Linux Analysis Report
yakuza.arm4.elf

Overview

General Information

Sample name: yakuza.arm4.elf
Analysis ID: 1561403
MD5: 40eaafab329b57c06e41187911820918
SHA1: dc275d568e2439205e848c555f55d49241b8a7cc
SHA256: a7fa91f5eafa3d3da75a5468c2a8dec879db0a4adf6360b55d430c4d33f10985
Tags: elfuser-abuse_ch
Infos:

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are user agent strings indicative of HTTP manipulation
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: yakuza.arm4.elf ReversingLabs: Detection: 60%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5512) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5546) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5559) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5563) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5573) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5577) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5584) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5615) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5622) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5637) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5646) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5653) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5662) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5669) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5676) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5686) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5693) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5702) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5709) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5720) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5727) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5734) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5741) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5755) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5759) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5768) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5775) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5781) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5789) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5798) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5805) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5812) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5821) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5828) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5839) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5843) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5852) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5859) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5868) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5875) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5879) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5889) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5896) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5905) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5909) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5920) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5927) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5934) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5941) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5945) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5955) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5962) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking
barindex
Uses IRC for communication with a C&C
Source: unknown IRC traffic detected: 192.168.2.13:60600 -> 95.234.158.87:6780 NICK [OSX|ARM3]ET1x USER ET1x localhost localhost :ET1x
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 60600 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60602 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60604 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60606 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60608 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60610 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60612 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60614 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60616 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60618 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60620 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60622 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60624 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60626 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60628 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60630 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60632 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60634 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60636 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60638 -> 6780
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:60600 -> 95.234.158.87:6780
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: unknown TCP traffic detected without corresponding DNS query: 95.234.158.87
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: yakuza.arm4.elf String found in binary or memory: http://linux-it.abuser.eu/yak.sh;
Source: yakuza.arm4.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQ
Source: yakuza.arm4.elf String found in binary or memory: https://youtu.be/dQw4w9WgXcQNever

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yakuza.arm4.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5497.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: 5501.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm4.elf PID: 5497, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Source: Process Memory Space: yakuza.arm4.elf PID: 5501, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be Author: unknown
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %s
Source: Initial sample String containing 'busybox' found: pkill -9 %s || busybox pkill -9 %shistory -c;history -wcd /root;rm -f .bash_historycd /var/tmp; rm -f *NOTICE %s :MOVE <server>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Yara signature match
Source: yakuza.arm4.elf, type: SAMPLE Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5497.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: 5501.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm4.elf PID: 5497, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: Process Memory Space: yakuza.arm4.elf PID: 5501, type: MEMORYSTR Matched rule: Linux_Trojan_Tsunami_8a11f9be reference_sample = 1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Tsunami, fingerprint = 91e2572a3bb8583e20042578e95e1746501c6a71ef7635af2c982a05b18d7c6d, id = 8a11f9be-dc85-4695-9f38-80ca0304780e, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.troj.linELF@0/0@2/0
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Source: yakuza.arm4.elf ELF static info symbol of initial sample: /home/firmware/build/temp-armv4l/gcc-core/gcc/config/arm/lib1funcs.asm
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/238/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/238/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/239/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/239/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/914/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/914/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/917/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/917/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/19/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/19/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/240/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/240/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/3095/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/3095/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/241/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/241/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/242/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/242/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/244/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/244/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/245/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/245/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/1588/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/1588/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/246/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/246/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/5/status
Source: /usr/bin/pkill (PID: 5781) File opened: /proc/5/cmdline
Executes commands using a shell command-line interpreter
Source: /tmp/yakuza.arm4.elf (PID: 5504) Shell command executed: sh -c "pkill -9 902i13 || busybox pkill -9 902i13" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5539) Shell command executed: sh -c "pkill -9 BzSxLxBxeY || busybox pkill -9 BzSxLxBxeY" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5548) Shell command executed: sh -c "pkill -9 HOHO-LUGO7 || busybox pkill -9 HOHO-LUGO7" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5554) Shell command executed: sh -c "pkill -9 HOHO-U79OL || busybox pkill -9 HOHO-U79OL" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5561) Shell command executed: sh -c "pkill -9 JuYfouyf87 || busybox pkill -9 JuYfouyf87" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5565) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5575) Shell command executed: sh -c "pkill -9 SO190Ij1X || busybox pkill -9 SO190Ij1X" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5579) Shell command executed: sh -c "pkill -9 LOLKIKEEEDDE || busybox pkill -9 LOLKIKEEEDDE" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5610) Shell command executed: sh -c "pkill -9 ekjheory98e || busybox pkill -9 ekjheory98e" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5617) Shell command executed: sh -c "pkill -9 scansh4 || busybox pkill -9 scansh4" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5627) Shell command executed: sh -c "pkill -9 MDMA || busybox pkill -9 MDMA" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5635) Shell command executed: sh -c "pkill -9 fdevalvex || busybox pkill -9 fdevalvex" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5641) Shell command executed: sh -c "pkill -9 scanspc || busybox pkill -9 scanspc" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5648) Shell command executed: sh -c "pkill -9 MELTEDNINJAREALZ || busybox pkill -9 MELTEDNINJAREALZ" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5657) Shell command executed: sh -c "pkill -9 flexsonskids || busybox pkill -9 flexsonskids" Jump to behavior
Source: /tmp/yakuza.arm4.elf (PID: 5664) Shell command executed: sh -c "pkill -9 scanx86 || busybox pkill -9 scanx86"
Source: /tmp/yakuza.arm4.elf (PID: 5671) Shell command executed: sh -c "pkill -9 MISAKI-U79OL || busybox pkill -9 MISAKI-U79OL"
Source: /tmp/yakuza.arm4.elf (PID: 5680) Shell command executed: sh -c "pkill -9 foAxi102kxe || busybox pkill -9 foAxi102kxe"
Source: /tmp/yakuza.arm4.elf (PID: 5688) Shell command executed: sh -c "pkill -9 swodjwodjwoj || busybox pkill -9 swodjwodjwoj"
Source: /tmp/yakuza.arm4.elf (PID: 5697) Shell command executed: sh -c "pkill -9 MmKiy7f87l || busybox pkill -9 MmKiy7f87l"
Source: /tmp/yakuza.arm4.elf (PID: 5704) Shell command executed: sh -c "pkill -9 freecookiex86 || busybox pkill -9 freecookiex86"
Source: /tmp/yakuza.arm4.elf (PID: 5715) Shell command executed: sh -c "pkill -9 sysgpu || busybox pkill -9 sysgpu"
Source: /tmp/yakuza.arm4.elf (PID: 5722) Shell command executed: sh -c "pkill -9 NiGGeR69xd || busybox pkill -9 NiGGeR69xd"
Source: /tmp/yakuza.arm4.elf (PID: 5729) Shell command executed: sh -c "pkill -9 frgege || busybox pkill -9 frgege"
Source: /tmp/yakuza.arm4.elf (PID: 5739) Shell command executed: sh -c "pkill -9 sysupdater || busybox pkill -9 sysupdater"
Source: /tmp/yakuza.arm4.elf (PID: 5743) Shell command executed: sh -c "pkill -9 0DnAzepd || busybox pkill -9 0DnAzepd"
Source: /tmp/yakuza.arm4.elf (PID: 5749) Shell command executed: sh -c "pkill -9 NiGGeRD0nks69 || busybox pkill -9 NiGGeRD0nks69"
Source: /tmp/yakuza.arm4.elf (PID: 5757) Shell command executed: sh -c "pkill -9 frgreu || busybox pkill -9 frgreu"
Source: /tmp/yakuza.arm4.elf (PID: 5763) Shell command executed: sh -c "pkill -9 telnetd || busybox pkill -9 telnetd"
Source: /tmp/yakuza.arm4.elf (PID: 5770) Shell command executed: sh -c "pkill -9 0x766f6964 || busybox pkill -9 0x766f6964"
Source: /tmp/yakuza.arm4.elf (PID: 5779) Shell command executed: sh -c "pkill -9 NiGGeRd0nks1337 || busybox pkill -9 NiGGeRd0nks1337"
Source: /tmp/yakuza.arm4.elf (PID: 5783) Shell command executed: sh -c "pkill -9 gaft || busybox pkill -9 gaft"
Source: /tmp/yakuza.arm4.elf (PID: 5793) Shell command executed: sh -c "pkill -9 urasgbsigboa || busybox pkill -9 urasgbsigboa"
Source: /tmp/yakuza.arm4.elf (PID: 5800) Shell command executed: sh -c "pkill -9 120i3UI49 || busybox pkill -9 120i3UI49"
Source: /tmp/yakuza.arm4.elf (PID: 5807) Shell command executed: sh -c "pkill -9 OaF3 || busybox pkill -9 OaF3"
Source: /tmp/yakuza.arm4.elf (PID: 5816) Shell command executed: sh -c "pkill -9 geae || busybox pkill -9 geae"
Source: /tmp/yakuza.arm4.elf (PID: 5823) Shell command executed: sh -c "pkill -9 vaiolmao || busybox pkill -9 vaiolmao"
Source: /tmp/yakuza.arm4.elf (PID: 5833) Shell command executed: sh -c "pkill -9 123123a || busybox pkill -9 123123a"
Source: /tmp/yakuza.arm4.elf (PID: 5841) Shell command executed: sh -c "pkill -9 Ofurain0n4H34D || busybox pkill -9 Ofurain0n4H34D"
Source: /tmp/yakuza.arm4.elf (PID: 5847) Shell command executed: sh -c "pkill -9 ggTrex || busybox pkill -9 ggTrex"
Source: /tmp/yakuza.arm4.elf (PID: 5854) Shell command executed: sh -c "pkill -9 wasads || busybox pkill -9 wasads"
Source: /tmp/yakuza.arm4.elf (PID: 5863) Shell command executed: sh -c "pkill -9 1293194hjXD || busybox pkill -9 1293194hjXD"
Source: /tmp/yakuza.arm4.elf (PID: 5870) Shell command executed: sh -c "pkill -9 OthLaLosn || busybox pkill -9 OthLaLosn"
Source: /tmp/yakuza.arm4.elf (PID: 5877) Shell command executed: sh -c "pkill -9 ggt || busybox pkill -9 ggt"
Source: /tmp/yakuza.arm4.elf (PID: 5883) Shell command executed: sh -c "pkill -9 wget-log || busybox pkill -9 wget-log"
Source: /tmp/yakuza.arm4.elf (PID: 5891) Shell command executed: sh -c "pkill -9 1337SoraLOADER || busybox pkill -9 1337SoraLOADER"
Source: /tmp/yakuza.arm4.elf (PID: 5900) Shell command executed: sh -c "pkill -9 SAIAKINA || busybox pkill -9 SAIAKINA"
Source: /tmp/yakuza.arm4.elf (PID: 5907) Shell command executed: sh -c "pkill -9 ggtq || busybox pkill -9 ggtq"
Source: /tmp/yakuza.arm4.elf (PID: 5915) Shell command executed: sh -c "pkill -9 1378bfp919GRB1Q2 || busybox pkill -9 1378bfp919GRB1Q2"
Source: /tmp/yakuza.arm4.elf (PID: 5922) Shell command executed: sh -c "pkill -9 SAIAKUSO || busybox pkill -9 SAIAKUSO"
Source: /tmp/yakuza.arm4.elf (PID: 5929) Shell command executed: sh -c "pkill -9 ggtr || busybox pkill -9 ggtr"
Source: /tmp/yakuza.arm4.elf (PID: 5939) Shell command executed: sh -c "pkill -9 14Fa || busybox pkill -9 14Fa"
Source: /tmp/yakuza.arm4.elf (PID: 5943) Shell command executed: sh -c "pkill -9 SEXSLAVE1337 || busybox pkill -9 SEXSLAVE1337"
Source: /tmp/yakuza.arm4.elf (PID: 5949) Shell command executed: sh -c "pkill -9 ggtt || busybox pkill -9 ggtt"
Source: /tmp/yakuza.arm4.elf (PID: 5957) Shell command executed: sh -c "pkill -9 1902a3u912u3u4 || busybox pkill -9 1902a3u912u3u4"
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /bin/sh (PID: 5512) Pkill executable: /usr/bin/pkill -> pkill -9 902i13 Jump to behavior
Source: /bin/sh (PID: 5546) Pkill executable: /usr/bin/pkill -> pkill -9 BzSxLxBxeY Jump to behavior
Source: /bin/sh (PID: 5550) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-LUGO7 Jump to behavior
Source: /bin/sh (PID: 5559) Pkill executable: /usr/bin/pkill -> pkill -9 HOHO-U79OL Jump to behavior
Source: /bin/sh (PID: 5563) Pkill executable: /usr/bin/pkill -> pkill -9 JuYfouyf87 Jump to behavior
Source: /bin/sh (PID: 5573) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd Jump to behavior
Source: /bin/sh (PID: 5577) Pkill executable: /usr/bin/pkill -> pkill -9 SO190Ij1X Jump to behavior
Source: /bin/sh (PID: 5584) Pkill executable: /usr/bin/pkill -> pkill -9 LOLKIKEEEDDE Jump to behavior
Source: /bin/sh (PID: 5615) Pkill executable: /usr/bin/pkill -> pkill -9 ekjheory98e Jump to behavior
Source: /bin/sh (PID: 5622) Pkill executable: /usr/bin/pkill -> pkill -9 scansh4 Jump to behavior
Source: /bin/sh (PID: 5633) Pkill executable: /usr/bin/pkill -> pkill -9 MDMA Jump to behavior
Source: /bin/sh (PID: 5637) Pkill executable: /usr/bin/pkill -> pkill -9 fdevalvex Jump to behavior
Source: /bin/sh (PID: 5646) Pkill executable: /usr/bin/pkill -> pkill -9 scanspc Jump to behavior
Source: /bin/sh (PID: 5653) Pkill executable: /usr/bin/pkill -> pkill -9 MELTEDNINJAREALZ Jump to behavior
Source: /bin/sh (PID: 5662) Pkill executable: /usr/bin/pkill -> pkill -9 flexsonskids Jump to behavior
Source: /bin/sh (PID: 5669) Pkill executable: /usr/bin/pkill -> pkill -9 scanx86
Source: /bin/sh (PID: 5676) Pkill executable: /usr/bin/pkill -> pkill -9 MISAKI-U79OL
Source: /bin/sh (PID: 5686) Pkill executable: /usr/bin/pkill -> pkill -9 foAxi102kxe
Source: /bin/sh (PID: 5693) Pkill executable: /usr/bin/pkill -> pkill -9 swodjwodjwoj
Source: /bin/sh (PID: 5702) Pkill executable: /usr/bin/pkill -> pkill -9 MmKiy7f87l
Source: /bin/sh (PID: 5709) Pkill executable: /usr/bin/pkill -> pkill -9 freecookiex86
Source: /bin/sh (PID: 5720) Pkill executable: /usr/bin/pkill -> pkill -9 sysgpu
Source: /bin/sh (PID: 5727) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeR69xd
Source: /bin/sh (PID: 5734) Pkill executable: /usr/bin/pkill -> pkill -9 frgege
Source: /bin/sh (PID: 5741) Pkill executable: /usr/bin/pkill -> pkill -9 sysupdater
Source: /bin/sh (PID: 5745) Pkill executable: /usr/bin/pkill -> pkill -9 0DnAzepd
Source: /bin/sh (PID: 5755) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRD0nks69
Source: /bin/sh (PID: 5759) Pkill executable: /usr/bin/pkill -> pkill -9 frgreu
Source: /bin/sh (PID: 5768) Pkill executable: /usr/bin/pkill -> pkill -9 telnetd
Source: /bin/sh (PID: 5775) Pkill executable: /usr/bin/pkill -> pkill -9 0x766f6964
Source: /bin/sh (PID: 5781) Pkill executable: /usr/bin/pkill -> pkill -9 NiGGeRd0nks1337
Source: /bin/sh (PID: 5789) Pkill executable: /usr/bin/pkill -> pkill -9 gaft
Source: /bin/sh (PID: 5798) Pkill executable: /usr/bin/pkill -> pkill -9 urasgbsigboa
Source: /bin/sh (PID: 5805) Pkill executable: /usr/bin/pkill -> pkill -9 120i3UI49
Source: /bin/sh (PID: 5812) Pkill executable: /usr/bin/pkill -> pkill -9 OaF3
Source: /bin/sh (PID: 5821) Pkill executable: /usr/bin/pkill -> pkill -9 geae
Source: /bin/sh (PID: 5828) Pkill executable: /usr/bin/pkill -> pkill -9 vaiolmao
Source: /bin/sh (PID: 5839) Pkill executable: /usr/bin/pkill -> pkill -9 123123a
Source: /bin/sh (PID: 5843) Pkill executable: /usr/bin/pkill -> pkill -9 Ofurain0n4H34D
Source: /bin/sh (PID: 5852) Pkill executable: /usr/bin/pkill -> pkill -9 ggTrex
Source: /bin/sh (PID: 5859) Pkill executable: /usr/bin/pkill -> pkill -9 wasads
Source: /bin/sh (PID: 5868) Pkill executable: /usr/bin/pkill -> pkill -9 1293194hjXD
Source: /bin/sh (PID: 5875) Pkill executable: /usr/bin/pkill -> pkill -9 OthLaLosn
Source: /bin/sh (PID: 5879) Pkill executable: /usr/bin/pkill -> pkill -9 ggt
Source: /bin/sh (PID: 5889) Pkill executable: /usr/bin/pkill -> pkill -9 wget-log
Source: /bin/sh (PID: 5896) Pkill executable: /usr/bin/pkill -> pkill -9 1337SoraLOADER
Source: /bin/sh (PID: 5905) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKINA
Source: /bin/sh (PID: 5909) Pkill executable: /usr/bin/pkill -> pkill -9 ggtq
Source: /bin/sh (PID: 5920) Pkill executable: /usr/bin/pkill -> pkill -9 1378bfp919GRB1Q2
Source: /bin/sh (PID: 5927) Pkill executable: /usr/bin/pkill -> pkill -9 SAIAKUSO
Source: /bin/sh (PID: 5934) Pkill executable: /usr/bin/pkill -> pkill -9 ggtr
Source: /bin/sh (PID: 5941) Pkill executable: /usr/bin/pkill -> pkill -9 14Fa
Source: /bin/sh (PID: 5945) Pkill executable: /usr/bin/pkill -> pkill -9 SEXSLAVE1337
Source: /bin/sh (PID: 5955) Pkill executable: /usr/bin/pkill -> pkill -9 ggtt
Source: /bin/sh (PID: 5962) Pkill executable: /usr/bin/pkill -> pkill -9 1902a3u912u3u4

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: IRC traffic on port 60600 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60602 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60604 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60606 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60608 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60610 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60612 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60614 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60616 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60618 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60620 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60622 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60624 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60626 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60628 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60630 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60632 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60634 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60636 -> 6780
Source: unknown Network traffic detected: IRC traffic on port 60638 -> 6780
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5512) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5546) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5550) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5559) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5563) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5573) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5577) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5584) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5615) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5622) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5633) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5637) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5646) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5653) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5662) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5669) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5676) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5686) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5693) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5702) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5709) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5720) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5727) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5734) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5741) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5745) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5755) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5759) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5768) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5775) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5781) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5789) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5798) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5805) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5812) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5821) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5828) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5839) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5843) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5852) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5859) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5868) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5875) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5879) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5889) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5896) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5905) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5909) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5920) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5927) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5934) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5941) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5945) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5955) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5962) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/yakuza.arm4.elf (PID: 5497) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5538) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5547) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5551) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5560) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5564) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5574) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5578) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5609) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5616) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5625) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5634) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5638) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5647) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5654) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/busybox (PID: 5663) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5670) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5679) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5687) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5696) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5703) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5710) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5721) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5728) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5738) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5742) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5748) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5756) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5762) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5769) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5776) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5782) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5790) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5799) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5806) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5815) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5822) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5831) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5840) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5846) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5853) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5860) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5869) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5876) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5882) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5890) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5899) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5906) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5910) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5921) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5928) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5937) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5942) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5948) Queries kernel information via 'uname':
Source: /usr/bin/busybox (PID: 5956) Queries kernel information via 'uname':
Source: yakuza.arm4.elf, 5497.1.000056357460a000.0000563574738000.rw-.sdmp, yakuza.arm4.elf, 5501.1.000056357460a000.0000563574738000.rw-.sdmp Binary or memory string: bt5V!/etc/qemu-binfmt/arm
Source: yakuza.arm4.elf, 5497.1.000056357460a000.0000563574738000.rw-.sdmp, yakuza.arm4.elf, 5501.1.000056357460a000.0000563574738000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: yakuza.arm4.elf, 5497.1.00007ffd50edf000.00007ffd50f00000.rw-.sdmp, yakuza.arm4.elf, 5501.1.00007ffd50edf000.00007ffd50f00000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: yakuza.arm4.elf, 5497.1.00007ffd50edf000.00007ffd50f00000.rw-.sdmp, yakuza.arm4.elf, 5501.1.00007ffd50edf000.00007ffd50f00000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/yakuza.arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/yakuza.arm4.elf
Source: yakuza.arm4.elf, 5501.1.00007ffd50edf000.00007ffd50f00000.rw-.sdmp Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm4.elf, type: SAMPLE
Source: Yara match File source: 5497.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5501.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY
Sample contains strings that are user agent strings indicative of HTTP manipulation
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.11) Gecko/20071128 Camino/1.5.4
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100628 myibrow/4alpha2
Source: Initial sample User agent string found: Mozilla/5.0 (Windows; U; Win 9x 4.90; SG; rv:1.9.2.4) Gecko/20101104 Netscape/9.1.0285
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 Lightning/4.0.2
Source: Initial sample User agent string found: Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Source: Initial sample User agent string found: Opera/9.80 (Windows NT 5.1; U;) Presto/2.7.62 Version/11.01
Source: Initial sample User agent string found: Mozilla/5.0 (X11; Linux x86_64; U; de; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 Opera 10.62
Source: Initial sample User agent string found: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Source: Initial sample User agent string found: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110517 Firefox/5.0 Fennec/5.0
Source: Initial sample User agent string found: Mozilla/5.0 (Android; Linux armv7l; rv:9.0) Gecko/20111216 Firefox/9.0 Fennec/9.0
Source: Initial sample User agent string found: Mozilla/5.0 (compatible; Teleca Q7; Brew 3.1.5; U; en) 480X800 LGE VX11000

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: yakuza.arm4.elf, type: SAMPLE
Source: Yara match File source: 5497.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5501.1.00007f91b8017000.00007f91b8033000.r-x.sdmp, type: MEMORY

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
95.234.158.87
 unknown Italy
3269 ASN-IBSNAZIT true

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true