZON-02US false
22.54.216.176
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false